File Safety Checks
Introduction
Some files used by GNU Mailutils keep confidential information and should be accessible only to a limited set of system users. Before using such a file, Mailutils applies a series of safety checks to it. The file will be used only if all of the checks succeed. The number and purpose of these checks depend on the file being checked and can be configured.
Implemented Checks
For configuration purposes, each check has a symbolic name, which can be used to request or disable it. The table below lists all file safety checks implemented so far along with their names and descriptions. The checks are listed in order of decreasing priority, which is also the order in which they are applied.
- awrfil
- Fails if the file is world-writable (all-writable file).
- gwrfil
- Fails if the file is group-writable (group-writable file).
- linkwrdir
- Fails if the file is a symbolic link located in a (world- or group-) writable directory (Linked file in writable directory).
- awrdir
- Fails if the file is located in a world-writable directory (all-writable directory).
- gwrdir
- Fails if the file is located in a group-writable directory (group-writable directory).
- ardfil
- Fails if the file is world-readable (all-readable file).
- grdfil
- Fails if the file is group-readable (group-readable file).
Configuration
Several configuration file keywords are provided to control the safety checks applied to the various files used by Mailutils. All of them take as their argument a white-space separated list of check names. Each check name, when listed, enables the corresponding check, unless it is preceded by a dash (-), which disables it. For symmetry, a name can be preceded by a plus sign, which does not alter its meaning. The checks specified this way alter the default safety checks for that particular file. For example, consider the following specification:
-grdfil -ardfil linkwrdir
It relaxes the default set of checks by allowing the file to be group- or world-readable, and on the other hand tightens it by forbidding a linked file in a writable directory.
To facilitate configuration, the following special keywords are also provided:
- all
- Enables all the above checks.
- none
- Disables all checks.
- default
- Stands for a default check set for the file in question.
Thus, to enable only ardfil and awrfil checks one would write:
none +ardfil +awrfil
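To make the list semantics above concrete, the following added Python example (not part of Mailutils, which implements these checks in C) resolves a check list against a file's default set and then applies the resulting checks, in the priority order given in the table, to a real file using stat(2) permission bits. The defaults table, the temporary files and the permission modes are constructed for the demonstration; the per-file default strings are the ones quoted elsewhere on this page. The ownership requirement on the forward file is not modelled.

```python
import os
import stat
import tempfile

# Check names in decreasing priority, the order in which they are applied.
CHECKS = ("awrfil", "gwrfil", "linkwrdir", "awrdir", "gwrdir", "ardfil", "grdfil")

# Default check sets as documented on this page (constructed lookup table).
DEFAULTS = {
    "key-file": "all",
    "cert-file": "+awrfil +gwrfil +linkwrdir",
    "ca-file": "+awrfil +gwrfil +linkwrdir",
    "forward": "awrfil gwrfil linkwrdir awrdir gwrdir",
}


def _apply(tokens, enabled, default):
    """Process a token list left to right: name/+name enables, -name disables,
    all / none / default replace the whole set."""
    for tok in tokens:
        if tok == "all":
            enabled = set(CHECKS)
        elif tok == "none":
            enabled = set()
        elif tok == "default":
            enabled = set(default)
        else:
            sign, name = (tok[0], tok[1:]) if tok[:1] in "+-" else ("+", tok)
            if name not in CHECKS:
                raise ValueError("unknown check name: %r" % tok)
            if sign == "-":
                enabled.discard(name)
            else:
                enabled.add(name)
    return enabled


def resolve_checks(spec, default_spec="none"):
    """Return the enabled checks, in priority order, after applying `spec`
    on top of the file's default set `default_spec`."""
    default = _apply(default_spec.split(), set(), frozenset())
    enabled = _apply(spec.split(), set(default), default)
    return [c for c in CHECKS if c in enabled]


def run_checks(path, checks):
    """Apply `checks` in priority order; return the first failing check name, or None."""
    fmode = os.stat(path).st_mode                  # follows symlinks: the target's own bits
    dirname = os.path.dirname(os.path.abspath(path))
    dmode = os.stat(dirname).st_mode               # the directory that holds the file (or link)
    is_link = os.path.islink(path)
    failed = {
        "awrfil": fmode & stat.S_IWOTH,
        "gwrfil": fmode & stat.S_IWGRP,
        "linkwrdir": is_link and dmode & (stat.S_IWOTH | stat.S_IWGRP),
        "awrdir": dmode & stat.S_IWOTH,
        "gwrdir": dmode & stat.S_IWGRP,
        "ardfil": fmode & stat.S_IROTH,
        "grdfil": fmode & stat.S_IRGRP,
    }
    for name in checks:
        if failed[name]:
            return name
    return None


def demo():
    """Constructed scenario in a private temporary directory; returns each case's outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        key = os.path.join(d, "key.pem")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o640)  # group-readable key file
        results["key_default"] = run_checks(key, resolve_checks("", DEFAULTS["key-file"]))
        results["key_relaxed"] = run_checks(key, resolve_checks("-grdfil", DEFAULTS["key-file"]))
        os.chmod(key, 0o660)  # group-writable: rejected even by the looser cert-file default
        results["cert_default"] = run_checks(key, resolve_checks("", DEFAULTS["cert-file"]))
        # A symbolic link living in a group-writable directory.
        os.chmod(key, 0o600)
        link = os.path.join(d, "forward")
        os.symlink(key, link)
        os.chmod(d, 0o770)
        results["forward_link"] = run_checks(link, resolve_checks("", DEFAULTS["forward"]))
        results["forward_relaxed"] = run_checks(link, resolve_checks("default -linkwrdir", DEFAULTS["forward"]))
        results["only_read_write"] = run_checks(link, resolve_checks("none +ardfil +awrfil", "all"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-16s %s" % (case, outcome or "ok"))
```

Note that disabling linkwrdir for the forward file does not make the group-writable directory acceptable: the lower-priority gwrdir check still fires, which is why the defaults list several overlapping checks rather than one.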
Checked Files
This section discusses the files to which the security checks are applied.
SSL Files
These are the SSL key, certificate and certificate authority (CA) files. They are configured using the tls-file-checks block statement:
tls-file-checks {
key-file <arg: list>; # Configures safety checks for the key file.
cert-file <arg: list>; # Configures safety checks for the certificate file.
ca-file <arg: list>; # Configures safety checks for the CA file.
};
The keywords configuring file-specific tests and their corresponding defaults are as follows:
- key-file
- Safety checks for the SSL key file. The default is: all.
- cert-file
- Safety checks for the SSL certificate file. The default is: +awrfil +gwrfil +linkwrdir.
- ca-file
- Safety checks for the SSL certificate authority file. The default is: +awrfil +gwrfil +linkwrdir.
For example, the following configuration allows the key file to be group-readable:
tls-file-checks {
key-file -grdfil;
};
The Forward File
The forward file supported by mda and lmtpd is a traditional dot-forward file controlling mail forwarding for the system user. By default, the following checks are applied to it: awrfil gwrfil linkwrdir awrdir gwrdir. Additionally, the file is required to be owned by the user it belongs to.
Safety checks for the forward file are controlled by the forward.file-checks statement. For example:
forward {
# Process forward file.
file ".forward";
# Configure safety checks for the forward file.
file-checks default -gwrdir;
}
DBM Files
Checks applied to various DBM files are controlled individually for each database.