[Dovecot] Problem with created ~/mail directory

Chris Adams cmadams at hiwaay.net
Sun Feb 7 20:02:11 EET 2010


Once upon a time, Timo Sirainen <tss at iki.fi> said:
> On Fri, 2010-02-05 at 11:20 -0600, Chris Adams wrote:
> > If a user doesn't have a ~/mail directory and logs in, the directory is
> > created for them.  However, it is created with insecure permissions,
> > 0770 (full group access).
> > 
> > The problem is this bit in src/lib-storage/index/mbox/mbox-storage.c:
> > 
> >    #define CREATE_MODE 0770 /* umask() should limit it more */
> 
> Fixed: http://hg.dovecot.org/dovecot-1.2/rev/99caf87fb3ce
> 
> Also v2.0 handles this by copying the parent directory's permissions.

I'm not sure that copying the parent directory's permissions is the
correct thing in all cases.  Children of the home directory (e.g.
~/mail, ~/sieve) may need to be handled as a special case.

For example, I have a server that handles mail, web, and shell accounts
for a number of users.  Since it handles web for the users, they have
~/public_html, and their home directory has to have at least
world-execute for ~/public_html to be visible.  However, that doesn't
mean that ~/mail should also have world-execute.

I can create ~/mail and ~/sieve with 0700 perms, but some users (which
do dumb things all the time) will at some point delete one or both of
those directories.  Then the next time Dovecot needs one, it would copy
home directory perms, which are at a minimum 0701.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


More information about the dovecot mailing list