[Dovecot] Umask of Homedir

Francisco Wagner C. Freire wgrcunha at gmail.com
Wed Apr 20 21:34:19 EEST 2011


Hi, thanks for the response.

This is my setup:

# 2.0.12 (811a6d173bb2): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.1
auth_cache_negative_ttl = 10 mins
auth_cache_size = 10 M
default_client_limit = 2048
default_process_limit = 500
dict {
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_uid = 50
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Welcome to **mydomain**
mail_access_groups = _sysadms
mail_debug = yes
mail_fsync = always
mail_location = maildir:%h/maildir:INDEX=%h/cache
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/conf.d/**mydomain**/passdb-master.conf
  driver = sql
}
plugin {
  quota = dict:User quota::proxy::quota
  quota_rule = *:storage=2G
  quota_rule2 = INBOX:messages=+50000
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/
  sieve_dir = ~/sieve
}
postmaster_address = account at mydomain
protocols = " lmtp sieve"
service auth-worker {
  process_limit = 1024
  process_min_avail = 100
}
service dict {
  unix_listener dict {
    group = _sysadms
    mode = 0660
  }
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  process_min_avail = 100
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /etc/dovecot/conf.d/**mydomain**/userdb.conf
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = " quota sieve"
}
protocol imap {
  mail_plugins = " quota imap_quota"
}

My group _sysadmins contains all operations users, and they all need to enter
and be able to do anything in the home directories without root access. Looking at the
source code, I applied this patch to test, and everything went fine:

Index: dovecot-2.0.12/src/lib-storage/mailbox-list.c
===================================================================
--- dovecot-2.0.12.orig/src/lib-storage/mailbox-list.c    2011-04-15
12:48:40.000000000 -0300
+++ dovecot-2.0.12/src/lib-storage/mailbox-list.c    2011-04-15
12:51:13.000000000 -0300
@@ -420,8 +420,8 @@
     struct stat st;

     /* use safe defaults */
-    *file_mode_r = 0600;
-    *dir_mode_r = 0700;
+    *file_mode_r = 0660;
+    *dir_mode_r = 0770;
     *gid_r = (gid_t)-1;
     *gid_origin_r = "defaults";

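Review bot: the new values contradict the `/* use safe defaults */` comment they sit under. This branch is the fallback used when the path cannot be stat()ed, and it still leaves `*gid_r = (gid_t)-1`, so with `0660`/`0770` a missing or unreadable parent now yields group-writable files and directories owned by whatever group the creating process happens to run with, not specifically _sysadms. Keep `0600`/`0700` here; a group-accessible maildir tree is better obtained by giving the parent directory the mode and group you want so the stat()-based branch below copies them, and if a wider default is really intended the comment should say so.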
@@ -445,8 +445,8 @@
             return;
         }
     } else {
-        *file_mode_r = (st.st_mode & 0666) | 0600;
-        *dir_mode_r = (st.st_mode & 0777) | 0700;
+        *file_mode_r = (st.st_mode & 0666) | 0660;
+        *dir_mode_r = (st.st_mode & 0777) | 0770;
         *gid_origin_r = path;

         if (!S_ISDIR(st.st_mode)) {

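Review bot: the `| 0660` and `| 0770` make the group bits unconditional, which defeats the masks `st.st_mode & 0666` / `st.st_mode & 0777` on the same lines: those already carry the parent's group bits through, so a parent directory that is 0770 and group-owned by _sysadms produces 0770 directories and 0660 files with no code change, while this change also forces group write under parents that were deliberately 0700. Revert these two lines to `| 0600` / `| 0700` and set the mode on the maildir root in the deployment instead.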

But I think this is not the best way.


The maildir path from the database looks like:

/storage/a/ac/domainname/users/account/maildir




On Wed, Apr 20, 2011 at 12:35 PM, Timo Sirainen <tss at iki.fi> wrote:

> On Fri, 2011-04-15 at 12:43 -0300, Francisco Wagner C. Freire wrote:
>
> > The problem is: I need all accounts to have the permission 0770. I tried to
> > use the option mail_access_groups, but it doesn't work at all on the first
> > creation of the user path.
>
> This setting only gives the process access to extra groups. It doesn't
> change any behavior.
>
> > "For example a simple way to set up shared mailbox access for all system
> > users is to make all mail dirs/files 0770/0660 mode and owned by group
> > "sharedmail" and then set mail_access_groups=sharedmail. Using more fine
> > grained groups of course leaks less mail data in case there's a security
> > hole in Dovecot"
>
> This doesn't talk about the initial maildir creation, only about what happens
> with existing ones.
>
> > doveconf  -n
>
> You left out a bit too much. What is your mail_location? There may be an
> easy solution for this.
>
>
>
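The mode derivation visible in the unchanged lines of the second hunk (`(st.st_mode & 0666) | 0600` and `(st.st_mode & 0777) | 0700`), as an added stand-alone C example that is not Dovecot's code and not part of this thread: it reimplements that derivation for illustration and runs it against throwaway parent directories of different modes, showing that a parent already at 0770 yields 0770 directories and 0660 files without widening the defaults. The temp-directory helper, its /tmp path and the function names are assumptions of the example.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative re-implementation of the unchanged logic shown in the
 * mailbox-list.c hunk (not Dovecot's code): derive the modes used for new
 * files and directories from the stat() of an existing path.
 * Returns 0 on success, -1 if the path cannot be stat()ed (defaults stay). */
int derive_modes(const char *path, mode_t *file_mode_r, mode_t *dir_mode_r)
{
    struct stat st;

    /* safe defaults, used only when the path cannot be stat()ed */
    *file_mode_r = 0600;
    *dir_mode_r = 0700;

    if (stat(path, &st) < 0)
        return -1;

    /* copy the parent's permission bits; owner rw / rwx is always kept */
    *file_mode_r = (st.st_mode & 0666) | 0600;
    *dir_mode_r = (st.st_mode & 0777) | 0700;
    return 0;
}

/* Helper (assumption of this example): create a throwaway parent directory
 * with the requested mode, run derive_modes() on it and remove it again. */
static int with_temp_parent(mode_t parent_mode,
                            mode_t *file_mode_r, mode_t *dir_mode_r)
{
    char tmpl[] = "/tmp/maildir-perm-XXXXXX";
    char *dir = mkdtemp(tmpl);
    int ret;

    if (dir == NULL)
        return -1;
    /* chmod explicitly: mkdtemp creates 0700, and chmod ignores the umask */
    if (chmod(dir, parent_mode) < 0) {
        rmdir(dir);
        return -1;
    }
    ret = derive_modes(dir, file_mode_r, dir_mode_r);
    rmdir(dir);
    return ret;
}

/* Directory mode that would be derived under a parent of parent_mode, or -1. */
int dir_mode_under(mode_t parent_mode)
{
    mode_t f, d;
    if (with_temp_parent(parent_mode, &f, &d) < 0)
        return -1;
    return (int)d;
}

/* File mode that would be derived under a parent of parent_mode, or -1. */
int file_mode_under(mode_t parent_mode)
{
    mode_t f, d;
    if (with_temp_parent(parent_mode, &f, &d) < 0)
        return -1;
    return (int)f;
}

int main(void)
{
    /* constructed sample parent modes, including one with the setgid bit */
    mode_t parents[] = { 0700, 0770, 02770, 0755 };
    size_t i;

    for (i = 0; i < sizeof(parents) / sizeof(parents[0]); i++) {
        printf("parent %05o -> dir %04o, file %04o\n",
               (unsigned)parents[i],
               (unsigned)dir_mode_under(parents[i]),
               (unsigned)file_mode_under(parents[i]));
    }
    return 0;
}
```

The run shows that a parent of 0770 already produces 0770/0660 and a parent of 0700 stays at 0700/0600, so the deployment fix is to create the per-user maildir root with the desired mode and group rather than to change the defaults. On Linux, giving that parent the setgid bit (mode 2770) additionally makes entries created beneath it inherit its group, which is the plain Unix way to keep the tree group-owned by _sysadms; note that the `& 0777` mask drops the setgid bit from the derived mode itself, so 02770 and 0770 parents derive the same 0770.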