Hi friends,
My company is currently using Exchange Servers for its mail server solution, but now they want to move to Linux servers due to the heavy cost involved with the Exchange users. We will be using the latest version of CentOS.
So the kind of solution we are looking for is below:
a) Postfix or Sendmail as MTA.
b) Dovecot or Cyrus IMAP with quota as POP & IMAP server.
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
d) Global Address Book on LDAP or any other.
e) Using Samba/LDAP for client authentication.
The part we are most concerned about is (c), as we don't want any user to be able to read any other user's mail, including root.
Regards
Ankush
ankush grover wrote:
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
You can do that with SELinux... you would have to limit filesystem access AND user access so that root can't just su to a user and access it from there.
But someone who has physical access to the server will be able to get access. Administrative routines need access too, for stuff like backup and restore.
So for c) I would limit what I can and then have audit routines to map usage.
Morten Torstensen wrote:
ankush grover wrote:
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
You can do that with SELinux... you would have to limit filesystem access AND user access so that root can't just su to a user and access it from there.
But someone who has physical access to the server will be able to get access. Administrative routines need access too, for stuff like backup and restore.
So for c) I would limit what I can and then have audit routines to map usage.
and limit root so he can't disable SELinux?
ummmmmm. right.
and, as Morten points out, backup needs access to maildir (and of course, anyone with physical access to the backup media will have access to the mail on them too)
Only thing I can think of... set up the administrators' 'normal' accounts to have specific sudo rules for _all_ 'normal' administrative activities, and put the real root password on a slip of paper in a sealed envelope in the key escrow safe that requires 3 people's combinations to open. And hope nothing goes wrong.
John R Pierce wrote:
Morten Torstensen wrote:
ankush grover wrote:
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
You can do that with SELinux... you would have to limit filesystem access AND user access so that root can't just su to a user and access it from there.
But someone who has physical access to the server will be able to get access. Administrative routines need access too, for stuff like backup and restore.
So for c) I would limit what I can and then have audit routines to map usage.
and limit root so he can't disable SELinux?
ummmmmm. right.
and, as Morten points out, backup needs access to maildir (and of course, anyone with physical access to the backup media will have access to the mail on them too)
Only thing I can think of... set up the administrators' 'normal' accounts to have specific sudo rules for _all_ 'normal' administrative activities, and put the real root password on a slip of paper in a sealed envelope in the key escrow safe that requires 3 people's combinations to open. And hope nothing goes wrong.
Isn't all this just a little bit like expecting the doctor to address one's hemorrhoids without dropping one's skivvies? "Lord, deliver me from idiots in high places. Amen".
Clearly, if management can't trust the Admin, then both have a problem.
Robert wrote:
Isn't all this just a little bit like expecting the doctor to address one's hemorrhoids without dropping one's skivvies? "Lord, deliver me from idiots in high places. Amen".
Yeah, but I don't think the managers really asked for root not being able to read mail. They maybe wanted to make sure root could not read mail through IMAP/POP. Or maybe something else...
Maybe some Exchange brochure contains some blurb that says "Only allow users to read mail"... what do I know.
But even if you can take steps to block out root, he is God on the system any way you turn it.
Limit what you can, do what is sensible, and create an audit trail.
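Morten's advice here, and in his earlier reply, comes down to limiting what you can and then auditing what root actually does. The following is an added example, not code from this thread or from any CentOS package: a small Python script that reads auditd-style records produced by a watch on the mail directories and reports every open of a Maildir by someone other than its owner. It attributes the access to the login uid (auid), which survives `su`, so an administrator who switches to the victim's account is still reported under his own name. The sample log lines, the uid table, the `/home/<user>/Maildir` layout, the `maildir` rule key and the allowlisted binaries are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs) in the shape auditd writes to
# /var/log/audit/audit.log after a watch rule such as `-w /home -p r -k maildir`;
# the watch path and the "maildir" key are assumptions made for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1174213200.101:301): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2201 auid=4294967295 uid=0 gid=0 euid=0 comm="dovecot" exe="/usr/sbin/dovecot" key="maildir"
type=PATH msg=audit(1174213200.101:301): item=0 name="/home/alice/Maildir/cur/1174213100.M1P2200.mail:2,S" mode=0100600 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1174213260.202:302): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1900 pid=2310 auid=0 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="maildir"
type=PATH msg=audit(1174213260.202:302): item=0 name="/home/alice/Maildir/new/1174213250.M5P2300.mail" mode=0100600 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1174213320.303:303): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2400 pid=2411 auid=1002 uid=1001 gid=1001 euid=1001 comm="less" exe="/usr/bin/less" key="maildir"
type=PATH msg=audit(1174213320.303:303): item=0 name="/home/alice/Maildir/cur/1174213100.M1P2200.mail:2,S" mode=0100600 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1174213380.404:304): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2500 pid=2512 auid=1001 uid=1001 gid=1001 euid=1001 comm="mutt" exe="/usr/bin/mutt" key="maildir"
type=PATH msg=audit(1174213380.404:304): item=0 name="/home/alice/Maildir/cur/1174213100.M1P2200.mail:2,S" mode=0100600 ouid=1001 ogid=1001
"""

UID_NAMES = {0: "root", 1001: "alice", 1002: "bob"}  # constructed; real code would use pwd.getpwuid()
UNSET_AUID = 4294967295  # auditd's "no login uid", seen on daemons started at boot
ALLOWED_EXES = {"/usr/sbin/dovecot", "/usr/bin/rsync"}  # assumed: the IMAP server and the backup job

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
MAILDIR_RE = re.compile(r"^/home/([^/]+)/Maildir(?:/|$)")  # assumed Maildir layout


def parse_events(text):
    """Group the SYSCALL and PATH records of each audit event by its serial number."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[serial]["syscall"] = fields
        elif fields.get("type") == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))
    return events


def find_cross_user_reads(text):
    """Return (serial, actor, owner, path, exe) for each successful open of a Maildir
    by someone other than its owner, skipping the allowlisted service binaries."""
    findings = []
    for serial, ev in sorted(parse_events(text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != "maildir" or sc.get("success") != "yes":
            continue
        if sc.get("exe") in ALLOWED_EXES:
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        # The login uid survives `su`: bob running `su alice; less ...` has uid=1001 but auid=1002.
        actor_uid = uid if auid == UNSET_AUID else auid
        actor = UID_NAMES.get(actor_uid, str(actor_uid))
        for path in ev["paths"]:
            m = MAILDIR_RE.match(path)
            if m and m.group(1) != actor:
                findings.append((serial, actor, m.group(1), path, sc.get("exe")))
    return findings


if __name__ == "__main__":
    for serial, actor, owner, path, exe in find_cross_user_reads(SAMPLE_AUDIT_LOG):
        print(f"event {serial}: {actor} opened {owner}'s mail with {exe}: {path}")
```

On the constructed log this reports events 302 (root reading alice's mail with cat) and 303 (bob, after `su alice`, reading it with less), and stays quiet about dovecot and about alice reading her own mail. Two points a practitioner would pair with it: load the rules with `auditctl -e 2` so they become immutable until the next reboot, and forward the audit log to another host, since root on the mail server can otherwise stop auditd or edit the log. The exe allowlist is only a tripwire, because root controls those paths too; that is exactly why the thread treats auditing as a complement to trusting the administrator rather than a substitute for it.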
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
The part we are most concerned about is (c), as we don't want any user to be able to read any other user's mail, including root.
What is the point of having an administrator that you cannot trust?
How are you going to recover mail, say, in case a user leaves or is otherwise incapable of digging out the mail for the company?
Do you lock the Exchange administrator out of all users' mail too?
Feizhou wrote:
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
The part we are most concerned about is (c), as we don't want any user to be able to read any other user's mail, including root.
What is the point of having an administrator that you cannot trust?
How are you going to recover mail, say, in case a user leaves or is otherwise incapable of digging out the mail for the company?
Do you lock the Exchange administrator out of all users' mail too?
Fred's forgotten his password. What now?
On Sun, Mar 18, 2007 at 12:57:21PM +0530, ankush grover wrote:
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
I think the real answer here is "be more careful who has root access".
ankush grover wrote:
Hi friends,
My company is currently using Exchange Servers for its mail server solution, but now they want to move to Linux servers due to the heavy cost involved with the Exchange users. We will be using the latest version of CentOS.
So the kind of solution we are looking for is below:
a) Postfix or Sendmail as MTA.
b) Dovecot or Cyrus IMAP with quota as POP & IMAP server.
c) Security of Maildir, meaning even the root user should not be able to read any user's mail.
How could you back it up?
d) Global Address Book on LDAP or any other.
e) Using Samba/LDAP for client authentication.
You can authenticate against AD.
In principle you could use standard LDAP tools to extract the info and insert it into OpenLDAP, but I don't know about passwords, and probably you will want to keep AD anyway.
The part we are most concerned about is (c), as we don't want any user to be able to read any other user's mail, including root.
Root must be able to "become" the IMAP server, otherwise you couldn't start it. Being able to do that, even if root couldn't read the mail directly, it would be possible via "su cyrus".
Is this less secure than Windows? Give me the right to boot a CD of my choice and five minutes and we'll see.
On Monday, 19.03.2007, 05:40 +0900, John Summerfield wrote:
You can authenticate against AD.
In principle you could use standard LDAP tools to extract the info and insert it into OpenLDAP, but I don't know about passwords, and probably you will want to keep AD anyway.
AD is more or less LDAP + Kerberos 5; you can always use nss_winbindd or nss_ldap (which requires MSSFU schema extensions in the AD) + pam_krb5, or even a kerberized mail server, to do authentication. In fact you can even forget the NSS stuff if you use a mail server that doesn't require users to have a system account (e.g. cyrus-imapd).
You *cannot* forbid root to do anything. And if you could, you wouldn't want to. The only way I could think of is encrypting the mailstore with the user's password, but if a user forgets his password you're lost.
kind regards, Andreas Rogge
On Sun, 2007-03-18 at 22:09 +0100, Andreas Rogge wrote:
On Monday, 19.03.2007, 05:40 +0900, John Summerfield wrote:
You can authenticate against AD.
In principle you could use standard LDAP tools to extract the info and insert it into OpenLDAP, but I don't know about passwords, and probably you will want to keep AD anyway.
AD is more or less LDAP + Kerberos 5; you can always use nss_winbindd or nss_ldap (which requires MSSFU schema extensions in the AD) + pam_krb5, or even a kerberized mail server, to do authentication. In fact you can even forget the NSS stuff if you use a mail server that doesn't require users to have a system account (e.g. cyrus-imapd).
You *cannot* forbid root to do anything. And if you could, you wouldn't want to. The only way I could think of is encrypting the mailstore with the user's password, but if a user forgets his password you're lost.
This is what some commercial e-mail systems do... though the mail server itself has access to the key, and so it's possible for a resourceful administrator to read the mail anyway.
Even if you could keep root from accessing the files unencrypted, if you are authenticating against OpenLDAP it would be possible for the administrator to save off the current password, change it to something they know, read the mail and then set it back.
I can't think of a work-around to root reading the mail unless it arrives at the server PGP encrypted with a private key and decrypted at the client. So the only way you could pull it off is to configure clients to only send messages PGP encrypted internally, a bit of work.
Regards, Paul Berger
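Andreas's point (a mailstore encrypted with the user's password cannot be recovered once the password is forgotten) and Paul's two caveats (a key held by the server is readable by its administrator, and an administrator who controls the directory can reset a password, read the mail and put the old password back) can be made concrete. What follows is an added example, not code from this thread or from any mail server: two toy mailstore designs in Python, one keeping each mailbox key on the server, the other wrapping it under a key derived from the user's password, with the password-reset scenario run against each. The cipher is a stdlib-only HMAC-based construction chosen so the example runs without third-party packages; the Directory class standing in for OpenLDAP, the user names, messages and key layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def derive_key(password, salt):
    """Password -> 32-byte key; only someone who knows the password can repeat this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with an HMAC-SHA256 counter keystream (stdlib-only illustration;
    a real deployment would use a vetted AEAD such as AES-GCM)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the key is wrong or the data was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted mailbox")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Directory:
    """Stand-in for the OpenLDAP directory: salted password hashes the LDAP admin can overwrite."""
    def __init__(self):
        self.entries = {}  # user -> (salt, hash)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.entries[user] = (salt, derive_key(password, salt))

    def check(self, user, password):
        salt, stored = self.entries[user]
        return hmac.compare_digest(stored, derive_key(password, salt))


class ServerKeyMailstore:
    """Design 1 (Paul's first caveat): the server holds every mailbox key itself."""
    def __init__(self, directory):
        self.directory, self.keystore, self.mailboxes = directory, {}, {}

    def create_user(self, user):
        self.keystore[user] = secrets.token_bytes(32)  # on disk, readable by root
        self.mailboxes[user] = []

    def deliver(self, user, message):
        self.mailboxes[user].append(seal(self.keystore[user], message))

    def read(self, user, password):
        if not self.directory.check(user, password):
            raise PermissionError("authentication failed")
        return [unseal(self.keystore[user], m) for m in self.mailboxes[user]]


class UserKeyMailstore:
    """Design 2 (Andreas): the mailbox key is wrapped under a key derived from the user's
    password, so the server stores nothing it can unwrap on its own."""
    def __init__(self):
        self.wrapped, self.mailboxes = {}, {}

    def create_user(self, user, password):
        mailbox_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
        self.wrapped[user] = (salt, seal(derive_key(password, salt), mailbox_key))
        self.mailboxes[user] = []
        return mailbox_key

    def unlock(self, user, password):
        salt, blob = self.wrapped[user]
        return unseal(derive_key(password, salt), blob)  # ValueError on a wrong password

    def deliver(self, user, mailbox_key, message):
        # Delivery still needs the mailbox key to encrypt incoming mail; with a symmetric
        # key that is the remaining gap, which is what Paul's client-side PGP variant avoids.
        self.mailboxes[user].append(seal(mailbox_key, message))

    def read(self, user, password):
        key = self.unlock(user, password)
        return [unseal(key, m) for m in self.mailboxes[user]]


def scenario_server_key():
    """Paul's reset trick against design 1: overwrite alice's directory password, read, restore."""
    directory = Directory()
    directory.set_password("alice", "alice-secret")
    store = ServerKeyMailstore(directory)
    store.create_user("alice")
    store.deliver("alice", b"Q1 numbers attached")
    saved = directory.entries["alice"]               # admin copies the real hash aside
    directory.set_password("alice", "admin-knows-this")
    seen = store.read("alice", "admin-knows-this")   # succeeds: the server holds the key
    directory.entries["alice"] = saved               # restore; alice never notices
    return seen


def scenario_user_key():
    """The same trick fails against design 2, and so does alice once she forgets her password."""
    store = UserKeyMailstore()
    key = store.create_user("alice", "alice-secret")
    store.deliver("alice", key, b"Q1 numbers attached")
    result = {}
    try:
        store.read("alice", "admin-knows-this")      # reset value: wrong unwrap key
        result["admin_reset_read"] = True
    except ValueError:
        result["admin_reset_read"] = False
    result["owner_read"] = store.read("alice", "alice-secret") == [b"Q1 numbers attached"]
    try:
        store.read("alice", "password123")           # a guess; the real password is forgotten
        result["forgotten_read"] = True
    except ValueError:
        result["forgotten_read"] = False
    return result
```

Running the two scenario functions shows the trade-off the thread describes: against ServerKeyMailstore the reset trick returns alice's mail and leaves the directory exactly as it was, while against UserKeyMailstore the reset value fails to unwrap the key, and so does any password alice no longer remembers, with no recovery path for the company. The unwrapped key is also only ever in memory while alice is reading, which is the property Andreas was after; the delivery agent, however, must still hold the mailbox key to encrypt new mail, which is the gap Paul's suggestion of PGP at the clients is meant to close.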
Subject: Re: [CentOS] Need help in securing maildir so that root user should not be able to read any other user's mail
I can only think of one mechanism that might work in the correct environment. Put the mail server on its own machine which does nothing else but serve the mail. Get everything running, disallow NFS mounts, and scramble the root password so effectively there is no root account. Now root can not access other people's mailboxes because there is no root.
When you have to do system maintenance, you will have to boot from CD, fix the root account, reboot and do the maintenance. The sysadmin will do the maintenance from a checklist while a large Marine guard with an M16 follows along. When done, scramble the root password.
This would only work in a physically secure environment. The idea being that there has to be several people watching while root does any work.
There are secure ways of setting up Linux where there is no real root.
Bob Styma
When you have to do system maintenance, you will have to boot from CD, fix the root account, reboot and do the maintenance. The sysadmin will do the maintenance from a checklist while a large Marine guard with an M16 follows along. When done, scramble the root password.
Boot from CD?!?! Linux single is all you need.
A large Marine guard? Man, this must be a joke post, right? Where is the smiley? Bring along a clueless Marine armed with an M16?
Subject: Re: [CentOS] Need help in securing maildir so that root user should not be able to read any other user's mail
When you have to do system maintenance, you will have to boot from CD, fix the root account, reboot and do the maintenance. The sysadmin will do the maintenance from a checklist while a large Marine guard with an M16 follows along. When done, scramble the root password.
Boot from CD?!?! Linux single is all you need.
A large Marine guard? Man, this must be a joke post, right? Where is the smiley? Bring along a clueless Marine armed with an M16?
True, there was humor mixed in with the suggestion. The Marine part comes from tales some friends of mine told who worked with nuclear weapons while they were in the service. Whenever maintenance was being applied, two soldiers with M16's were watching them and had copies of the checklist. The idea was to avoid any funny business.
Assuming you do now wish to use a secure "rootless" system, disabling root except when doing system maintenance and having someone observing the system admin is a way to get the job done. You cannot just go to single user mode because going to single user normally requires you to enter the root password. With the root account disabled or having a scrambled password, you will not be able to do this. Thus the suggestion of using the boot CD.
Of course if access to the machine is not secure, you have to talk about encrypting the contents with passwords only the users have.
Bob Styma
On Tuesday 20 March 2007 06:45 am, Styma, Robert E (Robert) wrote:
You cannot just go to single user mode because going to single user normally requires you to enter the root password.
I can't test now; I don't have a local CentOS system, but I don't remember ever needing a password to get into single mode on any Linux system. Am I right, or is my brain falling apart?
Of course if access to the machine is not secure, you have to talk about encrypting the contents with passwords only the users have.
I can't speak for the OP but our machines are secure; to get to them you need my access card, my lock combination, and my hand <smile>. But if the machines aren't physically secure it's quite easy to get into them without a password.
Jeff
On Tuesday 20 March 2007 06:45 am, Styma, Robert E (Robert) wrote:
You cannot just go to single user mode because going to single user normally requires you to enter the root password.
I can't test now; I don't have a local CentOS system, but I don't remember ever needing a password to get into single mode on any Linux system. Am I right, or is my brain falling apart?
I could be confused. I jump back and forth between Linux, Solaris, and HP/UX.
Of course if access to the machine is not secure, you have to talk about encrypting the contents with passwords only the users have.
I can't speak for the OP but our machines are secure; to get to them you need my access card, my lock combination, and my hand <smile>. But if the machines aren't physically secure it's quite easy to get into them without a password.
That is an important consideration. One of the basic assumptions on Unix systems (other than the rootless ones) is that the person with root access is to be trusted. When you change that assumption, you have to fall back on other mechanisms to secure whatever it is you need to secure. If you are just trying to stop a bored sysadmin, there are things that can be done. If you are trying to stop the NSA or CIA, you have your work cut out for you.
Requiring several people to be present tends to keep people honest.
On Tue, Mar 20, 2007 at 12:44:05PM -0500, Styma, Robert E (Robert) wrote:
You cannot just go to single user mode because going to single user normally requires you to enter the root password.
I can't test now; I don't have a local CentOS system, but I don't remember ever needing a password to get into single mode on any Linux system. Am I right, or is my brain falling apart?
I could be confused. I jump back and forth between Linux, Solaris, and HP/UX.
Default is no password, but you *should* set a grub password.
Matthew Miller wrote:
On Tue, Mar 20, 2007 at 12:44:05PM -0500, Styma, Robert E (Robert) wrote:
You cannot just go to single user mode because going to single user normally requires you to enter the root password.
I can't test now; I don't have a local CentOS system, but I don't remember ever needing a password to get into single mode on any Linux system. Am I right, or is my brain falling apart?
I could be confused. I jump back and forth between Linux, Solaris, and HP/UX.
Default is no password, but you *should* set a grub password.
Which means that someone has to go to all the bother of booting an install CD in rescue mode to get access without the password. Or if you set a bios password, you have to pull the drive and move to a different box - or use the motherboard jumper to clear the bios settings. If you don't have physical security you don't get much from the extra password layers.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Matthew Miller
Sent: Tuesday, March 20, 2007 10:52 AM
To: CentOS mailing list
Subject: Re: [CentOS] Need help in securing maildir so that root user should not be able to read any other user's mail
On Tue, Mar 20, 2007 at 12:44:05PM -0500, Styma, Robert E (Robert) wrote:
You cannot just go to single user mode because going to single user normally requires you to enter the root password.
I can't test now; I don't have a local CentOS system, but I don't remember ever needing a password to get into single mode on any Linux system. Am I right, or is my brain falling apart?
I could be confused. I jump back and forth between Linux, Solaris, and HP/UX.
Default is no password, but you *should* set a grub password.
In general, you have to be root already to issue an init or telinit command.