From: Rocco Rutte Date: Sat, 4 Apr 2009 12:28:58 +0000 (+0200) Subject: Manual: Add a short chapter summarizing security considerations X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=43483582f54c3d6c9d04842e92bb3a03644b9037;p=neomutt Manual: Add a short chapter summarizing security considerations --- diff --git a/doc/Makefile.am b/doc/Makefile.am index 65d017659..eb5687693 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -31,7 +31,7 @@ EXTRA_DIST = dotlock.man \ HTML_DOCFILES = manual.html index.html intro.html gettingstarted.html \ configuration.html mimesupport.html advancedusage.html \ - optionalfeatures.html tuning.html reference.html miscellany.html + optionalfeatures.html security.html tuning.html reference.html miscellany.html BUILT_DISTFILES = stamp-doc-xml stamp-doc-chunked manual.txt $(HTML_DOCFILES) diff --git a/doc/manual.xml.head b/doc/manual.xml.head index 61f2e8c2f..6b4f12d50 100644 --- a/doc/manual.xml.head +++ b/doc/manual.xml.head 
@@ -7191,6 +7191,178 @@ for the latter syntax. EXACT_ADDRESS in the output of + +Security Considerations + + +First of all, Mutt contains no security holes included by intention but +may contain unknown security holes. As a consequence, please run Mutt +only with as few permissions as possible. Especially, do not run Mutt as +the super user. + + + +When configuring Mutt, there're some points to note about secure setups +so please read this chapter carefully. + + + +Passwords + + +Although Mutt can be told the various passwords for accounts, please +never store passwords in configuration files. Besides the fact that the +system's operator can always read them, you could forget to mask it out +when reporting a bug or asking for help via a mailing list. Even worse, +your mail including your password could be archived by internet search +engines, mail-to-news gateways etc. It may already too late before you +notice your mistake. + + + + + +Temporary Files + + +Mutt uses many temporary files for viewing messages, verifying digital +signatures, etc. As long as being used, these files are visible by other +users and maybe even readable in case of misconfiguration. Also, a +different location for these files may be desired which can be changed +via the $tmpdir variable. + + + + + +Information Leaks + + +Message-ID: headers + + +Message-Id: headers contain a local part that is to be created in a +unique fashion. In order to do so, Mutt will leak some +information to the outside world when sending messages: the generation +of this header includes a step counter which is increased (and rotated) +with every message sent. In a longer running mutt session, others can +make assumptions about your mailing habbits depending on the number of +messages sent. If this is not desired, the header can be manually +provided using $edit_headers (though not +recommended). 
+ + + + + +<literal>mailto:</literal>-style links + + +As Mutt be can be set up to be the mail client to handle +mailto: style links in websites, there're security +considerations, too. Arbitrary header fields can be embedded in these +links which could override existing header fields or attach arbitrary +files using the Attach: +psuedoheader. This may be problematic if the $edit-headers variable is +unset, i.e. the user doesn't want to see header +fields while editing the message and doesn't pay enough attention to the +compose menu's listing of attachments. + + + +For example, following a link like + + + +mailto:joe@host?Attach=~/.gnupg/secring.gpg + + +will send out the user's private gnupg keyring to +joe@host if the user doesn't follow the information +on screen carefully enough. + + + + + + + +External applications + + +Mutt in many places has to rely on external applications or for +convenience supports mechanisms involving external applications. + + + +mailcap + + +One of these is the mailcap mechanism as defined by +RfC1524. Mutt can be set up to automatically +execute any given utility as listed in one of the mailcap files (see the +$mailcap_path variable +for details.) + + + +These utilities may have a variety of security vulnerabilities, +including overwriting of arbitrary files, information leaks or other +exploitable bugs. These vulnerabilities may go unnoticed by the user, +especially when they are called automatically (and without interactive +prompting) from the mailcap file(s). When using Mutt's autoview +mechanism in combination with mailcap files, please be sure to... 
+ + + + + +manually select trustworth applications with a reasonable calling +sequence + + + + +periodically check the contents of mailcap files, especially after +software installations or upgrades + + + + +keep the software packages referenced in the mailcap file up to date + + + + +leave the $mailcap-sanitize +variable with its default value to restrict mailcap expandos to a safe set of +characters + + + + + + + +Other + + +Besides the mailcap mechanism, Mutt uses a number of other external +utilities for operation, for example to provide crypto support, in +backtick expansion in configuration files or format string filters. The +same security considerations apply for these as for tools involved via +mailcap. + + + + + + + + + Performance tuning
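Review bot: in doc/Makefile.am, the new "security.html" entry in HTML_DOCFILES only works if the chunked build produces a file of exactly that name for the new chapter. The chapter's id is not visible in this rendering of the manual.xml.head hunk, so please confirm it matches; otherwise BUILT_DISTFILES, which expands $(HTML_DOCFILES), will list a file that is never generated.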
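Review bot: the mailto: section in doc/manual.xml.head explains the Attach pseudoheader risk but leaves the reader without anything to do about it. The example "mailto:joe@host?Attach=~/.gnupg/secring.gpg" is clear, so follow it with a concrete recommendation, for instance to review the headers and the compose menu's attachment list before sending any message that was started from a link. The text already names the failure as the user who "doesn't pay enough attention to the compose menu's listing of attachments", and the advice should address that directly.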
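Review bot: in the Temporary Files paragraph, "visible by other users and maybe even readable in case of misconfiguration" does not say which misconfiguration is meant, so a reader cannot check whether they are affected. Name the condition that makes the files readable, and turn the closing $tmpdir sentence into advice (for example, pointing $tmpdir at a directory only the user can access) rather than only noting that "a different location for these files may be desired".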
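Review bot: variable names are spelled inconsistently across the new chapter: "$edit_headers" in the Message-ID section but "$edit-headers" in the mailto: section, and "$mailcap_path" next to "$mailcap-sanitize". Use the underscore form for the displayed name throughout. The heading also says "Message-ID:" while the body says "Message-Id:". While here, please fix "habbits", "psuedoheader", "trustworth", "As Mutt be can be set up", "It may already too late", and "tools involved via mailcap" (presumably "invoked").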