Hello Dovecot devs,
I think I found a bug in Dovecot's config handling. The semantics of e.g.

    ssl_server {
      cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    }

in a config file is slightly different to

    ssl_server_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    ssl_server_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

If the directives are used in the second (flat) format, they can be overridden by
doveadm (or the sieve* binaries); if the first (structured) version is used, they
cannot be overridden. Even if the flat format is used in a "local" config file to
override the default config as installed by the CE Debian package (which uses the
structured format), overriding the value of ssl_server_key_file on the doveadm
cmdline is not possible.
This prevents unprivileged users from using doveadm or the sieve* binaries, as
the tools will fail with an access error for the key file, even if the user knows
and uses "-o ssl_server_key_file=''" or "-o ssl_server/key_file=''".
I did not test overriding other settings in structured format, but I assume that the
issue is also present there. That means settings that are specified in the
structured format CANNOT be overridden with the "-o" cmdline option.
I would like to ask you to fix this issue in one of the next releases, please!
Best regards,
P.S.: It would be nice if doveconf would also get a "-o" option to test
overrides.
--
Patrick Cernko <[email protected]> +49 681 9325 5815
Joint Scientific IT and Technical Service
Max-Planck-Institute für Informatik & Softwaresysteme