Why running dovecot as root?

potemkin_ai

Hello, I wonder if dovecot has to be running as root?

# ps aufx | grep root
root      152591  0.0  0.0   2888  1040 pts/0    Ss   10:47   0:00 /bin/sh
root      152599  0.0  0.0   7204  2912 pts/0    R+   10:47   0:00  \_ ps aufx
root      152600  0.0  0.0   3468  1556 pts/0    S+   10:47   0:00  \_ grep root
root           1  0.0  0.0  34460  3536 ?        Ss   Sep25   8:02 /usr/bin/python3 /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Mail
root          64  0.0  0.0   8284  1300 ?        S    Sep25   1:09 /usr/sbin/dovecot -c /run/dovecot.conf -F
root          75  0.0  0.0   4932   828 ?        S    Sep25   0:22  \_ dovecot/log
root          76  0.0  0.0   7684  2344 ?        S    Sep25   2:17  \_ dovecot/config

I can't seem to find any requirement for that. From what I'm aware off, Docker won't work as an efficient isolation mechanism, if root privileges obtained inside Docker container.

Please, correct me if I'm wrong!

girish

I think dovecot wants to be run as root. See first line in https://doc.dovecot.org/2.3/admin_manual/running_dovecot/ . On ubuntu, it's packaged as such as well (/usr/sbin/dovecot) . dovecot automatically steps down permissions as needed. It's a complex program having many binaries. You will also see other programs run as dovecot user with ps aux output.

I recall trying to run it as normal user but it's not worth it. It wants to access many different users (the mailbox user, the dovecot user, then permissions to intercommunicate between processes etc). So, we decided to go with what the distro guys (ubuntu) decided for us.

potemkin_ai

@girish from the link above I can see:

Dovecot can simply be started by running dovecot as root.

can != must for me.

There is something doesn't add up for me in they way of thinking. For me - a good security rule - it's to minimize attack surface, since you can never know. That is the approach of OpenBSD system, for example. Separate, minimize exposure, etc.

Dovecot has a guide on how to run in non-root: https://doc.dovecot.org/2.3/configuration_manual/howto/rootless/

At the begging they give very strange comment about a necessity to choose between chroot-ed and non-chroot-ed environment, while giving permissions to chroot without root in the section to follow.

Anyway - do you believe the manual from that link could be of any help?

Even on official Docker docs (for example) says:

Docker will run commands as the root user, which can pose significant security risks.

necrevistonnezr

@potemkin_ai From your link (emphasis added)

It’s possible to make Dovecot run under a single system user without requiring root privileges at any point. This shouldn’t be thought of as a security feature, but instead simply as a way for non-admins to run Dovecot in their favorite mail server.

potemkin_ai

@necrevistonnezr yeah, I addressed that earlier:

There is something doesn't add up for me in they way of thinking. For me - a good security rule - it's to minimize attack surface, since you can never know. That is the approach of OpenBSD system, for example. Separate, minimize exposure, etc.

For me the quote you mentioned only speaks about self-posed mindset limit.

It's like saying that you don't need airbags on the car, as usually people doesn't get in the car crash, and if they would - a seatbelt would be sufficient.

necrevistonnezr

@potemkin_ai
Well, on ubuntu, it's packaged like that, @girish explained that it steps down permissions as needed, but sure, if there's a better way to do it...

@girish said in Why running dovecot as root?:

I think dovecot wants to be run as root. See first line in https://doc.dovecot.org/2.3/admin_manual/running_dovecot/ . On ubuntu, it's packaged as such as well (/usr/sbin/dovecot) . dovecot automatically steps down permissions as needed. It's a complex program having many binaries. You will also see other programs run as dovecot user with ps aux output.

potemkin_ai

@necrevistonnezr it seems like I've covered every one of your points in my messages earlier - please, let me know if you feel like I missed something.

necrevistonnezr

No, I'm sure you missed nothing to overcome the "self-posed mindset limit".
I just assumed that the design decisions of the Dovecot maintainers themselves, major distributions like Ubuntu or projects like Mailcow - as well as the explanation by girish ("dovecot automatically steps down permissions") would be sensible - but maybe that's my limited mindset.

potemkin_ai

The thing is that there is a guide to run dovecot not as root...

necrevistonnezr

@girish said in Why running dovecot as root?:

I recall trying to run it as normal user but it's not worth it. It wants to access many different users (the mailbox user, the dovecot user, then permissions to intercommunicate between processes etc). So, we decided to go with what the distro guys (ubuntu) decided for us.

nebulon

So given that the upstream project mostly sees the non-root instructions for local development and not as security improvments, we usually trust the upstream project decisions here, they know their code and especially dovecot is a battletested project anyways. So there is likely more risk for us to misconfigure it causing other side-effects than we gain from that.

potemkin_ai

@necrevistonnezr , it seems like you miss the fact that Dovecot created instruction afterwards.
Another thing is that if the product of your choice doesn't support best or just good enough security practices - it might be worth to change the product.

@nebulon , got it, it's a pity. I would rather have all processes in Docker (including nginx) running as non-root.
But probably it's a subject for another project 'Hardened Cloudron', that doesn't seem to be in high demand, so from the product perspective I understand your choice - thanks for letting me know it!

necrevistonnezr

It's interesting that you're now suggesting that neither the maintainer of Dovecot, nor the maintainer of Ubuntu, nor the maintainer of Cloudron have the capacity or interest of "hardening" their product.
And, BTW, without giving any substantiation why this would improve security other than "root should be avoided in general". But anyway, this is tiring. Checking out.

nebulon

@necrevistonnezr this may be more of a case of slightly different priorities and taste, servers running software (and exposed to the internet) are never 100% secure, so hardening is always a bit of an ongoing process which can be as detailed as one wants. We try to strike some balance on Cloudron side, to keep things maintainable and updatable also.

potemkin_ai

@necrevistonnezr said in Why running dovecot as root?:

But anyway, this is tiring. Checking out.

Can't recall I've been begging you to join and participate in the discussion... In case if I did, sure - don't hesitate to explore things around - it's so much better without some kind of knowledge (and it's not a joke).

potemkin_ai

@nebulon said in Why running dovecot as root?:

@necrevistonnezr this may be more of a case of slightly different priorities and taste, servers running software (and exposed to the internet) are never 100% secure, so hardening is always a bit of an ongoing process which can be as detailed as one wants. We try to strike some balance on Cloudron side, to keep things maintainable and updatable also.

Thanks again - that makes perfect sense.
If I may ask - did you consider other alternatives? If so - what did you rejected and why? Would you choose Dovecot again now?

Feel free to ignore my questions - that's definitely outside of the scope of the platform, would appreciate if you could share some piece of wisdom thought!

potemkin_ai

For anyone wondering on the same question as I did: Dovecot seems to be a standard IMAP server for now, which seems to be used on majority of servers. It claims to be written with security in mind, which doesn't seem to help to avoid privileges escalations, buffer overflow, crashes (on the same page - below).

Given the dominance of that mail server on the internet, it seems to be a go-to solution for many, just like Ubuntu, referred here above, is; so I wouldn't expect it to be replaced on Cloudron anytime soon.

Given the self-confidence of the authors, that claims that running from root is not a big deal and not providing any easily ready to use solution, I doubt that many will go extra mile to implement that on they own; given Cloudron limited resources and luck of advertising and hence focus to be security first platform, dovecot processes will remain to be running as root.

From the positive side, root owned processes are not opening any network port, so direct exploitation would be problematic.

Hope that would be of help.