[Dovecot] Re : Permission denied
Hello Timo,
I'm using linux Fedora Core 2. The permissions are : drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/
These permissions are made by the command chmod a+rwxt /var/spool/mail.
So if someone wants to erase the /var/spool/mail directory, it's possible unfortunately.
If there are these permissions the user can receive his mails but it's dangerous I think. And if I modify the dovecot.conf file : mail_extra_groups = mail and if the permissions are the initial permission, and if I enter chmod +t /var/spool/mail the user can't receive his mail.
Thanks
Frederic
On Fri, 2004-07-09 at 17:20, Frédéric Sapin wrote:
If there are these permissions the user can receive his mails but it's dangerous I think. And if I modify the dovecot.conf file : mail_extra_groups = mail and if the permissions are the initial permission, and if I enter chmod +t /var/spool/mail the user can't receive his mail.
What are the initial permissions? Does mail group have write rights? It should work then, and it did last time I tried. The +t isn't needed with mail_extra_groups=mail, but it gives some extra safety.
On Fri, 2004-07-09 at 17:20, Frédéric Sapin wrote:
If there are these permissions the user can receive his mails but it's dangerous I think. And if I modify the dovecot.conf file : mail_extra_groups = mail and if the permissions are the initial permission, and if I enter chmod +t /var/spool/mail the user can't receive his mail.
What are the initial permissions? Does mail group have write rights? It should work then, and it did last time I tried. The +t isn't needed with mail_extra_groups=mail, but it gives some extra safety.
Initial permissions are rwxrwxr-x root mail. So mail group has right permission. I have not tried with rwxrwxr-t permission. I will try and I will get back to you. Excuse me for this question but what represents the t exactly ?
Thanks a lot
Frederic
On Fri, 2004-07-09 at 09:15, Frédéric Sapin wrote:
I have not tried with rwxrwxr-t permission. I will try and I will get back to you. Excuse me for this question but what represents the t exactly ?
From chmod(1)
The letters `rwxXstugo' select the new permissions for the
affected users: read (r), write (w), execute (or access
for directories) (x), execute only if the file is a directory
or already has execute permission for some user (X),
set user or group ID on execution (s), sticky (t), the
permissions that the user who owns the file currently has
for it (u), the permissions that other users in the file's
group have for it (g), and the permissions that other
users not in the file's group have for it (o).
So, you may want to look for information about sticky bits.
Regards,
-Mauricio
On Fri, 2004-07-09 at 17:20, Frédéric Sapin wrote:
I'm using linux Fedora Core 2. The permissions are : drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/
These permissions are made by the command chmod a+rwxt /var/spool/mail.
So if someone wants to erase the /var/spool/mail directory, it's possible unfortunately.
And deleting other people's mail isn't actually possible then. That's why there's the +t sticky bit. It's the same as in /tmp directory. Users can only create files and delete their own files, but can't delete files created by others.
On Fri, 2004-07-09 at 17:20, Frédéric Sapin wrote:
I'm using linux Fedora Core 2. The permissions are : drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/
These permissions are made by the command chmod a+rwxt /var/spool/mail.
So if someone wants to erase the /var/spool/mail directory, it's possible unfortunately.
And deleting other people's mail isn't actually possible then. That's why there's the +t sticky bit. It's the same as in /tmp directory. Users can only create files and delete their own files, but can't delete files created by others.
Ok it's working with permissions : rwxrwxr-T root mail /var/spool/mail
So like that I think it's enough security. I don't understand the line : mail_extra_groups = mail If I remove mail is it working ?
Thanks
Frederic
On Fri, 9 Jul 2004, Frédéric Sapin wrote:
I'm using linux Fedora Core 2. The permissions are : drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/
These permissions are made by the command chmod a+rwxt /var/spool/mail.
So if someone wants to erase the /var/spool/mail directory, it's possible unfortunately.
No. User would need a writable /var/spool to delete the "mail"
directory.
See other comments about (lack of) ability to delete files within that directory.
-- Charlie
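The directory modes compared in this thread (1777, the original 775, and the final rwxrwxr-T), as an added example that is not part of any message: it reads the mode bits of a spool directory and of its parent and reports who can delete or rename entries in each. It assumes GNU stat; `dir_mode`, `entry_verdict` and `audit_spool` are hypothetical helper names, and the scratch directories are constructed stand-ins for /var/spool and /var/spool/mail.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat; helper names are hypothetical.

# Print a directory's permission bits in octal, e.g. 1777.
dir_mode() { stat -c '%a' "$1"; }

# Print one verdict on who may delete or rename entries inside directory $1.
entry_verdict() {
    o=$(dir_mode "$1")
    m=$(( 0$o ))                      # leading 0 makes the shell read it as octal
    if [ $(( m & 0002 )) -ne 0 ] && [ $(( m & 01000 )) -eq 0 ]; then
        echo "UNSAFE: world-writable, no sticky bit; any user can delete any entry"
    elif [ $(( m & 0002 )) -ne 0 ]; then
        echo "STICKY: world-writable like /tmp; only an entry's owner, the directory owner or root can delete it"
    elif [ $(( m & 0020 )) -ne 0 ] && [ $(( m & 01000 )) -eq 0 ]; then
        echo "GROUP: group members can create and delete any entry; others cannot"
    elif [ $(( m & 0020 )) -ne 0 ]; then
        echo "GROUP+STICKY: group members can create entries but delete only their own"
    else
        echo "OWNER: only the directory owner and root can create or delete entries"
    fi
}

# The spool directory is itself an entry in its parent, so the parent's mode
# decides who can remove or rename the directory as a whole.
audit_spool() {
    echo "$1 ($(dir_mode "$1")): $(entry_verdict "$1")"
    parent=$(dirname "$1")
    echo "$parent ($(dir_mode "$parent")): $(entry_verdict "$parent")"
}

# Constructed demo: scratch directories standing in for /var/spool and /var/spool/mail.
demo() {
    base=$(mktemp -d) && mkdir "$base/mail" && chmod 755 "$base"
    for mode in 1777 0777 0775 1775 1774; do   # 1774 is rwxrwxr-T
        chmod "$mode" "$base/mail"
        audit_spool "$base/mail"
    done
    rm -rf "$base"
}
demo
```
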
participants (4): Charlie Brady, Frédéric Sapin, Mauricio Araya V., Timo Sirainen