Topic: protecting configuration and log files
I found that many configuration files of iRedMail applications are world-readable. The configuration files contain the username and password of MySQL and LDAP, so someone who has access to your server (it could be a web hosting user or an attacker who compromised some unpatched web application) can compromise the backend of iRedMail (MySQL or LDAP).
I also found that iRedAPD log files are world-readable. If the logging level is set to debug, it logs LDIF information of the recipient, which includes the password hash of the user.
Here is a list of configuration files that need to be protected and what I did to fix them.
/etc/dovecot-ldap.conf
Fix:
chmod 600 /etc/dovecot-ldap.conf
/etc/httpd/conf.d/awstats.conf
Fix:
chmod 600 /etc/httpd/conf.d/awstats.conf
/etc/postfix/ldap_catch_all_maps.cf
/etc/postfix/ldap_virtual_mailbox_maps.cf
/etc/postfix/ldap_recipient_bcc_maps_user.cf
/etc/postfix/ldap_virtual_mailbox_domains.cf
/etc/postfix/ldap_recipient_bcc_maps_domain.cf
/etc/postfix/ldap_sender_bcc_maps_domain.cf
/etc/postfix/ldap_virtual_group_maps.cf
/etc/postfix/ldap_transport_maps_domain.cf
/etc/postfix/ldap_transport_maps_user.cf
/etc/postfix/ldap_sender_bcc_maps_user.cf
/etc/postfix/ldap_relay_domains.cf
/etc/postfix/ldap_sender_login_maps.cf
/etc/postfix/ldap_virtual_alias_maps.cf
Fix:
1. chgrp postfix /etc/postfix/ldap*.cf
2. chmod 640 /etc/postfix/ldap*.cf
/etc/postfix/mysql_catch_all_maps.cf
/etc/postfix/mysql_virtual_mailbox_maps.cf
/etc/postfix/mysql_recipient_bcc_maps_user.cf
/etc/postfix/mysql_virtual_mailbox_domains.cf
/etc/postfix/mysql_recipient_bcc_maps_domain.cf
/etc/postfix/mysql_sender_bcc_maps_domain.cf
/etc/postfix/mysql_virtual_group_maps.cf
/etc/postfix/mysql_transport_maps_domain.cf
/etc/postfix/mysql_transport_maps_user.cf
/etc/postfix/mysql_sender_bcc_maps_user.cf
/etc/postfix/mysql_relay_domains.cf
/etc/postfix/mysql_sender_login_maps.cf
/etc/postfix/mysql_virtual_alias_maps.cf
Fix:
1. chgrp postfix /etc/postfix/mysql*.cf
2. chmod 640 /etc/postfix/mysql*.cf
/opt/iRedAPD-x.y.z/etc/iredapd.ini
/opt/iRedAPD-x.y.z/etc/iredapd-rr.ini
Fix:
chmod 600 /opt/iRedAPD-x.y.z/etc/iredapd*ini
/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php
Fix:
Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable to the password of MySQL/LDAP. So we don't need to chmod this file, just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).
$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";
/var/www/iredadmin/settings.ini
Fix: Since iRedAdmin runs inside Apache, it runs as the apache user and we can't chmod the file to 600. The solution I chose is using WSGI daemon mode to make iRedAdmin run as a non-apache user, and then we can chown and chmod settings.ini to 600 mode.
This short 2-minute video shows how to do it: http://www.youtube.com/watch?v=o285XYJTGQw
/var/www/roundcubemail-x.y.z/config/main.inc.php
/var/www/roundcubemail-x.y.z/config/db.inc.php
Fix: This is a similar problem to iRedAdmin. The solution I chose is using suPHP to make Roundcube run as a non-apache user and then chown and chmod the files to 600 mode. This short video shows how to do it: http://www.youtube.com/watch?v=V2dq0SMAb0k
After the configuration files, here are the log files that need to be protected:
/var/log/iredapd.log
/var/log/iredapd-rr.log
To fix it, chmoding those files does not solve the problem. So I added one line:
os.umask(077)  # Python 2 octal literal (0o77 in Python 3): files created afterwards get mode 600
to /opt/iredapd/src/iredapd.py and /opt/iredapd/src/iredapd-rr.py after "def main():" and before "# Chroot in current directory".
Then I removed those log files and restarted iredapd and iredapd-rr to force creation of new log files with 600 mode permissions.
I know that changing source files is not recommended, but it is just a quick one-liner fix.
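As an added example (not part of the original post), the script below audits the files listed above for the world-readable bit and shows why the umask change makes a freshly created log file private. It uses only POSIX ls, cut and umask, so it does not depend on GNU stat; the version placeholders in the paths are kept as the post has them.

```shell
#!/bin/sh
# Added example: audit iRedMail config/log files for "other-readable" permissions.

# Return 0 if the file exists and is readable by "other", 1 otherwise.
is_world_readable() {
    [ -e "$1" ] || return 1
    # The 8th character of the ls -ld mode string is the other-read bit ("r" or "-").
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given as an argument and print offenders.
# Returns the number of world-readable files found (0 means all private).
audit_private_files() {
    bad=0
    for f in "$@"; do
        if is_world_readable "$f"; then
            echo "WORLD-READABLE: $f"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Create a file the way the patched iredapd does after os.umask(077).
# The umask is set inside a subshell, so the caller's umask is untouched.
create_private_log() {
    ( umask 077 && : > "$1" )
}

# Paths from the post; globs expand to the individual Postfix map files.
IREDMAIL_SENSITIVE_FILES="/etc/dovecot-ldap.conf /etc/httpd/conf.d/awstats.conf
/etc/postfix/ldap_*.cf /etc/postfix/mysql_*.cf
/opt/iRedAPD-x.y.z/etc/iredapd.ini /opt/iRedAPD-x.y.z/etc/iredapd-rr.ini
/var/www/iredadmin/settings.ini /var/log/iredapd.log /var/log/iredapd-rr.log"

# Run as root on the mail server: with no arguments the list above is audited
# when IREDMAIL_AUDIT_DEFAULT=1 is set; otherwise audit the paths given.
if [ "$#" -gt 0 ]; then
    audit_private_files "$@"
elif [ "${IREDMAIL_AUDIT_DEFAULT:-0}" = 1 ]; then
    audit_private_files $IREDMAIL_SENSITIVE_FILES
fi
```

A non-zero exit status is the number of offending files, so the script can be wired into a cron job or configuration check that alerts when a package upgrade resets the permissions.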