Protect sensitive information from read #4

Closed
claudex opened this issue Feb 25, 2014 · 7 comments

@claudex

commented Feb 25, 2014

There is only one attribute to set the mode for the configuration files, but there are two kinds of files. Most of them should be world readable (to have tools like `doveadm pw` or `/usr/lib/dovecot/deliver` working) but those with sensitive information like `dovecot-sql.conf.ext` and `dovecot-dict-sql.conf.ext` should not be world readable.

@zuazo

Owner

commented Mar 3, 2014

Thanks for the report. Do you think that allowing different modes for .conf and .ext file types will be enough? Or do you think we should be able to change the mode for each file individually?

@claudex

Author

commented Mar 3, 2014

Thanks for your answer ;) I was thinking of a `['dovecot']['conf_files']['sensitive']` attribute that contains the sensitive files with a mode set by `['dovecot']['sensitive_files_mode']`. But your solution is much simpler. Be careful that this will only work for files in `/etc/dovecot/`, the .ext files in `/etc/dovecot/conf.d/` need to have the same mode as the other .conf.

I don't think that each file should have a different mode.
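An audit for the split discussed in this thread, added here as an example and not taken from the cookbook: the two sensitive files named above must not be world readable, while every other file, including the .ext files under `conf.d/`, must stay world readable. The function and constant names and the sample tree are constructed for illustration.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Files the issue names as sensitive, relative to the Dovecot configuration
# directory (/etc/dovecot in the thread). Names under conf.d/ never match.
SENSITIVE_FILES = %w[dovecot-sql.conf.ext dovecot-dict-sql.conf.ext].freeze
WORLD_READ = 0o004

# Returns [relative_path, octal_mode, problem] triples, sorted by path.
# :sensitive_world_readable -> credentials exposed to every local user
# :not_world_readable       -> unprivileged tools can no longer read the file
def audit_dovecot_modes(conf_dir, sensitive = SENSITIVE_FILES)
  findings = []
  Find.find(conf_dir) do |path|
    next unless File.file?(path) && !File.symlink?(path)
    rel = path.delete_prefix(conf_dir.chomp('/') + '/')
    mode = File.stat(path).mode & 0o7777
    world_readable = (mode & WORLD_READ) != 0
    if sensitive.include?(rel)
      findings << [rel, format('%04o', mode), :sensitive_world_readable] if world_readable
    elsif !world_readable
      findings << [rel, format('%04o', mode), :not_world_readable]
    end
  end
  findings.sort_by(&:first)
end

# Constructed sample tree, not a real server's configuration.
def build_sample_tree(root)
  FileUtils.mkdir_p(File.join(root, 'conf.d'))
  modes = { 'dovecot.conf' => 0o644,
            'dovecot-sql.conf.ext' => 0o644,       # secret left world readable
            'dovecot-dict-sql.conf.ext' => 0o640,  # restricted, as requested
            'conf.d/auth-sql.conf.ext' => 0o640,   # too strict for a conf.d file
            'conf.d/10-auth.conf' => 0o644 }
  modes.each do |rel, mode|
    path = File.join(root, rel)
    File.write(path, "# constructed\n")
    File.chmod(mode, path)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_tree(root)
    audit_dovecot_modes(root).each { |finding| puts finding.join("\t") }
  end
end
```

Called as `audit_dovecot_modes('/etc/dovecot')`, it reports both kinds of drift; an empty result means the modes match the split described in the issue.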

@zuazo zuazo closed this in ec0736b Mar 8, 2014

@zuazo

Owner

commented Mar 8, 2014

Thanks. After some consideration, I preferred your solution over mine 😄

Committed in ec0736b. I'm going to release this in a few days after some testing.

@claudex

Author

commented Mar 8, 2014

Ok, I'll test this commit on Monday on my test infrastructure. Thanks for the fix.

@zuazo

Owner

commented Mar 13, 2014

Thanks for your help. Released in version 0.3.0.

@iiro


commented Apr 12, 2015

Hi,

and first of all - excellent work! :)

Did you get this setting to play nice with PostfixAdmin too? PFA needs to read some of these files if I remember correctly...

I would definitely love to use file mode 640 for stuff - but then PFA stops working (it's running on its own username).

@zuazo

Owner

commented Apr 14, 2015

Sorry, @iiro, I have not tried it. But I'll let you know if I ever get it to work.

zuazo pushed a commit that referenced this issue Apr 6, 2016

zuazo pushed a commit that referenced this issue Aug 31, 2018

Merge pull request #4 from ledgr/fix/chef_14
Comply to Foodcritic and Rubocop requirements