modoboa / modoboa-installer

An installer for Modoboa
MIT License
Security-concerns: world-readable configuration-files containing database-credentials #349

Open tomcrus001 opened 4 years ago

tomcrus001 commented 4 years ago

Impacted versions

Steps to reproduce

Normal installation using modoboa-install's run.py

Full trace using --debug option or current behaviour

Expected behavior

The following files containing database credentials mustn't be world-readable

After having done a fresh installation using modoboa-install:

tomcrus@vserver:/etc/dovecot$ ls -l /srv/modoboa/instance/instance/settings.py 
-rw-rw-r-- 1 modoboa modoboa 9467 Nov  1 02:34 /srv/modoboa/instance/instance/settings.py

admin@vserver:/etc/dovecot$ ls -l /etc/postfix/sql*.cf
-rw-r--r-- 1 root root  440 Nov  1 02:39 /etc/postfix/sql-aliases.cf
-rw-r--r-- 1 root root  400 Nov  1 02:39 /etc/postfix/sql-domain-aliases.cf
-rw-r--r-- 1 root root  319 Nov  1 02:39 /etc/postfix/sql-domains.cf
-rw-r--r-- 1 root root  492 Nov  1 02:39 /etc/postfix/sql-maintain.cf
-rw-r--r-- 1 root root  308 Nov  1 02:39 /etc/postfix/sql-relay-recipient-verification.cf
-rw-r--r-- 1 root root  324 Nov  1 02:39 /etc/postfix/sql-relaydomains.cf
-rw-r--r-- 1 root root 1198 Nov  1 02:39 /etc/postfix/sql-sender-login-map.cf
-rw-r--r-- 1 root root  516 Nov  1 02:39 /etc/postfix/sql-spliteddomains-transport.cf
-rw-r--r-- 1 root root  323 Nov  1 02:39 /etc/postfix/sql-transport.cf

admin@vserver:/etc/dovecot$ ls -l /etc/dovecot/dovecot-sql-master.conf.ext 
-rw-r--r-- 1 root root 5615 Nov  1 02:41 /etc/dovecot/dovecot-sql-master.conf.ext

admin@vserver:/etc/dovecot$ ls -l /usr/local/bin/postlogin.sh 
-rwxr-xr-x 1 root root 260 Nov  1 02:41 /usr/local/bin/postlogin.sh

admin@vserver:/etc/dovecot$ ls -l /etc/opendkim.conf
-rw-r--r-- 1 root root 3304 Nov  1 02:39 /etc/opendkim.conf

tomcrus001 commented 4 years ago

Note for the file /usr/local/bin/postlogin.sh: this was already mentioned some time ago: postlogin.sh script is public read and should not be

Also note about this script file's usage of mysql-command: Annoing warning in error log with mysql DB

tomcrus001 commented 4 years ago

Note also that most probably it doesn't suffice to just remove all those world-readable permissions, as this will lead to some services ceasing to work due to misconfiguration

tonioo commented 4 years ago

@tomcrus001 I think we can modify permissions of most files and remove the read flag for group and other categories. The settings.py file is a special case since management commands are not always run by the root user. I guess we can remove the read flag for others but leave it for group, but it requires checking whether every involved user is in the modoboa group.
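
A read-only audit of the files named in this thread, as an added example that is not part of the issue or of modoboa-installer. The per-file masks in `POLICY` are assumptions based on the maintainer's comment (owner-only for most files, group read kept for settings.py); the script only reports and changes nothing, since tightening modes can stop services as noted above.

```python
#!/usr/bin/env python3
"""Report files from this issue that carry more permission bits than a policy allows."""
import glob
import os
import stat

# Assumed policy (not the installer's own): the permission bits each file may carry.
# settings.py keeps group read; every other file is limited to its owner.
POLICY = {
    "/srv/modoboa/instance/instance/settings.py": 0o640,
    "/etc/postfix/sql-*.cf": 0o600,
    "/etc/dovecot/dovecot-sql-master.conf.ext": 0o600,
    "/usr/local/bin/postlogin.sh": 0o700,
    "/etc/opendkim.conf": 0o600,
}


def excess_bits(path, allowed):
    """Return the permission bits set on path that the allowed mask does not permit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)  # follows symlinks, so the target is audited
    return mode & ~allowed & 0o7777


def audit(policy):
    """Expand each glob pattern and return [(path, mode, excess)] for violating files."""
    findings = []
    for pattern, allowed in policy.items():
        for path in sorted(glob.glob(pattern)):
            extra = excess_bits(path, allowed)
            if extra:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append((path, mode, extra))
    return findings


if __name__ == "__main__":
    for path, mode, extra in audit(POLICY):
        # Flag the specific problem raised in the issue: the "other" read bit.
        world = " WORLD-READABLE" if extra & stat.S_IROTH else ""
        print(f"{path}: mode {mode:04o}, excess bits {extra:04o}{world}")
```

Before changing any mode based on this report, confirm which user each service reads the file as, and for settings.py that every account running management commands is in the modoboa group.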