LEI-SECURITY(7)            public-inbox user manual            LEI-SECURITY(7)

NAME
       lei - security information

SYNOPSIS
       lei(1) is intended for use with both publicly-archived and "private"
       mail in personal mailboxes.  This document is intended to give an
       overview of security implications and lower^Wmanage user expectations.

DESCRIPTION
       lei expects to be run as a regular user on a Unix-like system.  It
       expects a case-sensitive filesystem with standard Unix permissions
       support.

       It does not use POSIX ACLs, extended attributes, or any other
       security-related functions which require non-standard Perl modules.

       There is preliminary support for "virtual users", but it is incomplete
       and undocumented.

INTERNAL FILES
       lei runs with a umask of 077 to prevent other users on the system from
       accessing each other's mail.

       The git storage and Xapian databases are located at
       "$XDG_DATA_HOME/lei/store" (typically "~/.local/share/lei/store").  Any
       personal mail imported will reside here, so this should be on an
       encrypted filesystem or block device.

       "$XDG_RUNTIME_DIR/lei" (typically "/run/user/$UID/lei" or
       "/tmp/lei-$UID") contains the socket used to access the lei daemon.
       It must only be accessible to the owner (mode 0700).

       "$XDG_CACHE_HOME/lei" (typically "~/.cache/lei") will contain IMAP and
       Maildir folder names which could leak sensitive information as well as
       git repository names.

       "$XDG_DATA_HOME/lei/saved-searches" (typically
       "~/.local/share/lei/saved-searches") will contain aforementioned folder
       names as well as (removable) search history.

       The configuration for lei resides at "$XDG_CONFIG_HOME/lei/config"
       (typically "~/.config/lei/config").  It may contain sensitive
       pathnames and hostnames if a user chooses to configure them.

       lei itself will never write credentials to the filesystem.  However,
       git-credential(1) may be configured to do so.  lei will only read
       "~/.netrc" if "--netrc" is used (and it will never write to
       "~/.netrc").

       "$XDG_CACHE_HOME/public-inbox" (typically "~/.cache/public-inbox") can
       contain data and Inline::C-built modules which can be shared with
       public-facing public-inbox-daemon(8) instances; so no private data
       should be in "public-inbox" paths.
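       The following is an added example, not code from lei or public-inbox:
       a POSIX sh audit of the directories listed above.  It checks that
       each one is owned by the calling user with no group/other permission
       bits (what the umask of 077 is meant to guarantee, and what the
       daemon socket directory requires), and counts entries underneath
       that have been relaxed by something else (a manual copy, a backup
       tool, a cron job with a looser umask).  It assumes only ls(1),
       find(1), id(1) and awk(1); the directory names are the defaults
       given on this page, honouring the XDG_* overrides.

```shell
#!/bin/sh
# Added example, not part of lei or public-inbox: audit the private lei
# directories named in lei-security(7).  Assumes only POSIX sh, ls(1),
# find(1), id(1) and awk(1).

# Return 0 if $1 is a directory owned by the calling user with no
# group/other permission bits (mode 0700), as required for the daemon
# socket directory; print a reason and return 1 otherwise.  Parses
# `ls -ldn` (numeric uid) so it works on GNU and BSD systems alike.
lei_check_private_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    line=$(ls -ldn "$dir")
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    bits=$(printf '%s\n' "$line" | cut -c5-10)   # group rwx + other rwx
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    if [ "$bits" != "------" ]; then
        echo "$dir: group/other access ($(printf '%s' "$line" | cut -c1-10))" >&2
        return 1
    fi
    return 0
}

# Print the number of entries under $1 (the directory itself included)
# that grant any group or other permission.  Everything lei creates
# should be 0600 or 0700, so a non-zero count means something outside
# lei relaxed a file or directory.
lei_count_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Audit every directory this page names; return 1 if anything is wrong.
# Usage: . ./lei-audit.sh && lei_audit
lei_audit() {
    rc=0
    for d in "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/lei" \
             "${XDG_DATA_HOME:-$HOME/.local/share}/lei" \
             "${XDG_CACHE_HOME:-$HOME/.cache}/lei" \
             "${XDG_CONFIG_HOME:-$HOME/.config}/lei"; do
        [ -e "$d" ] || continue      # only exists once lei has been used
        lei_check_private_dir "$d" || rc=1
        n=$(lei_count_exposed "$d")
        if [ "$n" -ne 0 ]; then
            echo "$d: $n entries readable or writable by group/other" >&2
            rc=1
        fi
    done
    return $rc
}
```

       "$XDG_DATA_HOME/lei/store" is deliberately included even though
       the page only requires 0700 on the runtime directory: the store
       holds imported private mail, so a group-readable file there is the
       same exposure as a group-readable socket directory.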

EXTERNAL FILES
       Locations set by lei-add-external(1) can be shared with public-facing
       public-inbox-daemon(8) processes.  They may reside on shared storage
       and may be made world-readable to other users on the local system.

CORE DUMPS
       In case any process crashes, a core dump may contain passwords or
       the contents of sensitive messages.  Please report crashes so they
       can be fixed (see "CONTACT").

NETWORK ACCESS
       lei currently uses the curl(1) and git(1) executables in $PATH for HTTP
       and HTTPS network access.  Interactive authentication for HTTP and
       HTTPS is not yet supported, since all currently supported HTTP/HTTPS
       sources are PublicInbox::WWW instances.

       The Mail::IMAPClient library is used for IMAP and IMAPS.  Net::NNTP
       (standard library) is used for NNTP and NNTPS.

       Mail::IMAPClient and Net::NNTP will use IO::Socket::SSL for TLS if
       available.  In turn, IO::Socket::SSL uses the widely-installed OpenSSL
       library.

       STARTTLS will be attempted if advertised by the server unless IMAPS or
       NNTPS are used.  "-c imap.starttls=0" and "-c nntp.starttls=0" may be
       used to disable STARTTLS, in which case the session stays in
       plaintext.

       IO::Socket::Socks will be used if "-c imap.proxy" or "-c nntp.proxy"
       point to a "socks5h://$HOST:$PORT" address (common for Tor).

       The "--netrc" switch may be passed to curl and used for NNTP/IMAP
       access (via Net::Netrc).

CREDENTIAL DATA
       lei uses git-credential(1) to prompt users for IMAP and NNTP usernames
       and passwords.  These passwords are not encrypted in memory and get
       transferred across processes via anonymous UNIX sockets and pipes.
       They may be exposed via syscall tracing tools (e.g. strace(1)) and by
       kernel and hardware bugs or attacks.

       While credentials are not written to the filesystem by default, it is
       possible for them to end up on disk if processes are swapped out.  Use
       of an encrypted swap partition is recommended.
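       The following is an added example, not code from lei or git: a
       POSIX sh linter for the settings this page describes in "NETWORK
       ACCESS" and "CREDENTIAL DATA".  It flattens git-config syntax (the
       format of "$XDG_CONFIG_HOME/lei/config" and "~/.gitconfig") with a
       small awk parser, then flags "imap.starttls"/"nntp.starttls" set to
       false, an "imap.proxy"/"nntp.proxy" that is not the "socks5h://"
       form this page documents, a "credential.helper" of "store" (which
       writes plaintext passwords to "~/.git-credentials"), and a
       "~/.netrc" or "~/.git-credentials" readable by group or other.  The
       file locations default to the ones given on this page and can be
       overridden by arguments; the parser deliberately ignores
       subsections, which is an assumption, not lei's behaviour.

```shell
#!/bin/sh
# Added example, not part of lei, public-inbox or git: lint lei's config
# and the user's git config for settings lei-security(7) warns about.
# Assumes only POSIX sh, awk(1), ls(1) and tr(1).

# Flatten git-config syntax into "section.key=value" lines (section and
# key lower-cased, any "subsection" dropped, which is a simplification).
# Handles comments, blank lines, [section], [section "sub"] and
# "key = value" pairs: all that lei and git-config write.
cfg_flatten() {
    awk '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*\[/ {
        s = $0
        sub(/^[[:space:]]*\[[[:space:]]*/, "", s); sub(/[[:space:]]*\].*$/, "", s)
        split(s, p, /[[:space:]]+/); section = tolower(p[1]); next
    }
    index($0, "=") {
        k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
        v = substr($0, index($0, "=") + 1)
        sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        print section "." tolower(k) "=" v
    }' "$1"
}

# The spellings git-config treats as boolean false.
cfg_is_false() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        0|false|no|off) return 0 ;;
        *) return 1 ;;
    esac
}

# Group/other permission bits of a file as ls(1) prints them, e.g. "r--r--".
other_bits() { ls -ld "$1" | cut -c5-10; }

# lei_lint [lei-config] [git-config] [home-dir]
# Prints one finding per line and returns 1 if there were any.
lei_lint() {
    lei_cfg=${1:-${XDG_CONFIG_HOME:-$HOME/.config}/lei/config}
    git_cfg=${2:-$HOME/.gitconfig}
    home=${3:-$HOME}
    findings=0
    for f in "$lei_cfg" "$git_cfg"; do
        [ -f "$f" ] || continue
        # a here-document keeps the loop in this shell, so $findings survives
        while IFS='=' read -r key val; do
            case "$key" in
            imap.starttls|nntp.starttls)
                if cfg_is_false "$val"; then
                    echo "$f: $key=$val: STARTTLS disabled; sessions stay plaintext unless the URL is imaps:// or nntps://"
                    findings=$((findings + 1))
                fi ;;
            imap.proxy|nntp.proxy)
                case "$val" in
                socks5h://*) ;;
                *)  echo "$f: $key=$val: not socks5h://, the only proxy form lei documents (hostnames resolved by the proxy, as Tor needs)"
                    findings=$((findings + 1)) ;;
                esac ;;
            credential.helper)
                case "$val" in
                store|store\ *)
                    echo "$f: $key=$val: git-credential-store keeps passwords in plaintext in ~/.git-credentials"
                    findings=$((findings + 1)) ;;
                esac ;;
            esac
        done <<EOF
$(cfg_flatten "$f")
EOF
    done
    # lei reads ~/.netrc only with --netrc, but the file must still be private
    for c in "$home/.netrc" "$home/.git-credentials"; do
        [ -f "$c" ] || continue
        if [ "$(other_bits "$c")" != "------" ]; then
            echo "$c: readable or writable by group/other (mode should be 0600)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

       Run "lei_lint" with no arguments to check the default locations.
       The "credential.helper" check is the one that matters most for the
       claim above that lei never writes credentials to disk: that holds
       only as long as git-credential(1) is not configured to do so.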

AUTHENTICATION METHODS
       LOGIN (username + password) is known to work over IMAP(S), as does
       AUTH=ANONYMOUS (which is used by public-inbox-imapd(1) as part of our
       test suite).  AUTHINFO may work for NNTP, but is untested.  Testers
       will be needed for other authentication methods.

DENIAL-OF-SERVICE VECTORS
       lei uses the same MIME parsing library as public-inbox-mda(1), which
       limits header sizes, the number of parts, nesting depth and boundary
       counts, similar to the limits found in SpamAssassin and postfix.

       Email address parsing is handled by Email::Address::XS if available,
       but may fall back to regular expressions which favor speed and
       predictable execution times over correctness.

ENCRYPTED EMAILS
       Not yet supported, but it should eventually be possible to configure
       decryption and indexing of encrypted messages and attachments.  When
       supported, decrypted terms will be stored in Xapian DBs under
       "$XDG_DATA_HOME/lei/store".

CONTACT
       Feedback welcome via plain-text mail to <mailto:meta@public-inbox.org>

       The mail archives are hosted at <https://public-inbox.org/meta/> and
       <http://4uok3hntl7oi7b4uf4rtfwefqeexfzil2w6kgk2jn5z2f764irre7byd.onion/meta/>

COPYRIGHT
       Copyright all contributors <mailto:meta@public-inbox.org>

       License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>

SEE ALSO
       lei-overview(7), lei(1)

public-inbox.git                  1993-10-02                   LEI-SECURITY(7)