Package: davmail
Version: 5.5.1.3299-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Davmail seems to run with systemd's DynamicUser configuration. That means 
that the user the daemon runs with is not known before runtime. Therefore
I cannot give specific permissions to the private keys for SSL. See the
excerpt from the configuration file /etc/davmail.properties below. I
use davmail.ssl.keystoreFile to set the file with the certificate and
the private key. I have to give o+r permissions to make this work,
because I cannot change the ownership to the user davmail uses.

I also suspect that the following error has to do with the same problem:

Aug 11 14:21:52 delta davmail[167802]: 2020-08-11 14:21:52,294 ERROR [main] davmail  - Unable to set log file path

The log file directive in /etc/davmail.properties is also printed below.
I use davmail.logFilePath to set the log path. But I cannot give the
daemon the right permissions to the /var/log path, because the user is
not known before runtime due to the DynamicUser configuration.

Is there a solution or should DynamicUser be turned off as it was before?

Best,
Christoph


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages davmail depends on:
ii  adduser                                           3.118
ii  default-jre-headless [java9-runtime-headless]     2:1.11-72
ii  init-system-helpers                               1.58
ii  jarwrapper                                        0.75
ii  libcommons-codec-java                             1.14-1
ii  libcommons-httpclient-java                        3.1-15
ii  libcommons-logging-java                           1.2-2
ii  libhtmlcleaner-java                               2.24-1
ii  libhttpclient-java                                4.5.11-1
ii  libjackrabbit-java                                2.18.0+r2.14.6-1
ii  libjcifs-java                                     1.3.19-2
ii  libjettison-java                                  1.4.0-1
ii  liblog4j1.2-java                                  1.2.17-9
ii  libmail-java                                      1.6.5-1
ii  libservlet-api-java                               4.0.1-2
ii  libslf4j-java                                     1.7.25-3
ii  libstax2-api-java                                 4.1-1
ii  libwoodstox-java                                  1:6.2.0-1
ii  logrotate                                         3.16.0-3
ii  lsb-base                                          11.1.0
ii  openjdk-11-jre-headless [java9-runtime-headless]  11.0.8+10-1

davmail recommends no packages.

Versions of packages davmail suggests:
ii  libopenjfx-java         11.0.7+0-2
pn  libswt-cairo-gtk-4-jni  <none>
pn  libswt-gtk2-4-jni       <none>

-- Configuration Files:
/etc/davmail.properties changed:
davmail.ssl.keystoreType=PKCS12
davmail.ssl.keystoreFile=/etc/ssl/ServerCA/apache.cert.subaltnames.pkcs12
davmail.logFilePath=/var/log/davmail.log

-- no debconf information
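
The permission problem described in the report can be checked mechanically. The following is an added example, not part of the original report or of the davmail package: it reads the two properties quoted above and reports what the "other" permission class allows, since a UID allocated at runtime owns no pre-existing file and belongs to no pre-existing group. The function names and finding labels are assumptions, and ACLs and parent-directory traversal are not considered.

```python
import os
import stat
import sys


def parse_properties(text):
    """Parse the key=value subset of Java .properties used in the report."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props_text):
    """Return (label, path, mode) findings for the keystore and log settings."""
    props = parse_properties(props_text)
    findings = []

    # A keystore readable by "other" is readable by every local account,
    # not only by the dynamically allocated service user.
    keystore = props.get("davmail.ssl.keystoreFile")
    if keystore and os.path.isfile(keystore):
        mode = stat.S_IMODE(os.stat(keystore).st_mode)
        if mode & stat.S_IROTH:
            findings.append(("keystore-readable-by-other", keystore, oct(mode)))

    # A UID that is neither owner nor group member can create the log file
    # only if the directory grants write access to "other".
    log_path = props.get("davmail.logFilePath")
    if log_path:
        log_dir = os.path.dirname(log_path) or "."
        if os.path.isdir(log_dir):
            mode = stat.S_IMODE(os.stat(log_dir).st_mode)
            if not mode & stat.S_IWOTH:
                findings.append(("logdir-not-writable-by-other", log_dir, oct(mode)))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/davmail.properties"
    with open(path) as fh:
        for finding in audit(fh.read()):
            print(*finding)
```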
