net-mail group is used by sendmail, procmail, dovecot, and additional programs that read/write in the user's mail directory. without permissions such as below and using typical permissions, other users can cd into a user's .maildir and identify all folders a user is subscribed to (personal information leakage), watch for new emails (timing attacks). the same goes for the web directories. the source of web scripts can be revealed as well as other information.
our users tend to be picky about security and privacy amongst themselves, and it's not always possible to make each daemon set their id or group id to the user or not be noisy about unexpected lack of permissions when doing file operations for the user. each service has their own idea about how file permissions should be set.
daemons not in the net-all group simply don't have access to the user's home directory regardless.
the "other way" is having dovecot not attempt to emulate the setgid bit of a directory and fchown() children in that directory. dovecot would then simply set the uid/gid of the file as the user it's currently running as. if users want to force files created in that directory to a given gid, they could set the gid and chmod g+s on that directory.
On 10/05/2010 06:17 PM, Timo Sirainen wrote:
> On 5.10.2010, at 20.13, David Ford wrote:
>> drwxr-x--- david net-mail /home/david/.maildir
>> drwx------ david david    /home/david/.maildir/cur
>
> Can you give me some use case for what the net-mail is used for?
>
>> to something like: ( "new_files_inherit_parent_gid = true" )
>
> I hate settings that are going to be used only by about one installation. Maybe there's another way.
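As an added example (not code from this thread or from Dovecot itself), a small Python audit that walks a maildir tree laid out as in the listing above (top level 0750 owned by the mail-reading group, everything beneath closed to "other") and reports the leak David describes: entries that other users can list or traverse, and optionally a top-level directory whose group is not the expected mail group. The sample tree it builds is constructed for the demo; the `.Private` folder name and the gid argument are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that expose an entry to users outside owner and group.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def audit_maildir(root, mail_group_gid=None):
    """Return a list of (path, problem) tuples for a maildir tree.

    Checks: the top-level directory must be traversable by its group
    (the daemons' shared group, e.g. net-mail) and, if mail_group_gid is
    given, owned by that group; no entry anywhere may be accessible to
    'other'; every entry must belong to the mailbox owner.
    """
    root = Path(root)
    findings = []
    top = root.lstat()
    if top.st_mode & OTHER_BITS:
        findings.append((str(root), "top-level directory accessible to other"))
    if mail_group_gid is not None and top.st_gid != mail_group_gid:
        findings.append((str(root), "top-level directory not owned by mail group"))
    if not (top.st_mode & stat.S_IRGRP and top.st_mode & stat.S_IXGRP):
        findings.append((str(root), "mail group cannot traverse top-level directory"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            st = entry.lstat()
            if st.st_mode & OTHER_BITS:
                findings.append((str(entry), "accessible to other"))
            if st.st_uid != top.st_uid:
                findings.append((str(entry), "not owned by mailbox owner"))
    return findings


def build_sample_maildir(base):
    """Constructed sample tree (not from the thread): a closed maildir with
    one subscribed folder accidentally left world-readable."""
    root = Path(base) / ".maildir"
    root.mkdir(exist_ok=True)
    os.chmod(root, 0o750)  # explicit chmod so the umask cannot interfere
    for sub, mode in (("cur", 0o700), ("new", 0o700), (".Private", 0o755)):
        (root / sub).mkdir(exist_ok=True)
        os.chmod(root / sub, mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, problem in audit_maildir(build_sample_maildir(tmp)):
            print(f"{path}: {problem}")
```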