On 22.3.2010, at 11.25, Steffen Kaiser wrote:
On Fri, 19 Mar 2010, Thomas Hummel wrote:
OK, but I still don't quite get it: if you use the same UID, doesn't this somehow equate to giving something like 777 modes in the system user case? (I mean on an OS level, problems related to such loose permissions are the same and, if in 777, permissions are no longer a problem for Dovecot.)
I tried to hack some magic into Dovecot v1.2, in order to use system users with the default 0700 perms and ACLs.
My idea was to put everybody sharing folders, and everybody who may access shared folders, into the same group "doveshared", then leverage the Unix permissions so that this group may access the folders. So I do not need to use 0777 everywhere.
Yes, this is what I originally meant with "it's more difficult for system users".
In fact, I was not able to find a reliable way to get the Unix permissions right for new mails. Maybe this was because I didn't set ".dovecot-shared" or the Unix permissions of the Maildir base directory right.
The new files copy the permissions from the mailbox's root directory (and when a mailbox directory is created, its permissions are copied from the maildir root). So you should basically do something like:

    find /mails -type d -print0 | xargs -0 chgrp doveshared
    find /mails -type d -print0 | xargs -0 chmod 0770
I also got fchown() errors for shared mailboxes with write access to non-owners.
Well, this I'm not sure about... I think fchown() is only called when new files are created. So I guess the process didn't belong to the doveshared group? (mail_extra_groups=doveshared would help.)
Do you use 0777 Unix perms on all Maildirs and mail folders? Is it working reliably when mails are dropped with Deliver and APPEND, and when the MUA creates new (sub-)folders?
It should work the same as with 0770, i.e. permissions are copied the same way.
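The layout discussed in this thread (every Maildir directory group-owned by doveshared and mode 0770, with Dovecot copying a new file's permissions from its mailbox root) only keeps working if no directory in the tree drifts from it; a single 0700 directory left behind by a manual copy or restore is enough to produce the unreadable mails or fchown() errors mentioned above. The script below is an added example, not code from the thread or from Dovecot. It wraps the two commands Timo gave into a repair function and adds an audit that lists the directories with the wrong mode or group; the function names are made up here, /mails and doveshared are the thread's values, and it relies only on POSIX find (-perm exact match, -group, -exec ... {} +).

```sh
#!/bin/sh
# Added example (not from the thread or from Dovecot): audit and repair the
# group-sharing layout for a Maildir tree. Directories must be group GROUP and
# mode exactly 0770, because Dovecot derives the permissions of new mails and
# new subfolders from the mailbox root directory.

# audit_maildir_perms ROOT GROUP
#   Prints every directory under ROOT whose mode is not 0770 or whose group is
#   not GROUP. Returns 0 when the tree is clean, 1 otherwise.
audit_maildir_perms() {
    root=$1
    grp=$2
    # -perm 0770 is an exact match, so a 0700 or 2770 (setgid) directory is
    # reported rather than silently accepted.
    wrong_mode=$(find "$root" -type d ! -perm 0770 -print)
    wrong_group=$(find "$root" -type d ! -group "$grp" -print)
    status=0
    if [ -n "$wrong_mode" ]; then
        printf 'directories whose mode is not 0770:\n%s\n' "$wrong_mode"
        status=1
    fi
    if [ -n "$wrong_group" ]; then
        printf 'directories whose group is not %s:\n%s\n' "$grp" "$wrong_group"
        status=1
    fi
    return $status
}

# fix_maildir_perms ROOT GROUP
#   The two commands from the thread, applied with -exec ... {} + so that
#   folder names containing spaces are handled and chgrp/chmod run in batches.
fix_maildir_perms() {
    root=$1
    grp=$2
    find "$root" -type d -exec chgrp "$grp" {} + &&
    find "$root" -type d -exec chmod 0770 {} +
}

# Run as a script: audit only, e.g.  sh maildir_perms.sh /mails doveshared
# (the exit status tells a cron job or monitoring check whether anything drifted).
if [ "$#" -eq 2 ]; then
    audit_maildir_perms "$1" "$2"
fi
```

The audit deliberately only reports; run fix_maildir_perms when the report is what you expect, since it touches every directory under ROOT. Note that, like the commands in the thread, it changes directories only: mail files that already exist keep their old group until you chgrp them as well, whereas files Dovecot creates afterwards pick up the directory's settings.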