Re: Roundcube
On 9/7/2023 17:00:51, joe a wrote:
> Any known issues with installing/running roundcube and dovecot on the same server?

Placing roundcube on its own server was one consideration, security breach being one concern. Interesting to see such differing opinions.

joe a.
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Roundcube
On 8/9/23 at 11:59, Marc wrote:
>>> Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with Linux? How frequent are exploits that give you root?
>>
>> I was responding to jeremy ardley considering root access gained.
>>
>> Apart from this, privilege escalation is a real threat:
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation
>
> This link is crap, did you even read a few items on this page? Put then a link to the apache httpd root access. Fact still remains that nobody here on this list has eternal life nor eternal resources, so you would be stupid to focus on your webserver root access exploit instead of roundcube. Next to that, it is more common these days to use containers so there is not even a webserver that runs root.

If roundcube/dovecot is in discussion, we can't assume the rest of the environment is secure and well-configured: webserver, kernel, DB server, etc. Then we need to work on good measures so as not to rely on "everything will be optimal because everybody did a good job". And we can't assume Roundcube is perfect, same as Dovecot. Give time to time.

-- 
I'm using this express-made address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
RE: Roundcube
> > Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with Linux? How frequent are exploits that give you root?
>
> I was responding to jeremy ardley considering root access gained.
>
> Apart from this, privilege escalation is a real threat:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation
>

This link is crap, did you even read a few items on this page? Put then a link to the apache httpd root access. Fact still remains that nobody here on this list has eternal life nor eternal resources, so you would be stupid to focus on your webserver root access exploit instead of roundcube. Next to that, it is more common these days to use containers so there is not even a webserver that runs root.
RE: Roundcube
> A web search on 'linux web server exploits that gain root' will give many examples.

No, not. And you better get your info for this type of stuff from CVE websites or the apache vulnerability list.

> Security design by first principle assumes that an attacker will gain root access.

I would not know. Logical deduction of the topic question 'when roundcube gets hacked' does not include all this. The OP is correct with his question. The risk of having an undetected exploit in roundcube code is probably >1x than something with the webserver software.

> Best practise is to limit the damage that can cause. The usual way to limit it is put all public facing systems in a DMZ and have a very carefully controlled access from them to an internal private network. The access control is performed by systems that cannot be controlled by a breached public facing server, e.g. router firewalls.
>

How does stating something so obvious but irrelevant contribute?
Re: Roundcube
On 2023-09-08, Marc wrote:
> Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with Linux? How frequent are exploits that give you root?

I was responding to jeremy ardley considering root access gained.

Apart from this, privilege escalation is a real threat:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=privilege+escalation
Re: Roundcube
On 8/9/23 16:24, Marc wrote:
> Since when does a hacked website gain root?

A web search on 'linux web server exploits that gain root' will give many examples.

Security design by first principle assumes that an attacker will gain root access. Best practise is to limit the damage that can cause. The usual way to limit it is put all public facing systems in a DMZ and have a very carefully controlled access from them to an internal private network. The access control is performed by systems that cannot be controlled by a breached public facing server, e.g. router firewalls.
RE: Roundcube
> There is a generic issue with doing this. That is if you have roundcube (or any other web mail interface) on the same server as dovecot, a breach of the web interface could be quite serious and allow access to the complete mail store.

No, this is crap. User/group are preventing this. The only risk you have when roundcube is hacked is that any user logging in after this hack can have his mailbox accessed (grabbed userid/passwd). So users not even using this roundcube have no problem at all.
RE: Roundcube
> On 2023-09-08, jeremy ardley via dovecot wrote:
> > The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
> >
> > If the web service is compromised to that extent then the mail file store is also compromised.
> >
> > If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
> >
> > When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well
>
> But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter.
>

Since when does a hacked website gain root? What argument is next, when your storage solution is hacked they have access to your files? Are you not working with Linux? How frequent are exploits that give you root? You can even run the webserver without root, because you only need the Linux capability for binding low ports. So if your webserver process does not even run as root, how can it gain it?
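The two replies from Marc above rest on two host-local properties: the mail store is owned by a separate user/group that the web server uid cannot read, and the web server does not need root because binding ports 80/443 only requires CAP_NET_BIND_SERVICE. The script below is an added example for checking both; it is not code from the thread or from the Roundcube or Dovecot projects. The maildir path, the user names `vmail` and `www-data`, and the getcap lines fed to it are assumptions and constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread or from Roundcube/Dovecot).
# Checks the two properties a shared Roundcube+Dovecot host relies on:
#   1. the Dovecot mail store (assumed owner: vmail) carries no group/other
#      read bits, so the web server uid (assumed: www-data) cannot read it
#      even though it is on the same filesystem;
#   2. the web server binary holds only cap_net_bind_service, i.e. it can
#      bind 80/443 without running as root.
# Maildir path, user/group names and the getcap lines are constructed
# sample input. stat(1) does not show POSIX ACLs; audit those separately.

# mailstore_readable_by DIR USER GROUP
# Exit 0 if a process running as USER (primary group GROUP) could read DIR,
# judged from owner, group and mode bits alone (no ACLs, no root, no caps).
mailstore_readable_by() {
    dir=$1; user=$2; group=$3
    info=$(stat -c '%U %G %a' "$dir" 2>/dev/null) || return 2
    set -- $info
    owner=$1; grp=$2; mode=$3
    # keep the last three octal digits; a leading setgid/sticky digit is dropped
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    if [ "$owner" = "$user" ]; then
        bits=$(printf '%s' "$mode" | cut -c1)
    elif [ "$grp" = "$group" ]; then
        bits=$(printf '%s' "$mode" | cut -c2)
    else
        bits=$(printf '%s' "$mode" | cut -c3)
    fi
    [ $((bits & 4)) -ne 0 ]
}

# caps_bind_only GETCAP_LINE
# Exit 0 if a getcap(8) output line grants exactly cap_net_bind_service and
# nothing else. Accepts both output styles:
#   /usr/sbin/nginx cap_net_bind_service=ep       (newer libcap)
#   /usr/sbin/nginx = cap_net_bind_service+ep     (older libcap)
caps_bind_only() {
    caps=$(printf '%s' "$1" | sed -e 's/^[^[:space:]]*[[:space:]]*//' \
                                  -e 's/^=[[:space:]]*//' \
                                  -e 's/[=+][a-z]*$//')
    [ -n "$caps" ] || return 1          # no file capabilities at all
    old_ifs=$IFS; IFS=','
    for c in $caps; do
        if [ "$c" != "cap_net_bind_service" ]; then
            IFS=$old_ifs; return 1      # some other capability is present
        fi
    done
    IFS=$old_ifs
    return 0
}

# Demo on constructed input. The maildir is created under the current user
# (an unprivileged script cannot chown to vmail), so "www-data" is evaluated
# through the "other" bits, exactly the case Marc's argument depends on.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/Maildir" && chmod 700 "$tmp/Maildir"
    if mailstore_readable_by "$tmp/Maildir" www-data www-data; then
        echo "0700 maildir: readable by www-data (BAD)"
    else
        echo "0700 maildir: not readable by www-data (ok)"
    fi
    chmod 755 "$tmp/Maildir"
    if mailstore_readable_by "$tmp/Maildir" www-data www-data; then
        echo "0755 maildir: readable by www-data (BAD)"
    fi
    rm -rf "$tmp"
    caps_bind_only "/usr/sbin/nginx cap_net_bind_service=ep" \
        && echo "nginx caps: bind-only (ok)"
    caps_bind_only "/usr/sbin/nginx cap_net_bind_service,cap_dac_override=ep" \
        || echo "nginx caps: more than bind (BAD)"
}
demo
```

On a real host you would point `mailstore_readable_by` at the directory named by Dovecot's `mail_location` with the web server's actual user and group, and feed `caps_bind_only` the output of `getcap` on the web server binary (or, with systemd, check the unit's `AmbientCapabilities=` instead of file capabilities). Neither check addresses the risk Marc does concede, credentials captured from users who log in through a compromised Roundcube; that is the same whether or not Dovecot is on the same box.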
Re: Roundcube
On 8/9/23 at 10:07, Michel Verdier wrote:
> On 2023-09-08, jeremy ardley via dovecot wrote:
>> The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
>>
>> If the web service is compromised to that extent then the mail file store is also compromised.
>>
>> If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
>>
>> When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well
>
> But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter.

In a webmail-only container, the only information an attacker can reach by gaining root permissions is what Roundcube stores:
- Logged-in account preferences (identifying used usernames)
- Data cache

Full mailbox data and the full accounts directory are stored on the MDA/IMAP server, not there. IMAP-only users are not compromised because of a remote webmail breach.

Another reason to separate software can be maintenance organisation:
- Separate administrators
- Update/upgrade OS as needed by one service but not the other

-- 
Narcis Garcia
I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
Re: Roundcube
On 2023-09-08, jeremy ardley via dovecot wrote:
> The scenario you describe does not consider a breach of the web mail service that allows root access to the file system.
>
> If the web service is compromised to that extent then the mail file store is also compromised.
>
> If the mail file store is on a different device then an exploit has to not only breach the web service on the interface device, it then has to breach the remote store. This will be extremely difficult compared to simply breaching a web server and locally exploiting it.
>
> When the dovecot server is on a remote system and correct firewalls are in place, then the attacker has to breach the imap protocols as well

But if root access is gained on the web server, root access is also gained on roundcube. And mails, the important thing to protect, can be freely read/deleted. At this point root access on the dovecot server does not matter.