On Mar 4, 2008, at 10:50 AM, Benoit Branciard wrote:
> Timo Sirainen wrote:
>> mail_extra_groups=mail setting is often used insecurely to give
>> Dovecot access to create dotlocks to /var/mail directory. If you don't
>> use mboxes in /var/mail, make sure this setting is cleared. [...]
>>
>> 2a) mbox: Any files/directories under mail group-writable directories
>> can be created/deleted/renamed by symlinking the directory under
>> ~/mail/. For example ln -s /var/mail ~/mail/var, DELETE var/root will
>> happily delete root's mailbox. This I hadn't thought about before.
>
> Not if /var/mail is set sticky, which is the case on all good modern
> Unix systems:
Right. That's why it was included in the workarounds. :)
Anyway I also thought that /var/mail would be sticky in at least some
systems. I couldn't find a single one. CentOS 5, Debian, FreeBSD 6.2,
Solaris 10 none have it sticky by default.
>> mail_privileged_group setting works by keeping the group in process's
>> saved GID while it's not in use and temporarily switching it to
>> effective GID while dotlocks are created. Currently this is done only
>> when:
>>
>> - It's only done for INBOX mbox which doesn't exist under the same
>>   location as other mailboxes (so typically under /var/mail).
>> - It's used only after initial dotlock creation try failed with
>>   EACCES error.
>
> Too bad... I found mail_extra_groups to be a very handy (and secure)
> way to handle Dovecot automatic index creation outside user's
> directory.
I didn't remove the setting, just renamed it to mail_access_groups.
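As an added check (not from the thread and not Dovecot's own code), a small POSIX sh script that flags the two conditions discussed above: a group-writable spool directory without the sticky bit, and an uncommented, non-empty mail_extra_groups (or its newer name mail_access_groups) line in a config file. The directory modes and config lines it runs against are constructed samples.

```shell
#!/bin/sh
# Audit helper for the conditions discussed in the thread.
# Both functions return 0 when the condition IS present, so they
# read naturally inside if/while.

# Is DIR group-writable without the sticky bit? That is the
# combination under which entries in the spool can be renamed or
# unlinked through a symlink placed in a user's own mail root.
spool_dotlock_risk() {
    dir="$1"
    [ -d "$dir" ] || return 2
    # Portable mode string from ls, e.g. "drwxrwxr-x" or "drwxrwxrwt".
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ?????w???[tT]) return 1 ;;   # group-writable but sticky: OK
        ?????w????)    return 0 ;;   # group-writable, not sticky: risk
        *)             return 1 ;;   # not group-writable at all
    esac
}

# Does CONF set mail_extra_groups / mail_access_groups to a non-empty
# value on an uncommented line?
extra_groups_set() {
    grep -Eq '^[[:space:]]*mail_(extra|access)_groups[[:space:]]*=[[:space:]]*[^[:space:]#]' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    chmod 0775 "$tmp"            # constructed: group-writable, no sticky bit
    if spool_dotlock_risk "$tmp"; then
        echo "$tmp: group-writable without sticky bit (dotlock symlink risk)"
    fi
    chmod 1775 "$tmp"            # the workaround from the thread: sticky bit
    if ! spool_dotlock_risk "$tmp"; then
        echo "$tmp: group-writable but sticky; rename/unlink limited to owner"
    fi
    conf="$tmp/dovecot.conf"     # constructed sample config
    printf '%s\n' '# mail_extra_groups = mail' \
        'mail_extra_groups = mail' 'mail_location = mbox:~/mail:INBOX=/var/mail/%u' > "$conf"
    if extra_groups_set "$conf"; then
        echo "$conf: mail_extra_groups/mail_access_groups set; clear it unless /var/mail mboxes need it"
    fi
    rm -rf "$tmp"
}
demo
```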