Bug#371087: cyrus21-imapd: Fatal error: tls_init() failed if user cyrus is not in ssl-cert group

Benjamin Seidenberg astronut at dlgeek.net
Thu Jun 8 14:45:38 UTC 2006


Sven Mueller wrote:
> Henrique de Moraes Holschuh wrote on 07/06/2006 21:29:
>   
>> On Wed, 07 Jun 2006, Diego Fdez. Durán wrote:
>>
>>     
>>> So I think that the cyrus-imapd installation scripts need to add the
>>> cyrus user to the ssl-cert group. (I don't know if the installer already
>>> adds cyrus to group ssl-cert, sorry).
>>>       
>> THIS would be a very bad idea.  Cyrus should be reading sensitive data as
>> root, and not asking people to give the cyrus user any access to private
>> data.  I don't think we get this right in Cyrus yet, though.
>>     
>
> It's almost impossible to get that right, if I understand the mechanisms
> in cyrus correctly. The problem is that the only process started with
> root rights is cyrmaster. However, cyrmaster doesn't handle the content
> _or_ encryption of the connections itself, it leaves that to its
> children (imapd, pop3d etc.), which only get started as user cyrus.
>   
I don't like the program reading/writing stuff as root. I'd like to be
able to customize myself what it does - by controlling its groups and
permissions.
>   
>> I am dead set *against* adding the cyrus user to the ssl-cert group.  Other
>> solutions, including changing documentation, default paths, etc are welcome,
>> of course.
>>     
>
> I'm with you in restricting cyrus to what it needs to do. However, I
> don't see a better solution here than adding the cyrus user to the
> ssl-cert group. Most setups will want to use the same SSL key&cert for
> Cyrus and any other SSL-enabled service (postfix, exim, apache, just to
> name a few). That's exactly what the ssl-cert group is for - IIUIC.
>
>   
Ack. By default, don't do it, make it clear that it's what should be
done to use the SSL feature. I don't see how adding a group is any
different than generating a cert or something - it's part of the user's
setup.

Documentation:
"Note! If you want cyrus to use the system-wide SSL certificates, you
will need to add cyrus to the ssl-cert group. This is not done by default."

It's much easier to let the user do it, IFF they need to.

(BTW, I think that's our main delta w/ Ubuntu - they add to the ssl-cert
group in 2.2).


> Any better solution is welcome.
>
> Regards,
> Sven
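The access-control point argued above (cyrmaster runs as root, but imapd/pop3d run as cyrus and only reach the key if cyrus is in the group owning it), worked through as an added example that is not part of this thread or of the Cyrus package. It models a POSIX permission check over a constructed directory layout; the 0710 directory / 0640 key ownership, the key path and the numeric uids/gids are assumptions, not values taken from the bug report.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """Minimal stand-in for a stat() result: owner uid, group gid, mode bits."""
    uid: int
    gid: int
    mode: int


def may(node: Node, want: int, uid: int, gids: set) -> bool:
    """POSIX-style check for one read (4) or search/execute (1) bit.
    Root bypasses mode bits; otherwise the owner, group or other class applies."""
    if uid == 0:
        return True
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bool(bits & want)


def can_read_file(path: str, fs: dict, uid: int, gids: set) -> bool:
    """Every directory on the path needs search (x); the file itself needs read (r).
    A 0710 directory therefore blocks non-members before the key's mode is even consulted."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        directory = "/" + "/".join(parts[:i])
        if not may(fs[directory], stat.S_IXOTH, uid, gids):
            return False
    return may(fs[path], stat.S_IROTH, uid, gids)


# Constructed layout (assumption): key directory root:ssl-cert 0710, key root:ssl-cert 0640.
ROOT, CYRUS, SSL_CERT = 0, 110, 104        # constructed uid/gid values
KEY = "/etc/ssl/private/server.key"        # constructed path
FS = {
    "/etc": Node(ROOT, ROOT, 0o755),
    "/etc/ssl": Node(ROOT, ROOT, 0o755),
    "/etc/ssl/private": Node(ROOT, SSL_CERT, 0o710),
    KEY: Node(ROOT, SSL_CERT, 0o640),
}


def cyrmaster_can_read() -> bool:          # master process, runs as root
    return can_read_file(KEY, FS, ROOT, {ROOT})

def imapd_can_read() -> bool:              # child, runs as cyrus, default groups
    return can_read_file(KEY, FS, CYRUS, {CYRUS})

def imapd_in_ssl_cert_can_read() -> bool:  # child after adding cyrus to ssl-cert
    return can_read_file(KEY, FS, CYRUS, {CYRUS, SSL_CERT})
```

Running the three checks shows why tls_init() fails in the child even though the root-run master could open the key, and that group membership (not root access) is what the child needs.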


