[Dovecot] Question re: filesystem permissions
Hi all,
I want to make sure the filesystem permissions are correct/optimal and as secure as possible.
This is a virtual hosting setup only (no system users), and dovecot is currently running in high performance mode (I'm thinking I want to change that too, so wondering if that would affect the permissions)...
/var/vmail (and everything under it) is owned by vmail:vmail.
Current permissions are:
/var/vmail 755
/var/vmail/example1.com 777
/var/vmail/example2.com 777
/var/vmail/example1.com/user1 755 (all other user home dirs are the same)
/var/vmail/example1.com/user1/Maildir 700 (all other user Maildirs and all subdirs are the same)
All files are 600, with the exception of the dovecot-uidvalidity.blahblah files, which are 444
So... is this right? Anything need to be changed?
Thanks,
--
Best regards,
Charles
- Charles Marcus CMarcus@Media-Brokers.com 2014.01.06 21:23:
Hi Charles,
/var/vmail/example1.com 777
$ ls -al /var/vmail/domains/leuxner.net/
drwx--S--- 4 vmail vmail 4096 Sep 8 18:22 tlx
Suffices to have rwx for the 'vmail' user only IMHO. Note the setgid bit (2700) inheriting the group 'vmail' across dirs.
Regards Thomas
On 2014-01-07 8:42 AM, Thomas Leuxner tlx@leuxner.net wrote:
- Charles Marcus CMarcus@Media-Brokers.com 2014.01.06 21:23:
Hi Charles,
/var/vmail/example1.com 777
$ ls -al /var/vmail/domains/leuxner.net/
drwx--S--- 4 vmail vmail 4096 Sep 8 18:22 tlx
Suffices to have rwx for the 'vmail' user only IMHO. Note the setgid bit (2700) inheriting the group 'vmail' across dirs.
Ok, thanks Thomas... but I'm really looking for what Timo says is the correct and proper permissions for a virtual setup like this.
I also really think this should be fully documented on the wiki...
--
Best regards,
Charles
- Charles Marcus CMarcus@Media-Brokers.com 2014.01.07 15:05:
Ok, thanks Thomas... but I'm really looking for what Timo says is the correct and proper permissions for a virtual setup like this.
I suggest you don't start posts 'Hi all' then going forward. Anyway, this has been the default for Dovecot for quite some time, so I reckon someone gave it a thought...
On 2014-01-07 9:30 AM, Thomas Leuxner tlx@leuxner.net wrote:
- Charles Marcus CMarcus@Media-Brokers.com 2014.01.07 15:05:
Ok, thanks Thomas... but I'm really looking for what Timo says is the correct and proper permissions for a virtual setup like this.
I suggest you don't start posts 'Hi all' then going forward.
Well, that wasn't really necessary was it? This isn't my personal support line to Timo, it is a mail list.
When I said 'what Timo says', I was actually hoping this was already documented somewhere and someone else (without having to bother Timo) could point me to the wiki page where this is laid out.
I just don't want to take some $random_user's word for it, if you understand my meaning... no offense intended.
Anyway, this has been the default for Dovecot for quite some time, so I reckon someone gave it a thought...
*What* is the default? Are you saying all of the permissions I showed are correct except the ones you mentioned?
But most importantly - *where is this documented*???
--
Best regards,
Charles
On 2014-01-07 1:46 PM, Charles Marcus CMarcus@Media-Brokers.com wrote:
Anyway, this has been the default for Dovecot for quite some time, so I reckon someone gave it a thought...
*What* is the default? Are you saying all of the permissions I showed are correct except the ones you mentioned?
But most importantly - *where is this documented*???
For example...
There is this wiki page:
http://wiki2.dovecot.org/MailboxFormat/Maildir
Scroll down to 'Directory Structure' - what dovecot wants/recommends for the filesystem permissions should be addressed right there.
Then you also have:
http://wiki2.dovecot.org/SharedMailboxes/Permissions
As far as I can see, there are only two cases that need to be addressed:
a) If dovecot runs as a single UID (i.e., vmail), or
b) If mail is delivered with each user's UID (I guess the argument is that it is more secure)
The other consideration would be working with Shared Mailboxes, but again, the filesystem permissions should only need to be set one of two ways (depending on a or b above), then dovecot should be able to properly handle everything from there.
In my opinion, this needs to be clarified quite a bit.
Postfix and Mailman both have a utility to fix the filesystem permissions for the dirs they manage. I know they are not dovecot, but the argument is the same. Even without a utility to actually be able to fix the permissions based on the mode dovecot is running in, they should at least be fully documented.
--
Best regards,
Charles
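As an added example (not code from the thread or from the Dovecot project), here is a small POSIX shell helper in the spirit of the Postfix/Mailman permission utilities Charles mentions: it audits a virtual-mail tree for any group/other permission bits and tightens it to Thomas's layout (directories 2700 with the setgid bit, files 600). The sample tree, the file names and the hex suffix are constructed from Charles's listing; exempting dovecot-uidvalidity.* files because Dovecot creates them read-only (444) is an assumption, and ownership (vmail:vmail) is assumed correct and left untouched.

```shell
#!/bin/sh
# Audit/fix helper for a single-UID virtual mail tree (added example).
# Target layout: every directory 2700 (owner rwx, setgid so new subdirs
# inherit the vmail group, nothing for group/other), every file 600.

# Print every directory or regular file under $1 that grants any
# group/other bit (octal 070 or 007), skipping dovecot-uidvalidity.*
# files, which Dovecot creates as 444 (assumption, see lead-in).
# Returns 0 when the tree is clean, 1 when anything was listed.
audit_mail_tree() {
    hits=$(find "$1" ! -name 'dovecot-uidvalidity*' \
        \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Tighten the tree: 2700 on directories, 600 on files (uidvalidity kept).
fix_mail_tree() {
    find "$1" -type d -exec chmod 2700 {} +
    find "$1" -type f ! -name 'dovecot-uidvalidity*' -exec chmod 600 {} +
}

# Number of offending entries under $1, handy for scripted checks.
count_loose() {
    audit_mail_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample tree in a temp dir, mirroring Charles's listing
# (domain dir 777, home dir 755, Maildir 700, mail file 600, uidvalidity 444).
make_sample_tree() {
    root=$(mktemp -d)
    md="$root/example1.com/user1/Maildir"
    mkdir -p "$md/cur"
    chmod 755 "$root" "$root/example1.com/user1"
    chmod 777 "$root/example1.com"
    chmod 700 "$md" "$md/cur"
    : > "$md/cur/msg1"; chmod 600 "$md/cur/msg1"
    : > "$md/dovecot-uidvalidity.52cd4d4d"   # constructed hex suffix
    chmod 444 "$md/dovecot-uidvalidity.52cd4d4d"
    printf '%s\n' "$root"
}

# Demo on the constructed tree only, never on a real /var/vmail.
sample=$(make_sample_tree)
audit_mail_tree "$sample" || echo "loose permissions found, tightening"
fix_mail_tree "$sample"
audit_mail_tree "$sample" && echo "tree is clean"
rm -rf "$sample"
```

Running it against a real tree means calling audit_mail_tree /var/vmail first and only then fix_mail_tree, after confirming the listed entries are the ones you expect.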
On Wed, 8 Jan 2014, Charles Marcus wrote:
On 2014-01-07 1:46 PM, Charles Marcus CMarcus@Media-Brokers.com wrote:
Anyway, this has been the default for Dovecot for quite some time, so I reckon someone gave it a thought...
*What* is the default? Are you saying all of the permissions I showed are correct except the ones you mentioned?
But most importantly - *where is this documented*???
When I read your message, I thought about it. But: Dovecot supports virtual and system users, there are POSIX ACLs a.s.o. There are several message storage backends. Each combination might have other "least permissions" or required ones. You can split the files across various file systems, by domain, by users, ... .
I think, one can document a "rule of thumb" for some default installations, say virtual users with Maildir with indexes and control files in the same place, ... . Maybe to document the permissions for each mail storage is a great step already.
In the end, there is just one rule: the uid/gid Dovecot runs under when accessing the files must be able to do so. Timo did a great job logging _descriptive_ messages about which permission is missing for which file. If you want to get the least permissions for your particular situation, you'll need to remove all permissions, perform any action your users are able to do, watch the log file, and add the missing ones.
Kind regards,
Steffen Kaiser