On 10/05/2010 06:44 PM, Timo Sirainen wrote:
> On 5.10.2010, at 23.38, David Ford wrote:
>> net-mail group is used by sendmail, procmail, dovecot, and additional programs that read/write in the users mail directory.
> Can you give some specific examples?
i did. sendmail accesses .forward or aliasing files, procmail does delivery, dovecot does read/write for imap, pine reads and writes and webmail cgi reads and writes or uses imap.
>> drwxr-x--- david net-mail /home/david/.maildir
>> drwx------ david david /home/david/.maildir/cur
> Do new/ and tmp/ directories then have netmail-rx so mails can be delivered? What about non-INBOX mailboxes? Or what exactly is the point of not just making .maildir/ 0700? Or if new/ dir is g+rw, is it important that cur/ directory isn't?
new/ and tmp/ are set to david:david 0700 as cur/ is, as well as all non-INBOX. .maildir cannot be 0700 because programs that don't run as the same userid but only as the group id cannot then access the .maildir directory. it's not important that they have access to files below the top level mail store. procmail issues an error when writing in tmp/ as well.
~/.maildir/ is not setgid because i don't want files forced to the net-mail group. dovecot is taking it upon itself to do so anyway. that's nice and all, but not desired and the directory permissions aren't set for this policy. to be technical, it's unexpected. i want my email files to be set to david:david, not david:other-group. dovecot should not assume that the gid should be set differently from my user's gid.
the group permissions are set for read/exec in this directory for this group, the minimum needed for all the daemons to play nicely with each other, and with the user.
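As an added example (not code from the thread or from Dovecot), the POSIX shell script below lays out the permission policy David describes and audits an existing Maildir against it: top level 0750 with the shared mail group and no setgid bit, so group members can only traverse and list it, and cur/, new/, tmp/ and every other mailbox 0700 owned by the user. The group name net-mail comes from the thread; the function names, the use of GNU `stat -c %a`, and the expected modes as an audit policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Policy audited here (David's layout):
#   ~/.maildir            0750 user:net-mail, no setgid  (group needs only r-x)
#   ~/.maildir/{cur,new,tmp} and other mailboxes  0700 user:user
# Group name is a placeholder; use the group your MDA/IMAP daemons run as.
MAIL_GROUP="${MAIL_GROUP:-net-mail}"

# mode_of PATH -> octal permission bits, e.g. 750, or 2750 when setgid is set
# (GNU coreutils stat assumed).
mode_of() { stat -c '%a' "$1"; }

# setup_maildir DIR GROUP: create the tree according to the policy above.
setup_maildir() {
    dir=$1; grp=$2
    mkdir -p "$dir/cur" "$dir/new" "$dir/tmp"
    chmod 0750 "$dir"                          # group may enter/list, not write
    chgrp "$grp" "$dir" 2>/dev/null || true    # skipped if not a member of GROUP
    chmod 0700 "$dir/cur" "$dir/new" "$dir/tmp"
}

# audit_maildir DIR: return 0 if the tree matches the policy, 1 otherwise,
# printing one line per violation.
audit_maildir() {
    dir=$1; rc=0
    top=$(mode_of "$dir")
    case "$top" in
        750)  ;;
        2750) echo "$dir: setgid set; new files would inherit the group"; rc=1 ;;
        *)    echo "$dir: mode $top, expected 750"; rc=1 ;;
    esac
    # Every directory below the top level (INBOX parts and other mailboxes)
    # must be private to the user.
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        m=$(mode_of "$sub")
        [ "$m" = "700" ] || { echo "$sub: mode $m, expected 700"; rc=1; }
    done
    return $rc
}

# Usage: setup_maildir "$HOME/.maildir" "$MAIL_GROUP" && audit_maildir "$HOME/.maildir"
```

Running `audit_maildir` after Dovecot has touched the tree is a quick way to see whether anything changed the top-level bits or created mailboxes with group access that the policy did not grant.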