[Dovecot] [Dovecot-news] Security issue #5: mail_extra_groups setting is often used insecurely
Jérémie Bouttier
bouttier at spht.saclay.cea.fr
Tue Mar 4 18:31:08 EET 2008
Hi,
It seems to me that many versions of Debian (where /var/mail is
root:mail 2775) are vulnerable.
Timo Sirainen wrote:
> a) Upgrade to v1.0.11 and use the new mail_privileged_group setting
> instead of mail_extra_groups.
We tried this but now the mail.log has a number of lines:
« dovecot: IMAP(someuser): open(/var/mail/.temp.XXXX) failed: Permission denied »
This with mail_location: mbox:~/Mail:INBOX=/var/mail/%u and no specific
settings for mbox_*_locks.
> mail_privileged_group setting works by keeping the group in process's
> saved GID while it's not in use and temporarily switching it to
> effective GID while dotlocks are created. Currently this is done only
> when:
>
> 1. It's only done for INBOX mbox which doesn't exist under the same
> location as other mailboxes (so typically under /var/mail).
>
> 2. It's used only after initial dotlock creation try failed with EACCES
> error.
This might be the explanation, but is there any way to avoid the logs getting flooded?
Cheers,
Jeremie
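The saved-GID scheme Timo describes above, written out as an added C example (not Dovecot's own code): the privileged group is moved into the effective GID only around the dotlock create and only after an unprivileged attempt failed with EACCES, then dropped again. The priv_gid parameter and the single O_EXCL create are simplifications assumed here.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* priv_gid stands for mail_privileged_group, assumed to sit in the process's
 * saved GID since startup. Raise it into the effective GID only for the
 * create, then drop back to the real GID. Returns fd >= 0 or -1 (errno from open). */
static int dotlock_open_privileged(const char *path, gid_t priv_gid)
{
    gid_t real_gid = getgid();
    if (setegid(priv_gid) < 0)                 /* effective := privileged group */
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    int saved_errno = errno;
    if (setegid(real_gid) < 0) {               /* effective := real; saved keeps priv_gid */
        if (fd >= 0) close(fd);
        abort();                               /* a failed privilege drop is never ignored */
    }
    errno = saved_errno;
    return fd;
}

/* Step 2 from the thread: try unprivileged first, use the group only on EACCES.
 * Returns 0 on success, -1 with errno set otherwise (EEXIST when already locked). */
int dotlock_create(const char *path, gid_t priv_gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 && errno == EACCES)
        fd = dotlock_open_privileged(path, priv_gid);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Self-check in a scratch directory (constructed input): first lock succeeds,
 * second fails with EEXIST. Returns 0, or the number of the failing step. */
int dotlock_selfcheck(void)
{
    char dir[] = "/tmp/dotlock-demo-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/INBOX.lock", dir);
    int rc = 0;
    if (dotlock_create(path, getegid()) != 0) rc = 2;
    else if (dotlock_create(path, getegid()) == 0 || errno != EEXIST) rc = 3;
    unlink(path); rmdir(dir);
    return rc;
}
```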