6 Feb
2010
6 Feb
'10
8:31 p.m.
On Fri, 2010-02-05 at 11:20 -0600, Chris Adams wrote:
If a user doesn't have a ~/mail directory and logs in, the directory is created for them. However, it is created with insecure permissions, 0770 (full group access).
The problem is this bit in src/lib-storage/index/mbox/mbox-storage.c:
#define CREATE_MODE 0770 /* umask() should limit it more */
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/99caf87fb3ce
Also v2.0 handles this by copying the parent directory's permissions.