path: root/doc/wiki/HowTo.Rootless.txt
author Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-28 09:51:24 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-28 09:51:24 +0000
commit f7548d6d28c313cf80e6f3ef89aed16a19815df1
tree a3f6f2a3f247293bee59ecd28e8cd8ceb6ca064a /doc/wiki/HowTo.Rootless.txt
parent Initial commit.
Adding upstream version 1:2.3.19.1+dfsg1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/wiki/HowTo.Rootless.txt')
-rw-r--r-- doc/wiki/HowTo.Rootless.txt 119
1 files changed, 119 insertions, 0 deletions
diff --git a/doc/wiki/HowTo.Rootless.txt b/doc/wiki/HowTo.Rootless.txt
new file mode 100644
index 0000000..b9f23f7
--- /dev/null
+++ b/doc/wiki/HowTo.Rootless.txt
@@ -0,0 +1,119 @@
+Rootless Installation
+=====================
+
+It's possible to make Dovecot run under a single system user without requiring
+root privileges at any point. This shouldn't be thought of as a security
+feature, but instead simply as a way for non-admins to run Dovecot in their
+favorite mail server. It's also useful if you just wish to test Dovecot without
+messing up your system.
+
+If you think of this as a good way to achieve security, ask yourself which is
+worse:
+
+a)
+
+ * A very small possibility to get root privileges through Dovecot.
+ * A small possibility without logging in to get into system as a
+ non-privileged *dovecot* user, chrooted into an empty directory.
+ * A small possibility to get user's privileges after logging in, but no
+ possibility to read others' mails since they're saved with different UIDs
+ (plus you might also be chrooted to your own mailbox).
+
+b)
+
+ * Absolutely zero possibility to get root privileges through Dovecot.
+ * A small possibility to get into system as a mail user, possibly even without
+ logging in, and being able to read everyone's mail (and finally gaining
+ roots by exploiting some just discovered local vulnerability, unless you
+ bothered to set up a special chrooted environment).
+
+Installation
+------------
+
+Install somewhere under home directory:
+
+---%<-------------------------------------------------------------------------
+./configure --prefix=$HOME/dovecot
+make
+make install
+---%<-------------------------------------------------------------------------
+
+Dovecot is then started by running '~/dovecot/sbin/dovecot'. The example
+configuration file exists in '~/dovecot/share/doc/dovecot/example-config/' and
+needs to be copied to '~/dovecot/etc/dovecot/'.
+
+Configuration
+-------------
+
+The important settings to change for rootless installation are:
+
+ * Set usernames and group to the user which dovecot will be run under:
+
+ ---%<----------------------------------------------------------------------
+ default_internal_user = user
+ default_login_user = user
+ default_internal_group = group
+ ---%<----------------------------------------------------------------------
+
+ * Remove default chrooting from all services:
+
+ ---%<----------------------------------------------------------------------
+ service anvil {
+ chroot =
+ }
+ service imap-login {
+ chroot =
+ }
+ service pop3-login {
+ chroot =
+ }
+ ---%<----------------------------------------------------------------------
+
+ * Change listener ports:
+
+ ---%<----------------------------------------------------------------------
+ service imap-login {
+ inet_listener imap {
+ port = 10143
+ }
+ inet_listener imaps {
+ port = 10993
+ }
+ }
+ service pop3-login {
+ inet_listener pop3 {
+ port = 10110
+ }
+ inet_listener pop3s {
+ port = 10995
+ }
+ }
+ ---%<----------------------------------------------------------------------
+
+ * Change logging destination:
+
+ ---%<----------------------------------------------------------------------
+ log_path = /home/user/dovecot.log
+ ---%<----------------------------------------------------------------------
+
+ * Instead of <passdb PAM> [PasswordDatabase.PAM.txt] use for example
+ <passwd-file> [AuthDatabase.PasswdFile.txt]:
+
+ ---%<----------------------------------------------------------------------
+ passdb {
+ driver = passwd-file
+ args = /home/user/dovecot/etc/passwd
+ }
+ userdb {
+ driver = passwd
+ }
+ ---%<----------------------------------------------------------------------
+
+ Where the 'passwd' file contains the username and password for your login
+ user:
+
+ ---%<----------------------------------------------------------------------
+ user:{PLAIN}pass
+ ---%<----------------------------------------------------------------------
+
+(This file was created from the wiki on 2019-06-19 12:42)
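Review bot: the passwd-file example near the end of the hunk (`user:{PLAIN}pass`) stores the login password in cleartext and the text says nothing about protecting that file; since the whole point of the rootless setup is that every Dovecot process runs as the same single user, the doc should tell the reader to keep `/home/user/dovecot/etc/passwd` readable only by that user (mode 0600) and, ideally, to use one of Dovecot's hashed password schemes rather than `{PLAIN}`. Two smaller points: the "Change listener ports" bullet gives 10143/10993/10110/10995 without saying why, and one sentence noting that an unprivileged user cannot bind the standard ports below 1024 would make the choice self-explanatory; and the paths are inconsistent, with `$HOME/dovecot` and `~/dovecot` in the Installation section but a hard-coded `/home/user/...` in `log_path` and in the passdb `args`, so readers are likely to paste the literal `/home/user` and get a non-working config.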