5 Feb 2010, 7:20 p.m.
If a user doesn't have a ~/mail directory and logs in, the directory is created for them. However, it is created with insecure permissions, 0770 (full group access).
The problem is this bit in src/lib-storage/index/mbox/mbox-storage.c:
#define CREATE_MODE 0770 /* umask() should limit it more */
The code then uses CREATE_MODE as an argument to mkdir_parents(), but mkdir_parents() overrides the umask setting and forces the requested permissions. There's no way to override this except to change the source code.
It looks like the same thing is in dbox-storage.c and cydir-storage.c.
This is with Dovecot 1.2.10.
Chris Adams cmadams@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.