Difference between revisions of "File Safety Checks"

From Mailutils
 
(5 intermediate revisions by the same user not shown)
Line 62: Line 62:
 
=== SSL Files ===
 
=== SSL Files ===
  
These are SSL key, certificate and certificate authority (CA) files.  They are configured using <tt>tls</tt>
+
These are SSL key, certificate and certificate authority (CA) files.  They are configured using <tt>tls-file-checks</tt>
 
block statement:
 
block statement:
  
 
<source>
 
<source>
  tls {   
+
  tls-file-checks {   
  enable <arg: boolean>;              # Enable client TLS encryption. 
+
   key-file <arg: list>;  # Configures safety checks for the key file.
  ssl-key <file: string>;              # Sets the key file.
+
   cert-file <arg: list>; # Configures safety checks for the certificate file.
   key-file-safety-checks <arg: list>;  # Configures safety checks for the key file.
+
   ca-file <arg: list>;  # Configures safety checks for that file.
  ssl-cert <file: string>;            # Sets the certificate file.
 
   cert-file-safety-checks <arg: list>; # Configures safety checks for the certificate file.
 
  ssl-cafile <file: string>;          # Sets the certificate authority file.  
 
   ca-file-safety-checks <arg: list>;  # Configures safety checks for that file.
 
 
  };
 
  };
 
</source>
 
</source>
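Review bot: The comment on the new ca-file line, "Configures safety checks for that file.", has lost its referent now that the ssl-cafile line it used to follow is removed. Spell it out as "Configures safety checks for the certificate authority file." so that it matches the key-file and cert-file comments.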
Line 79: Line 75:
 
The keywords configuring file-specific tests and their corresponding defaults are as follows:
 
The keywords configuring file-specific tests and their corresponding defaults are as follows:
  
;key-file-safety-checks
+
;key-file
 
: Safety checks for the SSL key file.  The default is: <tt>all</tt>.
 
: Safety checks for the SSL key file.  The default is: <tt>all</tt>.
  
;cert-file-safety-checks
+
;cert-file
 
: Safety checks for the SSL certificate file.  The default is: <tt>+awrfil +gwrfil +linkwrdir</tt>.
 
: Safety checks for the SSL certificate file.  The default is: <tt>+awrfil +gwrfil +linkwrdir</tt>.
  
;ca-file-safety-checks
+
;ca-file
 
: Safety checks for the SSL certificate authority file.  The default is: <tt>+awrfil +gwrfil +linkwrdir</tt>.
 
: Safety checks for the SSL certificate authority file.  The default is: <tt>+awrfil +gwrfil +linkwrdir</tt>.
  
Line 91: Line 87:
  
 
<source>
 
<source>
tls {
+
tls-file-checks {
   ssl-key "/etc/mailutils/ssl/server.key";
+
   ssl-key -grdfil;
  key-file-safety-checks -grdfil;
 
 
}
 
}
 
</source>
 
</source>
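Review bot: The new example line "ssl-key -grdfil;" uses a keyword that the revised tls-file-checks block does not define. The block's keywords in this revision are key-file, cert-file and ca-file, so the line should read "key-file -grdfil;" to do what the preceding sentence says.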
Line 99: Line 94:
 
=== The Forward File ===
 
=== The Forward File ===
  
The '''forward''' file supported by [[Maidag]] is a traditional '''dot-forward''' file controlling mail forwarding for the system user.  By default, the following checks are applied to it: <tt>awrfil gwrfil linkwrdir awrdir gwrdir</tt>.  Additionally, the file is required to be owned by the user it belongs to.  
+
The '''forward''' file supported by [[mda]] and [[lmtpd]] is a traditional '''dot-forward''' file controlling mail forwarding for the system user.  By default, the following checks are applied to it: <tt>awrfil gwrfil linkwrdir awrdir gwrdir</tt>.  Additionally, the file is required to be owned by the user it belongs to.  
 
{{Note|That latter check should perhaps be configurable too, but currently there is no way to disable it.}}
 
{{Note|That latter check should perhaps be configurable too, but currently there is no way to disable it.}}
  
Safety checks for the forward file are controlled by the <tt>forward-file-checks</tt> statement.  For example:
+
Safety checks for the forward file are controlled by the <tt>forward.file-checks</tt> statement.  For example:
  
 
<source>
 
<source>
forward-file-checks default -gwrdir;
+
forward {
 +
  # Process forward file.
 +
  file ".forward";
 +
  # Configure safety checks for the forward file.
 +
  file-checks default -gwrdir;
 +
}
 
</source>
 
</source>
 +
 +
=== DBM Files ===
 +
 +
Checks applied to various DBM files are controlled [[Database URL#param|individually]] for each database.
  
 
== See also ==
 
== See also ==
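Review bot: The new DBM Files section says only that checks are controlled individually for each database and, unlike the SSL and forward file sections, names neither a default check set nor an example. State the default set here, or say explicitly that it is documented on the linked Database URL page.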

Latest revision as of 13:12, 6 November 2019

Introduction

Some files used by GNU Mailutils hold confidential information and should be accessible only to a limited set of system users. Before using such a file, Mailutils applies a series of safety checks to it. The file is used only if all of the checks succeed. The number and purpose of these checks depend on the file being checked and can be configured.

Implemented Checks

For configuration purposes, each check has a symbolic name, which can be used to request or disable it. The table below lists all file safety checks implemented so far along with their names and descriptions. The checks are listed in order of decreasing priority, which is also the order in which they are applied.

awrfil
Fails if the file is world-writable (all-writable file).
gwrfil
Fails if the file is group-writable (group-writable file).
linkwrdir
Fails if the file is a symbolic link located in a (world- or group-) writable directory (Linked file in writable directory).
awrdir
Fails if the file is located in a world-writable directory (all-writable directory).
gwrdir
Fails if the file is located in a group-writable directory (group-writable directory).
ardfil
Fails if the file is world-readable (all-readable file).
grdfil
Fails if the file is group-readable (group-readable file).

Configuration

Several configuration file keywords are provided to control the safety checks applied to various files used by Mailutils. All of them take as their argument a whitespace-separated list of check names. Each check name, when listed, enables the corresponding check, unless it is preceded by a dash (-), which disables it. For symmetry, a name can be preceded by a plus sign, which does not alter its meaning. The checks specified this way alter the default safety checks for that particular file. For example, consider the following specification:

 -grdfil -ardfil linkwrdir

It relaxes the default set of checks by allowing the file to be group- or world-readable and, on the other hand, tightens it by forbidding a linked file in a writable directory.

To facilitate configuration, the following special keywords are also provided:

all
Enables all the above checks.
none
Disables all checks.
default
Stands for a default check set for the file in question.

Thus, to enable only the ardfil and awrfil checks, one would write:

 none +ardfil +awrfil
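
The check names and the list syntax described above can be exercised with a small audit helper. The following Python is an added example, not Mailutils code: resolve() and first_failure() are hypothetical names, and the mode tests are one reading of the table's descriptions (for a symbolic link, the permission bits of the link target are assumed to be the ones tested).

```python
import os
import stat

# Check names in the priority order of the page's table.
CHECKS = ["awrfil", "gwrfil", "linkwrdir", "awrdir", "gwrdir", "ardfil", "grdfil"]


def resolve(spec, default):
    """Apply a spec such as 'default -gwrdir' on top of a file's default set."""
    enabled = set(default)
    for word in spec.split():
        if word == "all":
            enabled = set(CHECKS)
        elif word == "none":
            enabled = set()
        elif word == "default":
            enabled = set(default)
        else:
            name = word[1:] if word[0] in "+-" else word
            if name not in CHECKS:
                raise ValueError(f"unknown check: {word}")
            if word[0] == "-":
                enabled.discard(name)
            else:
                enabled.add(name)
    return [c for c in CHECKS if c in enabled]  # priority order


def first_failure(path, enabled):
    """Return the first enabled check that fails for path, or None."""
    is_link = stat.S_ISLNK(os.lstat(path).st_mode)
    fmode = os.stat(path).st_mode  # assumption: permissions of the link target
    # Directory that holds the file (or the link itself), symlinks unresolved.
    dmode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    group_or_world_w = stat.S_IWGRP | stat.S_IWOTH
    failed = {
        "awrfil": fmode & stat.S_IWOTH,
        "gwrfil": fmode & stat.S_IWGRP,
        "linkwrdir": is_link and dmode & group_or_world_w,
        "awrdir": dmode & stat.S_IWOTH,
        "gwrdir": dmode & stat.S_IWGRP,
        "ardfil": fmode & stat.S_IROTH,
        "grdfil": fmode & stat.S_IRGRP,
    }
    return next((name for name in enabled if failed[name]), None)
```

Running first_failure() over a key file with the list returned by resolve("all", []) shows which permission bit would make that file fail before a service is restarted with a changed configuration.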

Checked Files

This section discusses the files to which the safety checks are applied.

SSL Files

These are SSL key, certificate and certificate authority (CA) files. They are configured using the tls-file-checks block statement:

 tls-file-checks {
   key-file <arg: list>;  # Configures safety checks for the key file.
   cert-file <arg: list>; # Configures safety checks for the certificate file.
   ca-file <arg: list>;   # Configures safety checks for the certificate authority file.
 };

The keywords configuring file-specific tests and their corresponding defaults are as follows:

key-file
Safety checks for the SSL key file. The default is: all.
cert-file
Safety checks for the SSL certificate file. The default is: +awrfil +gwrfil +linkwrdir.
ca-file
Safety checks for the SSL certificate authority file. The default is: +awrfil +gwrfil +linkwrdir.

For example, the following configuration allows the key file to be group-readable:

tls-file-checks {
  key-file -grdfil;  # Drop the group-readable check for the key file.
}

The Forward File

The forward file supported by mda and lmtpd is a traditional dot-forward file controlling mail forwarding for the system user. By default, the following checks are applied to it: awrfil gwrfil linkwrdir awrdir gwrdir. Additionally, the file is required to be owned by the user it belongs to.

Note: That latter check should perhaps be configurable too, but currently there is no way to disable it.

Safety checks for the forward file are controlled by the forward.file-checks statement. For example:

forward {
  # Process forward file.
  file ".forward";
  # Configure safety checks for the forward file.
  file-checks default -gwrdir;
}

DBM Files

Checks applied to various DBM files are controlled individually for each database.

See also