[Dovecot] mail_extra_groups and home directory permissions
Joe Cooper
joe at virtualmin.com
Thu Oct 26 08:34:19 UTC 2006
Joe Cooper wrote:
> Hi all,
>
> I've got a virtual hosting environment, where each user lives in
> /home/domain/homes/user, and the mailbox is Maildir within that
> directory. I've been running into a permissions problem, because it
> seems Dovecot doesn't get the user's group membership (which seems odd,
> but I'm not confident enough of my comprehension of Dovecot to say
> it looks like a bug).
>
> In short, when Dovecot hits the /home/domain directory which is owned by
> domain:domain and set to 750 permissions, it gets a permission denied,
> despite the user having the needed group membership to traverse these
> directories.
>
> So, in an effort to work around this problem, I came upon the
> mail_extra_groups option, which seems to allow me to drop dovecot into
> additional groups. If I add the domain group to this list, dovecot is
> able to traverse to the correct directory and all works exactly as I
> want it to with the domain directories being set to 750 permissions.
> Hooray!
>
> My only question, since this is not the documented purpose of this
> option, is:
>
> Is it safe to do this? Am I opening up some other kind of security
> problem by setting this option to include all domain groups?
>
> Thanks for any thoughts anyone might have on this...
I spoke too soon. There were imap processes that stuck around through
my dovecot restart--they had already chdir'ed I guess, and kept working.
When I killed those and restarted the process, everything stopped
working and the permission denied errors came back.
Back to square one. Anybody have a clue to lend me?
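
A way to find which directory on the path refuses traversal for a given uid and group set, as an added example that is not part of the original post. It applies only the classic owner/group/other mode bits (ACLs and security modules are ignored); the temporary tree, the uid and the gids are constructed for the demonstration.

```python
import os
import stat
import tempfile


def can_traverse(st, uid, gids):
    """Classic Unix rule: exactly one of owner/group/other bits applies."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked(root, rel_path, uid, gids):
    """Return the first directory below `root` on the way to `rel_path`
    that the identity (uid, gids) cannot search, or None if none blocks."""
    gids = set(gids)
    current = root
    for part in rel_path.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if not can_traverse(os.stat(current), uid, gids):
            return current
    return None


def demo():
    """Constructed tree mirroring the post's layout: domain/homes/user/Maildir."""
    root = tempfile.mkdtemp()
    rel = os.path.join("domain", "homes", "user", "Maildir")
    os.makedirs(os.path.join(root, rel))
    domain = os.path.join(root, "domain")
    os.chmod(domain, 0o750)  # mode from the post: no access for "other"
    for sub in ("homes", "homes/user", "homes/user/Maildir"):
        os.chmod(os.path.join(domain, sub), 0o755)
    st = os.stat(domain)
    mail_uid = st.st_uid + 1   # constructed: a user who does not own the directory
    domain_gid = st.st_gid     # group that owns the 750 directory
    own_gid = domain_gid + 1   # constructed: the user's own primary group
    # Process holding only the primary group versus one that also holds the domain group.
    without = first_blocked(root, rel, mail_uid, [own_gid])
    with_group = first_blocked(root, rel, mail_uid, [own_gid, domain_gid])
    return domain, without, with_group


if __name__ == "__main__":
    print(demo())
```

What counts is the group set the running process actually holds, not the user's entries in the group database; on Linux that set is shown in the `Groups:` line of `/proc/<pid>/status`.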