Re: "key data is not secure: opendkim is in group 6", but the opendkim user is not a member of that group

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Mon, 1 Dec 2014 21:51:02 -0800 (PST)

On Sun, 30 Nov 2014, Tiemo Kieft wrote:
> I'm in the process of migrating a postfix server from CentOS to FreeBSD
> 10.1. I just installed the opendkim binary package using pkg, and copied
> my configuration files and keys from the old centos box. Both machines
> are running the same version of opendkim (2.9.2).
>
> When I try to send mail the following error is reported in maillog:
>
> Nov 29 14:21:19 mx opendkim[9848]: default._domainkey.<domain>: key data
> is not secure: opendkim is in group 6 which has multiple users (e.g.,
> "pop")
>
> According to the message the opendkim is a member of group 6 (mail),
> which is definitely not the case:
>
> $ id opendkim
> uid=127(opendkim) gid=127(opendkim) groups=127(opendkim)
>
> The service is running as opendkim user:
>
> $ ps aux | grep opendkim
> opendkim 9848 0.0 0.8 41152 7780 - Is 2:21PM 0:00.02 /usr/local/sbin/opendkim -l -u 127 -P /var/run/milteropendkim/pid -x /var/mail/vmail/opendkim.conf
>
> When I search for this error the only result that I get is about users
> that have their keys group/world readable, which is not the case:
>
> # ls -hl
> total 32
> -rw-r----- 1 opendkim opendkim 469B Nov 29 11:55 KeyTable
> -rw-r----- 1 opendkim opendkim 1.3K Nov 29 12:22 SigningTable
> -rw-r----- 1 opendkim opendkim 369B Oct 28 11:37 TrustedHosts
> dr-x------ 4 opendkim opendkim 512B Oct 27 16:53 keys
>
> The keys directory and its children have the same permissions (files
> -x).
>
> The error message seems to imply that the opendkim user is in the group
> with id 6 (mail), which is not the case. However, the postfix user is in
> that group. I'm not sure what is going on here.

The safety check you're hitting attempts to determine if any user other
than root and the user running the opendkim binary could conceivably alter
the key file you're trying to use. Every directory from the root down is
checked, as is the key file itself. If any of them could be written by a
user other than those two, the error appears.

Specifically, the error is reporting that it found a directory in group 6
either containing your key or someplace above it that is group-writable,
and also found that there's some other account ("pop" in this case) that
is in group 6. That could be determined by looking for other accounts
with primary group 6 in the password file (using getpwent()), or via a
query to group 6 in the groups file (using getgrgid()).

So, in short, opendkim is alarming because if someone can hack the "pop"
user, they can also alter your DKIM keys.

If changing the permissions for the offending directory isn't possible,
you can suppress the check by setting "RequireSafeKeys" to False in your
configuration file.

-MSK
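As an added illustration of the check described in the reply above (this is example code, not OpenDKIM's own implementation): the script below walks every component from "/" down to the key file, treats a component as unsafe when it is owned by someone other than root or the service user, is world-writable, or is group-writable by a group that contains some other account, and builds that group's membership the two ways the reply names, from the group file (getgrgid) and from primary-group entries in the password file (getpwall, the getpwent equivalent). The function names, the sample directory tree and modes, and the rule that a foreign owner is also unsafe are assumptions made for the example; the tree is constructed to mirror the report, with a group-writable /var/mail in group 6 and an unrelated "pop" account in that group.

```python
"""Added example: a RequireSafeKeys-style walk over a DKIM key path.
Not OpenDKIM's code; it reproduces the behaviour the reply describes."""
import os
import stat
import pwd
import grp


def group_members(gid, getgrgid=grp.getgrgid, getpwall=pwd.getpwall):
    """Every account in group `gid`: supplementary members from the group
    file (getgrgid) plus accounts whose primary group is `gid` in the
    password file (getpwall, i.e. the getpwent() walk)."""
    members = set()
    try:
        members.update(getgrgid(gid).gr_mem)
    except KeyError:
        pass  # gid has no entry in the group file
    for entry in getpwall():
        if entry.pw_gid == gid:
            members.add(entry.pw_name)
    return members


def path_components(key_path):
    """Yield '/', each directory leading to key_path, then the file itself."""
    parts = os.path.abspath(key_path).split(os.sep)[1:]  # drop leading ''
    current = os.sep
    yield current
    for part in parts:
        current = os.path.join(current, part)
        yield current


def find_unsafe_component(entries, membership, trusted):
    """Pure check over pre-collected metadata so it runs offline.

    entries:    list of (path, mode, owner_name, gid) from '/' to the key file
    membership: dict gid -> set of account names in that group
    trusted:    accounts allowed to write (root and the service user)
    Returns None when every component is safe, else a message for the first
    unsafe one, phrased like the maillog line in the question."""
    for path, mode, owner, gid in entries:
        if owner not in trusted:  # assumption: foreign owner counts as unsafe
            return f"{path}: owned by {owner!r}, not root or the service user"
        if mode & stat.S_IWOTH:
            return f"{path}: world-writable"
        if mode & stat.S_IWGRP:
            outsiders = membership.get(gid, set()) - trusted
            if outsiders:
                return (f"{path}: key data is not secure: group {gid} has "
                        f"multiple users (e.g., {sorted(outsiders)[0]!r})")
    return None


def check_key_file(key_path, service_user):
    """Live variant: stat each component of key_path on this host."""
    trusted = {"root", service_user}
    entries = []
    for path in path_components(key_path):
        st = os.stat(path)
        owner = pwd.getpwuid(st.st_uid).pw_name
        entries.append((path, stat.S_IMODE(st.st_mode), owner, st.st_gid))
    membership = {gid: group_members(gid) for _, _, _, gid in entries}
    return find_unsafe_component(entries, membership, trusted)


# Constructed metadata mirroring the report: /var/mail is group 6 ("mail")
# and group-writable, and an unrelated "pop" account is in group 6.
SAMPLE_ENTRIES = [
    ("/", 0o755, "root", 0),
    ("/var", 0o755, "root", 0),
    ("/var/mail", 0o775, "root", 6),
    ("/var/mail/vmail", 0o750, "opendkim", 127),
    ("/var/mail/vmail/keys", 0o500, "opendkim", 127),
    ("/var/mail/vmail/keys/default.private", 0o400, "opendkim", 127),
]
SAMPLE_MEMBERSHIP = {0: {"root"}, 6: {"pop", "postfix"}, 127: {"opendkim"}}
TRUSTED = {"root", "opendkim"}

if __name__ == "__main__":
    print(find_unsafe_component(SAMPLE_ENTRIES, SAMPLE_MEMBERSHIP, TRUSTED))
```

Running the constructed sample reports /var/mail as the offending component, which is the kind of directory the maillog line points at even though the opendkim account itself is not in group 6: the complaint is about the group-writable directory, not the service user's group list. Removing the group write bit on that directory (or, as a last resort, setting RequireSafeKeys to False) makes the check return None.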
Received on Tue Dec 02 2014 - 05:51:21 PST

This archive was generated by hypermail 2.3.0 : Tue Dec 02 2014 - 05:54:00 PST