.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\"  diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LEI-SECURITY 7"
.TH LEI-SECURITY 7 "1993-10-02" "public-inbox.git" "public-inbox user manual"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
lei \- security information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBlei\fR\|(1) is intended for use with both publicly-archived
and \*(L"private\*(R" mail in personal mailboxes.
This document is intended to give an overview of security implications
and lower^Wmanage user expectations.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
lei expects to be run as a regular user on a Unix-like system.
It expects a case-sensitive filesystem with standard Unix permissions
support.
.PP
It does not use \s-1POSIX\s0 ACLs, extended attributes, nor any other
security-related functions which require non-standard Perl modules.
.PP
There is preliminary support for \*(L"virtual users\*(R", but it is
incomplete and undocumented.
.SH "INTERNAL FILES"
.IX Header "INTERNAL FILES"
lei runs with a umask of 077 to prevent other users on the
system from accessing each other's mail.
.PP
The git storage and Xapian databases are located at
\&\f(CW\*(C`$XDG_DATA_HOME/lei/store\*(C'\fR (typically
\&\f(CW\*(C`~/.local/share/lei/store\*(C'\fR).
Any personal mail imported will reside here, so this should be on an
encrypted filesystem or block device.
.PP
\&\f(CW\*(C`$XDG_RUNTIME_DIR/lei\*(C'\fR (typically \f(CW\*(C`/run/user/$UID/lei\*(C'\fR or
\&\f(CW\*(C`/tmp/lei\-$UID\*(C'\fR) contains the socket used to access the lei daemon.
It must only be accessible to the owner (mode 0700).
.PP
\&\f(CW\*(C`$XDG_CACHE_HOME/lei\*(C'\fR (typically \f(CW\*(C`~/.cache/lei\*(C'\fR) will contain
\&\s-1IMAP\s0 and Maildir folder names which could leak sensitive information,
as well as git repository names.
.PP
\&\f(CW\*(C`$XDG_DATA_HOME/lei/saved\-searches\*(C'\fR (typically
\&\f(CW\*(C`~/.local/share/lei/saved\-searches\*(C'\fR) will contain the aforementioned
folder names as well as (removable) search history.
.PP
The configuration for lei resides at \f(CW\*(C`$XDG_CONFIG_HOME/lei/config\*(C'\fR
(typically \f(CW\*(C`~/.config/lei/config\*(C'\fR).
It may contain sensitive pathnames and hostnames if a user chooses to
configure them.
.PP
lei itself will never write credentials to the filesystem.
However, \fBgit\-credential\fR\|(1) may be configured to do so.
lei will only read \f(CW\*(C`~/.netrc\*(C'\fR if
\&\f(CW\*(C`\-\-netrc\*(C'\fR is used (and it will never write to \f(CW\*(C`~/.netrc\*(C'\fR).
.PP
\&\f(CW\*(C`$XDG_CACHE_HOME/public\-inbox\*(C'\fR (typically \f(CW\*(C`~/.cache/public\-inbox\*(C'\fR)
can contain data and Inline::C\-built modules which can be shared with
public-facing \fBpublic\-inbox\-daemon\fR\|(8) instances; so no private data
should be in \*(L"public-inbox\*(R" paths.
.SH "EXTERNAL FILES"
.IX Header "EXTERNAL FILES"
Locations set by \fBlei\-add\-external\fR\|(1) can be shared with
public-facing \fBpublic\-inbox\-daemon\fR\|(8) processes.
They may reside on shared storage and may be made world-readable to other
users on the local system.
.SH "CORE DUMPS"
.IX Header "CORE DUMPS"
In case any process crashes, a core dump may contain passwords or
contents of sensitive messages.
Please report these so they can be fixed (see \*(L"\s-1CONTACT\*(R"\s0).
.SH "NETWORK ACCESS"
.IX Header "NETWORK ACCESS"
lei currently uses the \fBcurl\fR\|(1) and \fBgit\fR\|(1) executables in
\&\f(CW$PATH\fR for \s-1HTTP\s0 and \s-1HTTPS\s0 network access.
Interactive authentication for \s-1HTTP\s0 and \s-1HTTPS\s0 is not yet supported
since all currently supported \s-1HTTP/HTTPS\s0 sources are PublicInbox::WWW
instances.
.PP
The Mail::IMAPClient library is used for \s-1IMAP\s0 and \s-1IMAPS.\s0
Net::NNTP (standard library) is used for \s-1NNTP\s0 and \s-1NNTPS.\s0
.PP
Mail::IMAPClient and Net::NNTP will use IO::Socket::SSL for \s-1TLS\s0
if available.
In turn, IO::Socket::SSL uses the widely-installed OpenSSL library.
.PP
\&\s-1STARTTLS\s0 will be attempted if advertised by the server
unless \s-1IMAPS\s0 or \s-1NNTPS\s0 are used.
\&\f(CW\*(C`\-c imap.starttls=0\*(C'\fR
and \f(CW\*(C`\-c nntp.starttls=0\*(C'\fR may be used to disable \s-1STARTTLS.\s0
.PP
IO::Socket::Socks will be used if \f(CW\*(C`\-c imap.proxy\*(C'\fR or
\&\f(CW\*(C`\-c nntp.proxy\*(C'\fR point to a \f(CW\*(C`socks5h://$HOST:$PORT\*(C'\fR address
(common for Tor).
.PP
The \f(CW\*(C`\-\-netrc\*(C'\fR switch may be passed to curl and used for
\&\s-1NNTP/IMAP\s0 access (via Net::Netrc).
.SH "CREDENTIAL DATA"
.IX Header "CREDENTIAL DATA"
lei uses \fBgit\-credential\fR\|(1) to prompt users for \s-1IMAP\s0 and \s-1NNTP\s0
usernames and passwords.
These passwords are not encrypted in memory and get transferred across
processes via anonymous \s-1UNIX\s0 sockets and pipes.
They may be exposed via syscall tracing tools (e.g. \fBstrace\fR\|(1)),
kernel and hardware bugs/attacks.
.PP
While credentials are not written to the filesystem by default, it is
possible for them to end up on disk if processes are swapped out.
Use of an encrypted swap partition is recommended.
.SH "AUTHENTICATION METHODS"
.IX Header "AUTHENTICATION METHODS"
\&\s-1LOGIN\s0 (username + password) is known to work over \s-1IMAP\s0(S),
as does AUTH=ANONYMOUS (which is used by \fBpublic\-inbox\-imapd\fR\|(1) as
part of our test suite).
\&\s-1AUTHINFO\s0 may work for \s-1NNTP,\s0 but is untested.
Testers will be needed for other authentication methods.
.SH "DENIAL-OF-SERVICE VECTORS"
.IX Header "DENIAL-OF-SERVICE VECTORS"
lei uses the same \s-1MIME\s0 parsing library as \fBpublic\-inbox\-mda\fR\|(1),
with limits on header sizes, parts, nesting and boundaries similar to
those found in SpamAssassin and postfix.
.PP
Email address parsing is handled by Email::Address::XS if available,
but may fall back to regular expressions which favor speed and
predictable execution times over correctness.
.SH "ENCRYPTED EMAILS"
.IX Header "ENCRYPTED EMAILS"
Not yet supported, but it should eventually be possible to configure
decryption and indexing of encrypted messages and attachments.
When supported, decrypted terms will be stored in Xapian DBs under
\&\f(CW\*(C`$XDG_DATA_HOME/lei/store\*(C'\fR.
.SH "CONTACT"
.IX Header "CONTACT"
Feedback welcome via plain-text mail to
.PP
The mail archives are hosted at and
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright all contributors
.PP
License: \s-1AGPL\-3.0+\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBlei\-overview\fR\|(7), \fBlei\fR\|(1)
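.SH "EXAMPLE: AUDITING INTERNAL FILE PERMISSIONS"
.IX Header "EXAMPLE: AUDITING INTERNAL FILE PERMISSIONS"
The following POSIX shell script is an added example and is not part of
lei or public-inbox.
It walks the \s-1INTERNAL FILES\s0 paths named above (store, saved-searches,
cache, config and the daemon socket directory) and reports any whose group
or other permission bits are set, which a umask of 077 should never produce.
The \f(CW\*(C`XDG_*\*(C'\fR fallbacks mirror the typical locations listed above;
the function names are the example's own.

```sh
#!/bin/sh
# Added example, not lei's own code: report lei internal paths that are
# reachable by users other than the owner.  Function names are this
# example's own; the paths come from the INTERNAL FILES section.

# Classify one path.  Columns 5-10 of "ls -ld" are the group and other
# permission bits, e.g. "drwx------" -> "------".  Any r, w or x there
# means something besides the owner can reach the path.  Returns 1 on a leak.
lei_check_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "absent  $p"
        return 0
    fi
    go_bits=$(ls -ld "$p" | cut -c5-10)
    case $go_bits in
        *[rwx]*) echo "LEAK    $p (group/other bits: $go_bits)"; return 1 ;;
        *)       echo "ok      $p"; return 0 ;;
    esac
}

# Audit every internal location from the manual page.  Defaults follow the
# "typically ..." locations given above; the runtime dir falls back to
# /tmp/lei-$UID when XDG_RUNTIME_DIR is unset.  The last output line is
# "leaks: N", where N is the number of paths that are not owner-only.
lei_audit_perms() {
    data_home="${XDG_DATA_HOME:-$HOME/.local/share}"
    cache_home="${XDG_CACHE_HOME:-$HOME/.cache}"
    config_home="${XDG_CONFIG_HOME:-$HOME/.config}"
    runtime_dir="${XDG_RUNTIME_DIR:-/tmp/lei-$(id -u)}"
    leaks=0
    for p in "$data_home/lei/store" "$data_home/lei/saved-searches" "$cache_home/lei" "$config_home/lei/config" "$runtime_dir/lei"; do
        lei_check_path "$p" || leaks=$((leaks + 1))
    done
    echo "leaks: $leaks"
}
```

Run \f(CW\*(C`lei_audit_perms\*(C'\fR after sourcing the script; a non-zero
\&\f(CW\*(C`leaks:\*(C'\fR count points at a directory or file whose mode should be
tightened to 0700 or 0600.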