File Safety Checks

From Mailutils

Introduction

Some files used by GNU Mailutils keep confidential information and should be accessible for a limited set of system users. Before using such files, Mailutils applies to them a series of safety checks. The file will be used only if all of the checks succeed. The number and purpose of these checks depend on the file being checked and can be configured.

Implemented Checks

For configuration purposes, each check has a symbolic name, which can be used to request or disable it. The table below lists all file safety checks implemented so far along with their names and descriptions. The checks are listed in order of decreasing priority, which is also the order in which they are applied.

awrfil
Fails if the file is world-writable (all-writable file).
gwrfil
Fails if the file is group-writable (group-writable file).
linkwrdir
Fails if the file is a symbolic link located in a (world- or group-) writable directory (Linked file in writable directory).
awrdir
Fails if the file is located in a world-writable directory (all-writable directory).
gwrdir
Fails if the file is located in a group-writable directory (group-writable directory).
ardfil
Fails if the file is world-readable (all-readable file).
grdfil
Fails if the file is group-readable (group-readable file).

Configuration

Several configuration file keywords are provided to control safety checks applied to various files used by Mailutils. All of them take as their argument a white-space separated list of check names. Each check name, when listed, enables the corresponding check, unless preceded by a dash (-) which disables it. For symmetry, a name can be preceded by a plus sign, which does not alter its meaning. The checks specified this way alter the default safety checks for that particular file. For example, consider the following specification:

 -grdfil -ardfil linkwrdir

It relaxes the default set of checks by allowing the file to be group- or world-readable, and on the other hand tightens it by forbidding a linked file in a writable directory.

To facilitate configuration, the following special keywords are also provided:

all
Enables all the above checks.
none
Disables all checks.
default
Stands for a default check set for the file in question.

Thus, to enable only ardfil and awrfil checks one would write:

 none +ardfil +awrfil

Checked Files

This section discusses the files to which the safety checks are applied.

SSL Files

These are the SSL key, certificate and certificate authority (CA) files. They are configured using the tls-file-checks block statement:

 tls-file-checks {
   key-file <arg: list>;  # Configures safety checks for the key file.
   cert-file <arg: list>; # Configures safety checks for the certificate file.
   ca-file <arg: list>;   # Configures safety checks for the CA file.
 };

The keywords configuring file-specific tests and their corresponding defaults are as follows:

key-file
Safety checks for the SSL key file. The default is: all.
cert-file
Safety checks for the SSL certificate file. The default is: +awrfil +gwrfil +linkwrdir.
ca-file
Safety checks for the SSL certificate authority file. The default is: +awrfil +gwrfil +linkwrdir.

For example, the following configuration allows the key file to be group-readable (the keyword is key-file, as listed above):

tls-file-checks {
  key-file -grdfil;
}

The Forward File

The forward file supported by mda and lmtpd is a traditional dot-forward file controlling mail forwarding for the system user. By default, the following checks are applied to it: awrfil gwrfil linkwrdir awrdir gwrdir. Additionally, the file is required to be owned by the user it belongs to.

Note: That latter check should perhaps be configurable too, but currently there is no way to disable it.

Safety checks for the forward file are controlled by the forward.file-checks statement. For example:

forward {
  # Process forward file.
  file ".forward";
  # Configure safety checks for the forward file.
  file-checks default -gwrdir;
}
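The check-list syntax from the Configuration section (check names, the +/- prefixes, and the all/none/default keywords), the seven checks in their priority order, and the forward file's ownership requirement from this section, modeled as an added Python example. This is not Mailutils code: it is an independent model that evaluates the same conditions with os.stat on real files, and it assumes (as Mailutils does not state) that the ownership rule is evaluated after the configurable checks. The scenario in demo() is constructed: a 0640 key file in a 0755 directory and a symlink to it in a group-writable subdirectory.

```python
import os
import stat
import tempfile

# Hypothetical model of the Mailutils file safety checks (added example, not
# Mailutils code).  Checks in decreasing priority; this is also the order in
# which they are applied, so the first failing check is the one reported.
CHECK_ORDER = ("awrfil", "gwrfil", "linkwrdir", "awrdir", "gwrdir", "ardfil", "grdfil")
ALL_CHECKS = frozenset(CHECK_ORDER)


def parse_check_list(spec, default):
    """Apply a white-space separated check list to a default check set.

    'name' or '+name' enables a check and '-name' disables it; the keywords
    'all', 'none' and 'default' replace the working set.  Unknown names are
    rejected rather than silently ignored.
    """
    enabled = set(default)
    for token in spec.split():
        if token == "all":
            enabled = set(ALL_CHECKS)
        elif token == "none":
            enabled = set()
        elif token == "default":
            enabled = set(default)
        else:
            name = token[1:] if token[:1] in "+-" else token
            if name not in ALL_CHECKS:
                raise ValueError(f"unknown check name: {token!r}")
            if token.startswith("-"):
                enabled.discard(name)
            else:
                enabled.add(name)
    return frozenset(enabled)


def check_file(path, enabled, owner=None):
    """Return the name of the first failing check, or None if the file passes.

    File mode bits come from os.stat (the link target when path is a symlink);
    the link test itself uses os.lstat on path.  The directory checked is the
    one containing path, unresolved, i.e. the directory a symlink lives in.
    `owner` models the forward file's non-configurable ownership rule; that it
    runs after the configurable checks is an assumption of this model.
    """
    st = os.stat(path)
    dir_mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    is_link = stat.S_ISLNK(os.lstat(path).st_mode)
    failed = {
        "awrfil": bool(st.st_mode & stat.S_IWOTH),
        "gwrfil": bool(st.st_mode & stat.S_IWGRP),
        "linkwrdir": is_link and bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "awrdir": bool(dir_mode & stat.S_IWOTH),
        "gwrdir": bool(dir_mode & stat.S_IWGRP),
        "ardfil": bool(st.st_mode & stat.S_IROTH),
        "grdfil": bool(st.st_mode & stat.S_IRGRP),
    }
    for name in CHECK_ORDER:
        if name in enabled and failed[name]:
            return name
    if owner is not None and st.st_uid != owner:
        return "owner"
    return None


def demo():
    """Constructed scenario: a 0640 key file in a 0755 directory, plus a
    symlink to it in a group-writable (0770) subdirectory."""
    key_default = ALL_CHECKS                       # key-file default is "all"
    with tempfile.TemporaryDirectory() as top:
        os.chmod(top, 0o755)
        key = os.path.join(top, "key.pem")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o640)
        linkdir = os.path.join(top, "shared")
        os.mkdir(linkdir)
        os.chmod(linkdir, 0o770)                   # explicit: mkdir honours umask
        link = os.path.join(linkdir, "key.pem")
        os.symlink(key, link)
        me = os.getuid()
        return {
            "strict": check_file(key, parse_check_list("all", key_default)),
            "relaxed": check_file(key, parse_check_list("-grdfil", key_default)),
            "link": check_file(link, parse_check_list("all", key_default)),
            "owner_ok": check_file(key, parse_check_list("none", key_default), owner=me),
            "owner_bad": check_file(key, parse_check_list("none", key_default), owner=me + 1),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result is None else 'failed ' + result}")
```

Running the block shows the 0640 key file rejected by grdfil under the key-file default and accepted once "-grdfil" is applied, the symlink rejected by linkwrdir before the lower-priority directory checks are reached, and the ownership mismatch reported only when every configurable check is disabled with "none".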

DBM Files

Checks applied to various DBM files are controlled individually for each database.
