Bug#371087: cyrus21-imapd: Fatal error: tls_init() failed if user cyrus is not in ssl-cert group

Sven Mueller sm at ciphirelabs.com
Thu Jun 8 14:24:22 UTC 2006


Henrique de Moraes Holschuh wrote on 07/06/2006 21:29:
> On Wed, 07 Jun 2006, Diego Fdez. Durán wrote:
> 
>> So I think that the cyrus-imapd installation scripts need to add the
>> cyrus user to the ssl-cert group. (I don't know if the installer already
>> adds cyrus to group ssl-cert, sorry).
> 
> THIS would be a very bad idea.  Cyrus should be reading sensitive data as
> root, and not asking people to give the cyrus user any access to private
> data.  I don't think we get this right in Cyrus yet, though.

It's almost impossible to get that right, if I understand the mechanisms
in cyrus correctly. The problem is that the only process started with
root rights is cyrmaster. However, cyrmaster doesn't handle the content
_or_ encryption of the connections itself, it leaves that to its
children (imapd, pop3d etc.), which only get started as user cyrus.

> I am dead set *against* adding the cyrus user to the ssl-cert group.  Other
> solutions, including changing documentation, default paths, etc are welcome,
> of course.

I'm with you in restricting cyrus to what it needs to do. However, I
don't see a better solution here than adding the cyrus user to the
ssl-cert group. Most setups will want to use the same SSL key&cert for
Cyrus and any other SSL-enabled service (postfix, exim, apache, just to
name a few). That's exactly what the ssl-cert group is for - IIUIC.

Any better solution is welcome.

Regards,
Sven
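Sven's description of the cyrmaster model (root-started master, children started directly as the cyrus user) is why the key file ends up needing to be readable by cyrus. What Henrique calls "reading sensitive data as root" is the alternative pattern: open the key while still root, keep it in memory, and only then drop to the service account, so the file itself never has to be readable by that account. The program below is an added illustration of that sequence written for this thread; it is not Cyrus code and not from the bug report. It assumes Linux/glibc, takes a key path and target uid/gid on the command line, and its self-test uses constructed key material in a temporary file with a privilege drop to the caller's own ids (a no-op when not root, which is what makes the check runnable without root).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read all of `path` into a heap buffer while the process still has the
 * privileges needed to open it (for example a root:ssl-cert 0640 key).
 * Stores the length in *len_out and returns the buffer (caller frees),
 * or NULL on error. */
char *load_secret(const char *path, size_t *len_out)
{
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (buf == NULL) { fclose(fp); return NULL; }
    while ((n = fread(buf + len, 1, cap - len, fp)) > 0) {
        len += n;
        if (len == cap) {                 /* grow before the next read */
            char *tmp = realloc(buf, cap * 2);
            if (tmp == NULL) { free(buf); fclose(fp); return NULL; }
            buf = tmp;
            cap *= 2;
        }
    }
    fclose(fp);
    *len_out = len;
    return buf;
}

/* Permanently drop to uid/gid. The order matters: supplementary groups
 * and gid first (both need root), uid last (after it, setgid would fail).
 * Afterwards verify that every id actually changed and that root cannot
 * be regained. Returns 0 on success, -1 on failure; the caller must exit
 * on failure rather than serve with partial privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If the drop left a saved uid of 0, this setuid(0) would succeed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Self-test: constructed (not real) key material in a temp file is loaded
 * first, then privileges are dropped to the caller's own ids. Returns 0 on
 * success, -1 otherwise. */
int selftest(void)
{
    static const char material[] =
        "-----BEGIN PRIVATE KEY-----\nconstructed-example-material\n";
    char path[] = "/tmp/keyXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t mlen = strlen(material);
    int ok = write(fd, material, mlen) == (ssize_t)mlen;
    close(fd);
    size_t len = 0;
    char *key = ok ? load_secret(path, &len) : NULL;
    unlink(path);                        /* the file is gone, the key stays */
    ok = key != NULL && len == mlen && memcmp(key, material, len) == 0;
    if (ok)
        ok = drop_privileges(getuid(), getgid()) == 0;
    if (key != NULL) { memset(key, 0, len); free(key); }
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s keyfile uid gid\n", argv[0]);
        return 2;
    }
    size_t len = 0;
    char *key = load_secret(argv[1], &len);      /* still root here */
    if (key == NULL) { perror(argv[1]); return 1; }
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("loaded %zu bytes, now uid=%u gid=%u\n",
           len, (unsigned)getuid(), (unsigned)getgid());
    /* A real daemon would hand `key` to its TLS initialisation here. */
    memset(key, 0, len);
    free(key);
    return 0;
}
```

Run as root with `./drop keyfile <cyrus-uid> <ssl-group-gid>` and the key is read before the drop, so the file can stay root:ssl-cert 0640. The catch Sven raises still applies to Cyrus as packaged: this only works when the process that opens the key is the one that later serves TLS, or when the loaded material is handed to the children, which cyrmaster does not do.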