[Dovecot] maildirfolder is created world-writeable
Timo Sirainen
tss at iki.fi
Mon Jan 26 04:12:20 EET 2009
On Wed, 2009-01-21 at 20:06 +1100, Robert S wrote:
> If I create a new folder using a mail client (eg. kmail/OE), the
> maildirfolder file is created world-writable. I assume that this is a
> security risk and should be -rw-------.
Yes, it shouldn't be world-writable, fixed:
http://hg.dovecot.org/dovecot-1.1/rev/22c279ca3bb4
Anyway there isn't really much danger with how it was previously,
because:
1) The directory was created with 0700 permissions, so no-one could
write to the file.
2) Even if someone was able to write to the file, the worst that could
happen is that the owner's disk quota was reduced. The maildirfolder
file is never read by Dovecot.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20090125/5a805ef8/attachment.bin
More information about the dovecot
mailing list