[Dovecot] maildirfolder is created world-writeable

Timo Sirainen tss at iki.fi
Mon Jan 26 04:12:20 EET 2009


On Wed, 2009-01-21 at 20:06 +1100, Robert S wrote:
> If I create a new folder using a mail client (eg. kmail/OE), the
> maildirfolder file is created world-writable.  I assume that this is a
> security risk and should be -rw-------.

Yes, it shouldn't be world-writable, fixed:
http://hg.dovecot.org/dovecot-1.1/rev/22c279ca3bb4

Anyway there isn't really much danger with how it was previously,
because:

1) The directory was created with 0700 permissions, so no-one could
write to the file.

2) Even if someone was able to write to the file, the worst that could
happen is that the owner's disk quota was reduced. The maildirfolder
file is never read by Dovecot.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20090125/5a805ef8/attachment.bin 


More information about the dovecot mailing list