Bug#371087: cyrus21-imapd: Fatal error: tls_init() failed if user cyrus is not in ssl-cert group

[Henrique de Moraes Holschuh]

On Thu, 08 Jun 2006, Sven Mueller wrote:
> > THIS would be a very bad idea.  Cyrus should be reading sensitive data as
> > root, and not asking people to give the cyrus user any access to private
> > data.  I don't think we get this right in Cyrus yet, though.
> 
> It's almost impossible to get that right, if I understand the mechanisms

You mean it is almost impossible to get that right without teaching cyrus
about privsep, and using IPC so that cyrmaster launches a priviledged
"proxy" daemon (just like postfix does) and imapd & friends ask that daemon
over IPC (probably just an unix socket) to do priviledged operations.

> > I am dead set *against* adding the cyrus user to the ssl-cert group.  Other
> > solutions, including changing documentation, default paths, etc are welcome,
> > of course.
> 
> I'm with you in restricting cyrus to what it needs to do. However, I
> don't see a better solution here than adding the cyrus user to the
> ssl-cert group. Most setups will want to use the same SSL key&cert for

Document it, and the local admin may do it if he wants to. Or he can simply
*copy* the certificate over, if he has more than one certificate and doesn't
want the cyrus user to have full access to all of them.

> Cyrus and any other SSL-enabled service (postfix, exim, apache, just to
> name a few). That's exactly what the ssl-cert group is for - IIUIC.

Looks like a *baad* mistake to me to do things this way.

> Any better solution is welcome.

Proper privsep is the only one general solution for this problem.  I can be
persuaded to add ssl-cert priviledges to cyrus on the grounds that
everything else is already being this stupid, but...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh