[Dovecot] ownership/perms on DC file objects

Stewart Dean sdean at bard.edu
Thu May 10 20:16:44 EEST 2007


Back in late March I asked what ownership and permissions Dovecot's own 
directories and files should have; I have an obsessive nature, and 
wanted to get things right :(..  On April Fool's Day :), Timo responded:
> Dovecot opens pretty much all the configuration etc. files as root 
> before dropping the privileges. So in general they could all be 0600 
> owned by root
In my typical turtle-crawl fashion, I got around to it today, but the 
ownership/perms came out somewhat differently, which I put down here for 
anyone that wants to know...

I set everything under /var/run/dovecot to 600, owned by root:dovecot
> 4242 root at mercury:/var/run/dovecot ## ls -alR                
> total 24
> drw-------   3 root     dovecot         512 Mar 06 15:27 ./
> drwxr-xr-x   3 root     system          512 Apr 18 2006  ../
> drw-------   2 root     dovecot         512 May 09 10:37 login/
> ./login:
> total 24
> drw-------   2 root     dovecot         512 May 09 10:37 ./
> drw-------   3 root     dovecot         512 Mar 06 15:27 ../
> srw-------   1 root     dovecot           0 May 09 10:37 default=
> -rw-------   1 root     dovecot         230 May 09 10:36 ssl-parameters.dat
>   
And restarted dovecot
> 4243 root at mercury:/var/run/dovecot ## dovecot
>   
but apparently /var/run/dovecot/login should be 750, but DC dealt with 
that automagically
> Warning: Corrected permissions for login directory /var/run/dovecot/login
> 4244 root at mercury:/var/run/dovecot ## ls -alR
> total 24
> drw-------   3 root     dovecot         512 Mar 06 15:27 ./
> drwxr-xr-x   3 root     system          512 Apr 18 2006  ../
> drwxr-x---   2 root     dovecot         512 May 10 12:47 login/
> ./login:
> total 24
> drwxr-x---   2 root     dovecot         512 May 10 12:47 ./
> drw-------   3 root     dovecot         512 Mar 06 15:27 ../
> srwxrwxrwx   1 root     dovecot           0 May 10 12:47 default=
> -rw-------   1 root     dovecot         230 May 09 10:36 ssl-parameters.dat
>   
...but then got in the syslog
> May 10 12:49:51 mercury mail:err|error dovecot: imap-login: Can't open SSL parameter file ssl-parameters.dat: Permission denied
> May 10 12:49:51 mercury mail:err|error dovecot: child 1380384 (login) returned error 89
>
>   
So I made it 640 which seems to do.
> 4246 root at mercury:/var/run/dovecot ## chmod 640 login/ssl-parameters.dat
> 4247 root at mercury:/var/run/dovecot ## ls -alR login                          
> total 24
> drwxr-x---   2 root     dovecot         512 May 10 12:47 ./
> drw-------   3 root     dovecot         512 Mar 06 15:27 ../
> srwxrwxrwx   1 root     dovecot           0 May 10 12:47 default=
> -rw-r-----   1 root     dovecot         230 May 09 10:36 ssl-parameters.dat
So it seems this will do (for others who obsess over things small):
a) /var/run/dovecot can be 600, root:dovecot
b) /var/run/dovecot/login should be 750, root:dovecot
c) /var/run/dovecot/login/ssl-parameters.dat might be 640, root:dovecot

-- 
====
Stewart Dean, Unix System Admin, Henderson Computer Resources 
Center of Bard College, Annandale-on-Hudson, New York  12504  
sdean at bard.edu  voice: 845-758-7475, fax: 845-758-7035
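
A check of the three paths in the list above against the modes and ownership the post settled on, as an added example that is not part of the original message or of Dovecot. The function name `audit`, its numeric uid/gid parameters and the policy table are assumptions of this example.

```python
import os
import stat

# Modes from the post's closing list, relative to /var/run/dovecot.
# They record what worked on the poster's system, not official guidance.
EXPECTED = {
    ".": 0o600,
    "login": 0o750,
    "login/ssl-parameters.dat": 0o640,
}


def audit(base, uid, gid, expected=EXPECTED):
    """Compare mode and numeric owner:group of each listed path.

    Returns a list of findings; an empty list means everything matches.
    """
    findings = []
    for rel, want in expected.items():
        path = os.path.normpath(os.path.join(base, rel))
        try:
            st = os.lstat(path)  # lstat: never follow a symlink
        except OSError as exc:
            findings.append(f"{path}: cannot stat ({exc.strerror})")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        have = stat.S_IMODE(st.st_mode)
        if have != want:
            findings.append(
                f"{path}: mode {have:04o} ({stat.filemode(st.st_mode)}), "
                f"expected {want:04o}"
            )
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append(
                f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}"
            )
    return findings


if __name__ == "__main__":
    import grp  # assumption: a local group named "dovecot", as in the post

    problems = audit("/var/run/dovecot", 0, grp.getgrnam("dovecot").gr_gid)
    print("\n".join(problems) or "all listed paths match")
```

Run it as root: with the top directory at 600, a non-root user cannot stat anything beneath it and every child path is reported as "cannot stat".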