If someone has root they can just read the email storage files, no
password needed.
We are discussing Dovecot with encrypted mail storage here.
If someone has root, and dovecot has no code showing passwords in
logs, the attacker can build THEIR OWN version of dovecot that
"key-logs" all passwords to a remote server WITHOUT displaying
passwords in the logs.
Please compare the time needed to: get in, enable debug logging, read
the log file with: get in, enable debug logging, realize it's not
working (some will stop here), consider your options, build THEIR OWN
version of dovecot that "key-logs" all passwords to a remote server
WITHOUT displaying passwords in the logs?
This is what people mean when they say if someone has root you have
bigger problems then dovecot logging.
I generally agree but only if the mail storage is unencrypted. With
encrypted storage I can think of many scenarios: corrupt law
enforcement, malicious freelance admin, social engineering tricks etc
etc etc when attackers will have not enough time/expertise to grab your
passwords.
On 2022-10-11 18:16, dove...@ptld.com wrote:
Yeah, it's such an obvious vulnerability, I'm kinda surprised most
people here don't see an issue with that.
What people are trying to explain is the scenario you describe
requires an attacker to have root privileges on the target server. If
someone has root access to a server then your fears are moot and the
suggestion to remove code logging passwords offers zero protection.
If someone has root they can just read the email storage files, no
password needed.
If someone has root, and dovecot has no code showing passwords in
logs, the attacker can build THEIR OWN version of dovecot that
"key-logs" all passwords to a remote server WITHOUT displaying
passwords in the logs.
This is what people mean when they say if someone has root you have
bigger problems then dovecot logging.
