Hi,
It seems to me that many versions of Debian (where /var/mail is root:mail 2775) are vulnerable.
Timo Sirainen wrote:
a) Upgrade to v1.0.11 and use the new mail_privileged_group setting instead of mail_extra_groups.
We tried this, but now the mail.log has a number of lines like: "dovecot: IMAP(someuser): open(/var/mail/.temp.XXXX) failed: Permission denied"
This is with mail_location: mbox:~/Mail:INBOX=/var/mail/%u and no specific settings for mbox_*_locks.
mail_privileged_group setting works by keeping the group in process's saved GID while it's not in use and temporarily switching it to effective GID while dotlocks are created. Currently this is done only when:
- It's only done for INBOX mbox which doesn't exist under the same location as other mailboxes (so typically under /var/mail).
- It's used only after initial dotlock creation try failed with EACCES error.
This might be the explanation, but is there any way to keep the logs from getting flooded?
Cheers,
Jeremie
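
The saved-GID behaviour quoted above (first attempt with the user's own groups, retry with the privileged group only after EACCES, then drop it again), as an added example that is not part of the original mail and not Dovecot's code. The function names are hypothetical, and the example assumes the privileged group was already placed in the process's saved GID at startup, for instance with setresgid() while the process was still root.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: one exclusive-create attempt for a lock file. */
static int try_create(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
}

/*
 * Create a dotlock, using priv_gid only if the unprivileged attempt is
 * refused. Assumption: priv_gid is already the process's saved GID, so
 * setegid() may switch to it without root. Returns an fd, or -1 with errno.
 */
int dotlock_create(const char *path, gid_t priv_gid)
{
    gid_t user_gid = getegid();
    int fd, saved_errno;

    fd = try_create(path);
    if (fd >= 0 || errno != EACCES)
        return fd;              /* success, or an error the group cannot fix */

    if (setegid(priv_gid) < 0) {
        errno = EACCES;         /* group not available to this process */
        return -1;
    }
    fd = try_create(path);      /* second attempt, with the group effective */
    saved_errno = errno;

    /* Drop the group before anything else runs; never continue holding it. */
    if (setegid(user_gid) < 0)
        _exit(111);

    errno = saved_errno;
    return fd;
}
```

In this sketch the first, unprivileged attempt fails on every lock in a root:mail 2775 spool before the group is tried, so a caller that logs every EACCES rather than only the final result reports a failure each time.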