user/dev discussion of public-inbox itself
 help / color / mirror / code / Atom feed
02305b9055c2898cac88d5fa6b80ca0fe94e6f9e blob 5164 bytes (raw)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
 
=head1 NAME

lei - security information

=head1 SYNOPSIS

L<lei(1)> is intended for use with both publicly-archived
and "private" mail in personal mailboxes.  This document is
intended to give an overview of security implications and
lower^Wmanage user expectations.

=head1 DESCRIPTION

lei expects to be run as a regular user on a Unix-like system.
It expects a case-sensitive filesystem with standard Unix
permissions support.

It does not use POSIX ACLs, extended attributes, nor any other
security-related functions which require non-standard Perl modules.

=head1 INTERNAL FILES

lei runs with a umask of 077 to prevent other users on the
system from accessing each other's mail.

The git storage and Xapian databases are located at
C<$XDG_DATA_HOME/lei/store> (typically C<~/.local/share/lei/store>).
Any personal mail imported will reside here, so this should
be on an encrypted filesystem or block device.

C<$XDG_RUNTIME_DIR/lei> (typically C</run/user/$UID/lei> or
C</tmp/lei-$UID>) contain the socket used to access the lei
daemon.  It must only be accessible to the owner (mode 0700).

C<$XDG_CACHE_HOME/lei> (typically C<~/.cache/lei>) will
contain IMAP and Maildir folder names which could leak sensitive
information as well as git repository names.

C<$XDG_DATA_HOME/lei/saved-searches> (typically
C<~/.local/share/lei/saved-searches>) will contain aforementioned
folder names as well as (removable) search history.

The configuration for lei resides at C<$XDG_CONFIG_HOME/lei/config>
(typically C<~/.config/lei/config>).  It may contain sensitive pathnames
and hostnames in the config if a user chooses to configure them.

lei itself will never write credentials to the
filesystem.  However, L<git-credential(1)> may be
configured to do so.  lei will only read C<~/.netrc> if
C<--netrc> is used (and it will never write to C<~/.netrc>).

C<$XDG_CACHE_HOME/public-inbox> (typically C<~/.cache/public-inbox>)
can contain data and L<Inline::C>-built modules which can be
shared with public-facing L<public-inbox-daemon(8)> instances;
so no private data should be in "public-inbox" paths.

=head1 EXTERNAL FILES

Locations set by L<lei-add-external(1)> can be shared with
public-facing L<public-inbox-daemon(8)> processes.  They may
reside on shared storage and may be made world-readable to
other users on the local system.

=head1 NETWORK ACCESS

lei currently uses the L<curl(1)> and L<git(1)> executables in
C<$PATH> for HTTP and HTTPS network access.  Interactive
authentication for HTTP and HTTPS is not-yet-supported since all
currently supported HTTP/HTTPS sources are L<PublicInbox::WWW>
instances.

The L<Mail::IMAPClient> library is used for IMAP and IMAPS.
L<Net::NNTP> (standard library) is used for NNTP and NNTPS.

L<Mail::IMAPClient> and L<Net::NNTP> will use L<IO::Socket::SSL>
for TLS if available.  In turn, L<IO::Socket::SSL> uses the
widely-installed OpenSSL library.

STARTTLS will be attempted if advertised by the server
unless IMAPS or NNTPS are used.  C<-c imap.starttls=0>
and C<-c nntp.startls=0> may be used to disable STARTTLS.

L<IO::Socket::Socks> will be used if C<-c imap.proxy> or
C<-c nntp.proxy> point to a C<socks5h://$HOST:$PORT>
address (common for Tor).

The C<--netrc> switch may be passed to curl and used for
NNTP/IMAP access (via L<Net::Netrc>).

=head1 CREDENTIAL DATA

lei uses L<git-credential(1)> to prompt users for IMAP and NNTP
usernames and passwords.  These passwords are not encrypted in
memory and get transferred across processes via anonymous UNIX
sockets and pipes.  They may be exposed via syscall tracing
tools (e.g. L<strace(1)>).

While credentials are not written to the filesystem by default,
it is possible for them to end up on disk if processes are
swapped out.  Use of an encrypted swap partition is recommended.

=head1 AUTHENTICATION METHODS

LOGIN (username + password) is known to work over IMAP(S),
as does AUTH=ANONYMOUS (which is used by L<public-inbox-imapd(1)>
as part of our test suite).  AUTHINFO may work for NNTP, but
is untested.  Testers will be needed for other authentication
methods.

=head1 DENIAL-OF-SERVICE VECTORS

lei uses the same MIME parsing library as L<public-inbox-mda(1)>
with limits header sizes, parts, nesting and boundary limits
similar to those found in SpamAssassin and postfix.

Email address parsing is handled by L<Email::Address::XS> if
available, but may fall back to regular expressions which favor
speed and predictable execution times over correctness.

=head1 ENCRYPTED EMAILS

Not yet supported, but it should eventually be possible to
configure decryption and indexing of encrypted messages and
attachments.  When supported, decrypted terms will be stored
in Xapian DBs under C<$XDG_DATA_HOME/lei/store>.

=head1 CONTACT

Feedback welcome via plain-text mail to L<mailto:meta@public-inbox.org>

The mail archives are hosted at L<https://public-inbox.org/meta/> and
L<http://4uok3hntl7oi7b4uf4rtfwefqeexfzil2w6kgk2jn5z2f764irre7byd.onion/meta/>

=head1 COPYRIGHT

Copyright all contributors L<mailto:meta@public-inbox.org>

License: AGPL-3.0+ L<https://www.gnu.org/licenses/agpl-3.0.txt>

=head1 SEE ALSO

L<lei-overview(7)>, L<lei(1)>
debug log:

solving 02305b9055c2 ...
found 02305b9055c2 in https://80x24.org/public-inbox.git

Code repositories for project(s) associated with this inbox:

	https://80x24.org/public-inbox.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).