[Dovecot] Feature request for maildir style boxes

David Ford david at blue-labs.org
Tue Oct 5 22:13:20 EEST 2010


 greetings,

i'd like to ask for a certain feature request.
dovecot:maildir_uidlist_recreate() tries to set the gid of new files based on
the parent directory group ownership and normally that's desired, an
appropriate security method.  on our server, we use directory
permissions to more stringently isolate access between users and
services.  we have three group ids used for this, and i'll use my name
as example.

    Oct 05 13:44:30 imap(david): Error: fchown(/home/david/.maildir/dovecot-uidlist.tmp, -1, 497(net-mail)) failed: Operation not permitted (egid=1234(david), group based on /home/david/.maildir)

Colt log # ls -ld /home/ /home/david /home/david/public_html/ /home/david/.maildir /home/david/.maildir/cur|awk '{printf "%s %5s %9s %s\n", $1,$3,$4,$9}'

    drwxr-xr-x  root      root /home/
    drwx--x--- david   net-all /home/david
    drwxr-x--- david  net-mail /home/david/.maildir
    drwx------ david     david /home/david/.maildir/cur
    drwxr-x--- david   net-web /home/david/public_html/

the purpose of this is to prevent undesired access to personal files.
users cannot 'cd' or 'ls' in other user's home directories, mail stores,
or web files.

apache, procmail, dovecot et cetera, are in the appropriate groups and
therefore have access needed to do file ops. however, they're limited to
their appropriate stores.

as mentioned at the beginning, dovecot tries to match the gid of the
parent directory for new files and normally, that's desired and expected
behavior, but in our case.  dovecot creates the file as uid/gid of the
user, so the knob can either ignore the failure to set gid per the
parent and not log it, or not attempt to set the gid per parent in the
first place.

src/lib-storage/index/maildir/maildir-uidlist.c, line 1412:

        if (box->file_create_gid != (gid_t)-1 &&
            fchown(fd, (uid_t)-1, box->file_create_gid) < 0) {
                if (errno == EPERM) {
                        mail_storage_set_critical(box->storage, "%s",
                                eperm_error_get_chgrp("fchown", temp_path,
                                                box->file_create_gid,
                                                box->file_create_gid_origin));
                } else {
                        mail_storage_set_critical(box->storage,
                                "fchown(%s) failed: %m", temp_path);
                }
        }


to something like: ( "new_files_inherit_parent_gid = true" )

        if (box->file_create_gid != (gid_t)-1 &&
            box->new_files_inherit_parent_gid)  /* <-- new check */
        {
            fchown(fd, (uid_t)-1, box->file_create_gid);
            ...
        }


bool new_files_inherit_parent_gid [default true] could be added to the
following, for example:
    src/lib-storage/mailbox-list-private.h:struct mailbox_list
    src/lib-storage/mail-storage-private.h:struct mailbox


this block of code appears in similar instances for a number of other
occasions (and could be made a more global function), but not all files
in ~/.maildir/* appear to use a function like this.  the uidvalidity
functions are a little different for example.

==

for a busy mail server, that's a lot of excess logging and pollution
when trying to review nightly logs for issues :)

thank you for the consideration,
-david
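
The following is an added example, not part of the original message and not Dovecot code. It sketches the behaviour requested above and goes one step further by checking group membership first, so a chgrp that is known to be impossible is skipped quietly instead of failing with EPERM and being logged. The names can_chgrp_to, inherit_parent_gid and enum gid_result are hypothetical; the inherit argument stands in for the proposed new_files_inherit_parent_gid setting.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum gid_result { GID_ERROR = -1, GID_SKIPPED = 0, GID_SET = 1, GID_EPERM_IGNORED = 2 };

/* chown(2) rule for an unprivileged file owner: the new group must be the
 * effective gid or one of the supplementary groups.  euid 0 stands in for
 * CAP_CHOWN here (a simplification made for this example). */
bool can_chgrp_to(gid_t target, uid_t euid, gid_t egid,
                  const gid_t *groups, size_t ngroups)
{
        if (euid == 0 || target == egid)
                return true;
        for (size_t i = 0; i < ngroups; i++)
                if (groups[i] == target)
                        return true;
        return false;
}

/* Give fd the group of parent_dir, the way new maildir files inherit it.
 * inherit models the hypothetical new_files_inherit_parent_gid knob. */
enum gid_result inherit_parent_gid(int fd, const char *parent_dir, bool inherit)
{
        struct stat dir_st, file_st;
        gid_t groups[256];      /* assumes at most 256 supplementary groups */
        int n;

        if (!inherit)
                return GID_SKIPPED;             /* keep the creator's own gid */
        if (stat(parent_dir, &dir_st) < 0 || fstat(fd, &file_st) < 0)
                return GID_ERROR;
        if (file_st.st_gid == dir_st.st_gid)
                return GID_SKIPPED;             /* already matches */
        n = getgroups(256, groups);
        if (n < 0)
                return GID_ERROR;
        if (!can_chgrp_to(dir_st.st_gid, geteuid(), getegid(), groups, (size_t)n))
                return GID_EPERM_IGNORED;       /* would fail: skip, no log line */
        if (fchown(fd, (uid_t)-1, dir_st.st_gid) < 0)
                return errno == EPERM ? GID_EPERM_IGNORED : GID_ERROR;
        return GID_SET;
}
```

With the values from the log line above (egid 1234, target gid 497, user not a member of net-mail), can_chgrp_to() returns false and no fchown() is attempted.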


