[Dovecot] Umask of Homedir
Francisco Wagner C. Freire
wgrcunha at gmail.com
Wed Apr 20 21:34:19 EEST 2011
Hi, thanks for the response.
This is my setup:
# 2.0.12 (811a6d173bb2): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.1
auth_cache_negative_ttl = 10 mins
auth_cache_size = 10 M
default_client_limit = 2048
default_process_limit = 500
dict {
quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_uid = 50
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Welcome to **mydomain**
mail_access_groups = _sysadms
mail_debug = yes
mail_fsync = always
mail_location = maildir:%h/maildir:INDEX=%h/cache
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
inbox = yes
location =
prefix = INBOX.
separator = .
type = private
}
passdb {
args = /etc/dovecot/conf.d/**mydomain**/passdb-master.conf
driver = sql
}
plugin {
quota = dict:User quota::proxy::quota
quota_rule = *:storage=2G
quota_rule2 = INBOX:messages=+50000
sieve = ~/.dovecot.sieve
sieve_before = /etc/dovecot/sieve/
sieve_dir = ~/sieve
}
postmaster_address = account at mydomain
protocols = " lmtp sieve"
service auth-worker {
process_limit = 1024
process_min_avail = 100
}
service dict {
unix_listener dict {
group = _sysadms
mode = 0660
}
}
service lmtp {
inet_listener lmtp {
port = 24
}
process_min_avail = 100
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
args = /etc/dovecot/conf.d/**mydomain**/userdb.conf
driver = sql
}
verbose_proctitle = yes
protocol lmtp {
mail_plugins = " quota sieve"
}
protocol imap {
mail_plugins = " quota imap_quota"
}
My group _sysadmins contains all operations users, and they all need to enter
and be able to do anything in the home directories without root access. Looking at the
source code, I applied this patch to test, and all is going fine:
Index: dovecot-2.0.12/src/lib-storage/mailbox-list.c
===================================================================
--- dovecot-2.0.12.orig/src/lib-storage/mailbox-list.c 2011-04-15
12:48:40.000000000 -0300
+++ dovecot-2.0.12/src/lib-storage/mailbox-list.c 2011-04-15
12:51:13.000000000 -0300
@@ -420,8 +420,8 @@
struct stat st;
/* use safe defaults */
- *file_mode_r = 0600;
- *dir_mode_r = 0700;
+ *file_mode_r = 0660;
+ *dir_mode_r = 0770;
*gid_r = (gid_t)-1;
*gid_origin_r = "defaults";
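Review bot: Raising the "safe defaults" to `*file_mode_r = 0660;` / `*dir_mode_r = 0770;` widens every mailbox to group access precisely on the path where the root directory could not be stat'ed, and since `*gid_r` stays `(gid_t)-1` here, the group that gets access is whatever the process's primary group happens to be, not `_sysadms`. Suggest leaving the defaults at 0600/0700 and fixing the mode of the mailbox root instead, since the following hunk already derives the modes from an existing root.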
@@ -445,8 +445,8 @@
return;
}
} else {
- *file_mode_r = (st.st_mode & 0666) | 0600;
- *dir_mode_r = (st.st_mode & 0777) | 0700;
+ *file_mode_r = (st.st_mode & 0666) | 0660;
+ *dir_mode_r = (st.st_mode & 0777) | 0770;
*gid_origin_r = path;
if (!S_ISDIR(st.st_mode)) {
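Review bot: `(st.st_mode & 0666) | 0660` and `(st.st_mode & 0777) | 0770` force the group bits on no matter what the root directory's mode says, so a user whose mail root is deliberately 0700 silently becomes group-accessible; the unpatched `(st.st_mode & 0666) | 0600` already yields 0660/0770 as soon as the root itself is 0770. Suggest dropping this hunk and instead creating the mailbox root with mode 02770 and group `_sysadms` before first delivery, so that the existing inheritance does the work without a local patch.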
But I think this is not the best way.
The maildir path from the database is like:
/storage/a/ac/domainname/users/account/maildir
On Wed, Apr 20, 2011 at 12:35 PM, Timo Sirainen <tss at iki.fi> wrote:
> On Fri, 2011-04-15 at 12:43 -0300, Francisco Wagner C. Freire wrote:
>
> > The problem is: I need all accounts to have the permission 0770. I tried to
> > use the option mail_access_groups, but it doesn't work at all on the first
> > creation of the user path.
>
> This setting only gives the process access to extra groups. It doesn't
> change any behavior.
>
> > "For example a simple way to set up shared mailbox access for all system
> > users is to make all mail dirs/files 0770/0660 mode and owned by group
> > "sharedmail" and then set mail_access_groups=sharedmail. Using more fine
> > grained groups of course leaks less mail data in case there's a security
> > hole in Dovecot"
>
> This doesn't talk about the initial maildir creation, only what happens
> with existing ones..
>
> > doveconf -n
>
> You left out a bit too much. What is your mail_location? There may be an
> easy solution for this.