[Bug 218392] mail/dovecot2: incompatible with security.bsd.see_other_uids and security.bsd.see_other_uids
bugzilla-noreply at freebsd.org
Wed Apr 5 07:27:42 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218392
Bug ID: 218392
Summary: mail/dovecot2: incompatible with security.bsd.see_other_uids and security.bsd.see_other_uids
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: adamw at FreeBSD.org
Reporter: topical at gmx.net
Flags: maintainer-feedback?(adamw at FreeBSD.org)
If you harden your FreeBSD system by enabling security.bsd.see_other_uids (or
security.bsd.see_other_uids), dovecot locking gets broken leading to data loss.
Dovecot uses lock files to make sure at most one process writes to a data file.
In case the writer process has died unexpectedly and didn't remove the lock
file, the file would be locked forever. To handle this, dovecot always checks
the PID existence of the lock owner and wipes the lock if the PID doesn't
exist.
If security.bsd.see_other_uids is active, the PID existence always fails if the
process owning the lock ("A") runs with a different UID than the process that
wants to acquire the lock ("B"). The second process ("B") thus assumes that the
current owner ("A") has died, wipes the lock and writes concurrently(!) to the
data file. This means that locking doesn't work at all and data loss is
inevitable.
Later on, the original owner ("A") will generate a syslog warning that its lock
file got lost somehow, but it's too late and the data file has been broken
already leading to further problems like lost mailboxes etc.
The workaround is to disable this hardening.
As this side-effect is far from obvious, I suggest adding a clearly visible
hint to the release notes of dovecot2.
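The failure mode described in the report, as an added example (not Dovecot code and not part of the original report): it assumes the existence check is done with `kill(pid, 0)` and that a hidden process is reported as `ESRCH`, the same error as a dead one. The `decide()` policy and its age threshold are hypothetical.

```c
#ifndef __FreeBSD__
#define _POSIX_C_SOURCE 200809L   /* declare kill() under strict -std= modes */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif

enum pid_state { PID_VISIBLE, PID_OTHER_UID, PID_NOT_VISIBLE };
enum lock_action { LOCK_WAIT, LOCK_BREAK };

/* Signal 0 delivers nothing; only existence and permission are checked. */
enum pid_state probe_pid(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return PID_VISIBLE;
    /* EPERM: the process exists but runs under another UID.
     * ESRCH: no such process, or (assumed here) one hidden from the caller. */
    return errno == EPERM ? PID_OTHER_UID : PID_NOT_VISIBLE;
}

/* Returns 1 when other users' processes may be hidden (sysctl set to 0). */
int other_uids_hidden(void)
{
#ifdef __FreeBSD__
    int v = 1;
    size_t len = sizeof(v);
    if (sysctlbyname("security.bsd.see_other_uids", &v, &len, NULL, 0) == 0)
        return v == 0;
#endif
    return 0;
}

/* Hypothetical policy: trust ESRCH only when nothing can be hidden;
 * otherwise break the lock only once it is older than max_age seconds. */
enum lock_action decide(enum pid_state st, int hidden, long age, long max_age)
{
    if (st != PID_NOT_VISIBLE)
        return LOCK_WAIT;              /* owner is demonstrably alive */
    if (!hidden)
        return LOCK_BREAK;             /* ESRCH is reliable: owner is gone */
    return age > max_age ? LOCK_BREAK : LOCK_WAIT;
}

int main(void)
{
    printf("self=%d hidden=%d\n", probe_pid(getpid()), other_uids_hidden());
    return 0;
}
```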