[Dovecot] Dovecot allows creation of folders outside of a user's directory

Timo Sirainen tss at iki.fi
Wed Apr 4 04:35:13 EEST 2012


On 30.3.2012, at 14.37, Christoph Bußenius wrote:

> in our dovecot 2.0 setup with shared folders, users can make dovecot create directories outside their mail directory.  Which is a bit scary imho.
> 
> The following command:
> 
> . create inbox.shared.abc123
> 
> or even
> 
> . create "inbox.shared.strange &ANY- characters"
> 
> -- even though it will fail with a "permission denied" error -- will create a directory like "/mail/users/strange &ANY- characters".  That directory will only contain a subdirectory "Maildir" and therein dovecot-acl-list.

Fixed: http://hg.dovecot.org/dovecot-2.0/rev/b15889b82258



More information about the dovecot mailing list