[Dovecot] Security issue #5: mail_extra_groups setting is often used insecurely

Timo Sirainen tss at iki.fi
Wed Mar 5 00:44:51 EET 2008


On Tue, 2008-03-04 at 23:41 +0100, Karsten Bräckelmann wrote:
> On Wed, 2008-03-05 at 00:29 +0200, Timo Sirainen wrote:
> 
> > > > a) Upgrade to v1.0.11 and use the new mail_privileged_group setting
> > > > instead of mail_extra_groups.
> > > 
> > > We tried this but now the mail.log has a number of lines :
> > > « dovecot: IMAP(someuser): open(/var/mail/.temp.XXXX) failed: Permission denied »
> > 
> > Oh, this is actually harmless. You can get rid of it (and improve the
> > performance) by setting dotlock_use_excl=yes.
> > 
> > But maybe I should release v1.0.12 anyway with that error message
> > silenced..
> 
> You mean seeing that error message only is actually not an error,
> because the next locking method just works?

Right. Also fixed it now:
http://hg.dovecot.org/dovecot-1.0/rev/a9ac53bc191b

> In that case, great -- I'll go change dotlock_use_excl, revert the scary
> option (b) of chmod world-writable, and see how it works out. Not using
> NFS anyway.

dotlock_use_excl=yes works also in all modern NFS systems. I doubt
anyone is still using NFSv2. This setting is now default in v1.1.
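
An added example, not part of the original message and not Dovecot code: a small audit of the settings named in this thread, flagging mail_extra_groups, a dotlock_use_excl that is not "yes", and a world-writable spool directory (the option (b) workaround). The sample config is constructed, the function names are hypothetical, and the parser assumes plain "key = value" lines with "#" comments.

```python
import os
import stat

# Constructed sample config, not taken from the thread or any real deployment.
SAMPLE_CONF = """\
protocols = imap
mail_extra_groups = mail
#mail_privileged_group = mail
protocol imap {
  dotlock_use_excl = no
}
"""

def parse_settings(text):
    """Collect uncommented 'key = value' lines; section nesting is ignored
    and the last assignment wins (a simplification made for this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def audit_conf(text):
    """Return (setting, advice) pairs for the two settings discussed in the thread."""
    s = parse_settings(text)
    findings = []
    if s.get("mail_extra_groups"):
        findings.append(("mail_extra_groups",
                         "set to %r; use mail_privileged_group instead"
                         % s["mail_extra_groups"]))
    if s.get("dotlock_use_excl", "").lower() != "yes":
        findings.append(("dotlock_use_excl",
                         "not 'yes'; the .temp 'Permission denied' message may be logged"))
    return findings

def is_world_writable(path):
    """True if 'other' has write permission, i.e. the chmod workaround is in place."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

if __name__ == "__main__":
    for setting, advice in audit_conf(SAMPLE_CONF):
        print("%s: %s" % (setting, advice))
    spool = "/var/mail"  # spool path as it appears in the thread's log line
    if os.path.isdir(spool):
        print("%s world-writable: %s" % (spool, is_world_writable(spool)))
```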
