-
@necrevistonnezr it seems like I've covered every one of your points in my messages earlier - please, let me know if you feel like I missed something.
-
No, I'm sure you missed nothing to overcome the "self-posed mindset limit".
I just assumed that the design decisions of the Dovecot maintainers themselves, major distributions like Ubuntu or projects like Mailcow - as well as the explanation by girish ("dovecot automatically steps down permissions") would be sensible - but maybe that's my limited mindset.
-
The thing is that there is a guide to run dovecot not as root...
-
@girish said in Why running dovecot as root?:
I recall trying to run it as normal user but it's not worth it. It wants to access many different users (the mailbox user, the dovecot user, then permissions to intercommunicate between processes etc). So, we decided to go with what the distro guys (ubuntu) decided for us.
-
So given that the upstream project mostly sees the non-root instructions for local development and not as security improvements, we usually trust the upstream project decisions here, they know their code and especially dovecot is a battle-tested project anyways. So there is likely more risk for us to misconfigure it causing other side-effects than we gain from that.
-
@necrevistonnezr, it seems like you miss the fact that Dovecot created the instruction afterwards.
Another thing is that if the product of your choice doesn't support best or just good enough security practices - it might be worth changing the product.
@nebulon, got it, it's a pity. I would rather have all processes in Docker (including nginx) running as non-root.
But probably it's a subject for another project 'Hardened Cloudron', that doesn't seem to be in high demand, so from the product perspective I understand your choice - thanks for letting me know it!
-
It's interesting that you're now suggesting that neither the maintainer of Dovecot, nor the maintainer of Ubuntu, nor the maintainer of Cloudron have the capacity or interest of "hardening" their product.
And, BTW, without giving any substantiation why this would improve security other than "root should be avoided in general". But anyway, this is tiring. Checking out.
-
@necrevistonnezr this may be more of a case of slightly different priorities and taste, servers running software (and exposed to the internet) are never 100% secure, so hardening is always a bit of an ongoing process which can be as detailed as one wants. We try to strike some balance on Cloudron side, to keep things maintainable and updatable also.
-
@necrevistonnezr said in Why running dovecot as root?:
But anyway, this is tiring. Checking out.
Can't recall I've been begging you to join and participate in the discussion... In case I did, sure - don't hesitate to explore things around - it's so much better without some kind of knowledge (and it's not a joke).
-
@nebulon said in Why running dovecot as root?:
@necrevistonnezr this may be more of a case of slightly different priorities and taste, servers running software (and exposed to the internet) are never 100% secure, so hardening is always a bit of an ongoing process which can be as detailed as one wants. We try to strike some balance on Cloudron side, to keep things maintainable and updatable also.
Thanks again - that makes perfect sense.
If I may ask - did you consider other alternatives? If so - what did you reject and why? Would you choose Dovecot again now?
Feel free to ignore my questions - that's definitely outside of the scope of the platform, would appreciate if you could share some piece of wisdom though!
-
For anyone wondering about the same question as I did: Dovecot seems to be a standard IMAP server for now, which seems to be used on the majority of servers. It claims to be written with security in mind, which doesn't seem to help to avoid privilege escalations, buffer overflows, crashes (on the same page - below).
Given the dominance of that mail server on the internet, it seems to be a go-to solution for many, just like Ubuntu, referred here above, is; so I wouldn't expect it to be replaced on Cloudron anytime soon.
Given the self-confidence of the authors, who claim that running as root is not a big deal and do not provide any easy ready-to-use solution, I doubt that many will go the extra mile to implement that on their own; given Cloudron's limited resources and lack of advertising and hence focus to be a security-first platform, dovecot processes will remain running as root.
On the positive side, root-owned processes are not opening any network port, so direct exploitation would be problematic.
Hope that would be of help.
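
Whether any root-owned process holds a listening TCP socket can be checked on a given host. The following is an added example, not part of the thread and not Cloudron's or Dovecot's code: it walks `/proc`, reads each process's own `net/tcp` and `net/tcp6` (so sockets inside container network namespaces are seen), and reports processes with effective UID 0 that hold a listener. It assumes Linux and enough privilege to read other processes' `fd` directories; the function names are hypothetical.

```python
import os

LISTEN = "0A"  # TCP state code for LISTEN in /proc/<pid>/net/tcp

def listening_inodes(pid_dir):
    """Socket inode -> local port for LISTEN sockets in this process's netns."""
    inodes = {}
    for name in ("tcp", "tcp6"):
        try:
            with open(os.path.join(pid_dir, "net", name)) as fh:
                next(fh, None)  # skip the header row
                for line in fh:
                    f = line.split()
                    if len(f) > 9 and f[3] == LISTEN:
                        inodes[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
        except OSError:
            continue
    return inodes

def effective_uid(pid_dir):
    with open(os.path.join(pid_dir, "status")) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[2])  # real, effective, saved, fs
    return None

def root_listeners(proc_root="/proc"):
    """Return sorted (pid, comm, port) for euid-0 processes holding a listener."""
    found = set()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        pid_dir = os.path.join(proc_root, pid)
        try:
            if effective_uid(pid_dir) != 0:
                continue
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            inodes = listening_inodes(pid_dir)
            for fd in os.listdir(os.path.join(pid_dir, "fd")):
                target = os.readlink(os.path.join(pid_dir, "fd", fd))
                if target.startswith("socket:[") and target[8:-1] in inodes:
                    found.add((int(pid), comm, inodes[target[8:-1]]))
        except OSError:
            continue  # process exited, or we may not read its fds
    return sorted(found)

if __name__ == "__main__":
    for pid, comm, port in root_listeners():
        print(f"root-owned listener: pid={pid} comm={comm} tcp/{port}")
```

Only TCP is covered; UNIX-domain sockets and UDP are not reported.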