File Safety Checks

From Mailutils
Revision as of 11:59, 18 October 2011 by Gray (talk | contribs)

Introduction

Some files used by GNU Mailutils keep confidential information and should be accessible for a limited set of system users. Before using such files, Mailutils applies to them a series of safety checks. The file will be used only if all of the checks succeed. The number and purpose of these checks depend on the file being checked and can be configured.

Implemented Checks

For configuration purposes, each check has a symbolic name, which can be used to request or disable it. The table below lists all file safety checks implemented so far along with their names and descriptions. The checks are listed in order of decreasing priority, which is also the order in which they are applied.

awrfil
Fails if the file is world-writable (all-writable file).
gwrfil
Fails if the file is group-writable (group-writable file).
linkwrdir
Fails if the file is a symbolic link located in a (world- or group-) writable directory (Linked file in writable directory).
awrdir
Fails if the file is located in a world-writable directory (all-writable directory).
gwrdir
Fails if the file is located in a group-writable directory (group-writable directory).
ardfil
Fails if the file is world-readable (all-readable file).
grdfil
Fails if the file is group-readable (group-readable file).

Configuration

Several configuration file keywords are provided to control the safety checks applied to various files used by Mailutils. All of them take as their argument a white-space separated list of check names. Each check name, when listed, enables the corresponding check, unless it is preceded by a dash (-), which disables it. For symmetry, a name can be preceded by a plus sign, which does not alter its meaning. The checks specified this way alter the default safety checks for that particular file. For example, consider the following specification:

 -grdfil -ardfil linkwrdir

It relaxes the default set of checks by allowing the file to be group- or world-readable, and on the other hand tightens it by forbidding a linked file in a writable directory.

To facilitate configuration, the following special keywords are also provided:

all
Enables all the above checks.
none
Disables all checks.
default
Stands for a default check set for the file in question.

Thus, to enable only ardfil and awrfil checks one would write:

 none +ardfil +awrfil

Checked Files

This section discusses the files to which the safety checks are applied.

SSL Files

These are the SSL key, certificate and certificate authority (CA) files. They are configured using the tls block statement:

 tls {
   enable <arg: boolean>;               # Enable client TLS encryption.
   ssl-key <file: string>;              # Sets the key file.
   key-file-safety-checks <arg: list>;  # Configures safety checks for the key file.
   ssl-cert <file: string>;             # Sets the certificate file.
   cert-file-safety-checks <arg: list>; # Configures safety checks for the certificate file.
   ssl-cafile <file: string>;           # Sets the certificate authority file.
   ca-file-safety-checks <arg: list>;   # Configures safety checks for that file.
 };

The keywords configuring file-specific tests and their corresponding defaults are as follows:

key-file-safety-checks
Safety checks for the SSL key file. The default is: all.
cert-file-safety-checks
Safety checks for the SSL certificate file. The default is: +awrfil +gwrfil +linkwrdir.
ca-file-safety-checks
Safety checks for the SSL certificate authority file. The default is: +awrfil +gwrfil +linkwrdir.

For example, the following configuration allows the key file to be group-readable:

tls {
  ssl-key "/etc/mailutils/ssl/server.key";
  key-file-safety-checks -grdfil;
}

The Forward File

The forward file supported by Maidag is a traditional dot-forward file controlling mail forwarding for the system user. By default, the following checks are applied to it: awrfil gwrfil linkwrdir awrdir gwrdir. Additionally, the file is required to be owned by the user it belongs to.

Note: The latter check should perhaps be configurable too, but currently there is no way to disable it.

Safety checks for the forward file are controlled by the forward-file-checks statement. For example:

forward-file-checks default -gwrdir;