[Dovecot] Dovecot allows creation of folders outside of a user's directory
Hi,
in our dovecot 2.0 setup with shared folders, users can make dovecot create directories outside their mail directory. Which is a bit scary imho.
The following command:
. create inbox.shared.abc123
or even
. create "inbox.shared.strange &ANY- characters"
-- even though it will fail with a "permission denied" error -- will create a directory like "/mail/users/strange &ANY- characters". That directory will only contain a subdirectory "Maildir" and therein dovecot-acl-list.
I think basically the reason for this behaviour is that Dovecot checks whether the directory has enough ACLs for the user to access it, and auto-creates the directory in the process. Is there way to avoid this auto-creation - or maybe a way to make Dovecot check whether the directory name is an existing username?
Here's a config to reproduce this:
# 2.0.19: /usr/local/dovecot/etc/dovecot/dovecot.conf # OS: Linux 2.6.32-35-server x86_64 Ubuntu 10.04.4 LTS auth_username_format = %Ln disable_plaintext_auth = no mail_gid = vmail mail_home = /mail/users/%u mail_location = maildir:~/Maildir mail_plugins = " acl" mail_uid = vmail maildir_very_dirty_syncs = yes namespace default { inbox = yes location = prefix = INBOX. separator = . type = private } namespace sharedns { inbox = no list = children location = maildir:/mail/users/%%u/Maildir prefix = INBOX.shared.%%u. separator = . subscriptions = no type = shared } passdb { args = /usr/local/dovecot/etc/dovecot/users driver = passwd-file } plugin { acl = vfile:/usr/local/dovecot/etc/dovecot/global-acls:cache_secs=300 acl_shared_dict = file:/mail/vmail/shared-mailboxes.db } service auth { unix_listener auth-userdb { group = vmail mode = 0660 } } ssl_cert =
Content of the "users" file looks like this:
user1:{plain}(hidden):::user1:/mail/users/user1:: user2:{plain}(hidden):::user2:/mail/users/user2:: testuser:{plain}(hidden):::testuser:/mail/users/testuser::
Cheers, Christoph
-- Christoph Bußenius Rechnerbetriebsgruppe der Fakultäten Informatik und Mathematik Technische Universität München +49 89-289-18519 <> Raum 00.05.055 <> Boltzmannstr. 3 <> Garching
On 30.3.2012, at 14.37, Christoph Bußenius wrote:
in our dovecot 2.0 setup with shared folders, users can make dovecot create directories outside their mail directory. Which is a bit scary imho.
The following command:
. create inbox.shared.abc123
or even
. create "inbox.shared.strange &ANY- characters"
-- even though it will fail with a "permission denied" error -- will create a directory like "/mail/users/strange &ANY- characters". That directory will only contain a subdirectory "Maildir" and therein dovecot-acl-list.
On 04.04.2012 03:35, Timo Sirainen wrote:
On 30.3.2012, at 14.37, Christoph Bußenius wrote:
-- even though it will fail with a "permission denied" error -- will create a directory like "/mail/users/strange&ANY- characters". That directory will only contain a subdirectory "Maildir" and therein dovecot-acl-list.
Thanks, this fixed it. By the way, your tireless work on Dovecot is amazing :)
-- Christoph Bußenius Rechnerbetriebsgruppe der Fakultäten Informatik und Mathematik Technische Universität München +49 89-289-18519 <> Raum 00.05.055 <> Boltzmannstr. 3 <> Garching
participants (2)
-
Christoph Bußenius
-
Timo Sirainen