[Dovecot] /var/mail/<user> and mail group privileges
Hi Timo,
I'm facing a problem with mail group privileges (again), because I've heard a few complaints. I was looking at old emails and list archives, but still do not know the answer. In the default (Fedora/RHEL) setup, the mail group and 0660 privileges are used. This means that when mail_location = mbox:~/mail:INBOX=/var/mail/%u is used, Dovecot fails on the first (and only the first) attempt to select the inbox (IMAP) or log in (POP3).
Shouldn't mkdir and chown together make a transaction? When it fails just the first time, it confuses some admins (this is the reason why I'm getting complaints (bug reports) just because of a missing/wrong configuration). I think it a) should work even for the first connection (ignore the chown failure) or b) it should not work for following connections, so the behavior should be more consistent.
Also, it seems unclear which configuration option is required to make this work in new Dovecot versions, where the configuration is split into mail_privileged_group and mail_access_groups. I see that after reading the documentation in 10-mail.conf, some admins expect mail_privileged_group to be enough, while mail_access_groups is required to prevent the fchown failure. Would it be possible to explicitly mention in the config file which option is required? I can add a patch with this to our rpm, but we always prefer to be as close to upstream as possible. Thanks
Michal
On 3.1.2011, at 19.15, Michal Hlavinka wrote:
> I'm facing a problem with mail group privileges (again), because I've heard a few complaints. I was looking at old emails and list archives, but still do not know the answer. In the default (Fedora/RHEL) setup, the mail group and 0660 privileges are used.
I still think this is the main problem. Mailboxes should be 0600. There's no reason why they should be 0660. There are very close to zero (if not zero) installations where 0660 makes any sense. It's just an extra potential security problem.
> Shouldn't mkdir and chown together make a transaction? When it fails just the first time, it confuses some admins (this is the reason why I'm getting complaints (bug reports) just because of a missing/wrong configuration). I think it a) should work even for the first connection (ignore the chown failure) or b) it should not work for following connections, so the behavior should be more consistent.
Sounds reasonable, yes. (Not sure which one, a or b.) I should probably do something about it, but it's still about how to handle an error condition, so not a hugely important thing.
> Also, it seems unclear which configuration option is required to make this work in new Dovecot versions, where the configuration is split into mail_privileged_group and mail_access_groups. I see that after reading the documentation in 10-mail.conf, some admins expect mail_privileged_group to be enough, while mail_access_groups is required to prevent the fchown failure. Would it be possible to explicitly mention in the config file which option is required? I can add a patch with this to our rpm, but we always prefer to be as close to upstream as possible. Thanks
mail_privileged_group affects only the .lock file creation, so only mail_access_groups can help here. But I don't think that should be necessary either.
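An added example, not part of the thread and not Dovecot's own tooling: a small audit of an mbox spool such as /var/mail that lists mailboxes whose mode grants anything beyond the 0600 recommended in the reply above. The function name `audit_spool` is hypothetical, and GNU `stat` (as shipped on Fedora/RHEL) is assumed.

```shell
#!/bin/sh
# Added example: report mbox files that are more permissive than 0600.
# Assumes GNU stat (coreutils). audit_spool is a hypothetical helper name.
# Output: one line per finding, "<mailbox> <mode> group=<group> <reason>".

audit_spool() {
    spool=${1:-/var/mail}
    for f in "$spool"/*; do
        name=${f##*/}
        # <user>.lock files are dotlocks, not mailboxes.
        case $name in *.lock) continue ;; esac
        # A symlink in the spool is reported rather than followed.
        if [ -L "$f" ]; then
            printf '%s - group=- symlink\n' "$name"
            continue
        fi
        [ -f "$f" ] || continue

        mode=$(stat -c '%a' "$f")    # octal mode, e.g. 660
        group=$(stat -c '%G' "$f")   # owning group, e.g. mail

        # Keep only the group and other permission bits.
        bits=$(( 0$mode & 077 ))
        [ "$bits" -eq 0 ] && continue   # 0600 or stricter: nothing to report

        if [ $(( bits & 007 )) -ne 0 ]; then
            why=other-access       # readable or writable by everyone
        elif [ $(( bits & 020 )) -ne 0 ]; then
            why=group-writable     # the 0660 case discussed in the thread
        else
            why=group-readable
        fi
        printf '%s %s group=%s %s\n' "$name" "$mode" "$group" "$why"
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_spool "$1"
fi
```

An empty result means every mailbox in the spool is 0600 or stricter, in which case neither group setting is needed for access to the mailbox files themselves.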
On Tuesday, January 04, 2011 00:47:16 Timo Sirainen wrote:
> On 3.1.2011, at 19.15, Michal Hlavinka wrote:
> > Shouldn't mkdir and chown together make a transaction? When it fails just the first time, it confuses some admins (this is the reason why I'm getting complaints (bug reports) just because of a missing/wrong configuration). I think it a) should work even for the first connection (ignore the chown failure) or b) it should not work for following connections, so the behavior should be more consistent.
> Sounds reasonable, yes. (Not sure which one, a or b.) I should probably do something about it, but it's still about how to handle an error condition, so not a hugely important thing.
I think a) is better for lazy admins, but b) is more correct, because otherwise it's (a little bit) harder to find out about this error - having wrong permissions in situations when the group is really required.
On Mon, 2011-01-10 at 14:08 +0100, Michal Hlavinka wrote:
> On Tuesday, January 04, 2011 00:47:16 Timo Sirainen wrote:
> > On 3.1.2011, at 19.15, Michal Hlavinka wrote:
> > > Shouldn't mkdir and chown together make a transaction? When it fails just the first time, it confuses some admins (this is the reason why I'm getting complaints (bug reports) just because of a missing/wrong configuration). I think it a) should work even for the first connection (ignore the chown failure) or b) it should not work for following connections, so the behavior should be more consistent.
> I think a) is better for lazy admins, but b) is more correct, because otherwise it's (a little bit) harder to find out about this error - having wrong permissions in situations when the group is really required.
I implemented a) a while ago.
On Thursday 10 of February 2011 02:54:39 Timo Sirainen wrote:
> On Mon, 2011-01-10 at 14:08 +0100, Michal Hlavinka wrote:
> > On Tuesday, January 04, 2011 00:47:16 Timo Sirainen wrote:
> > > On 3.1.2011, at 19.15, Michal Hlavinka wrote:
> > > > Shouldn't mkdir and chown together make a transaction? When it fails just the first time, it confuses some admins (this is the reason why I'm getting complaints (bug reports) just because of a missing/wrong configuration). I think it a) should work even for the first connection (ignore the chown failure) or b) it should not work for following connections, so the behavior should be more consistent.
> > I think a) is better for lazy admins, but b) is more correct, because otherwise it's (a little bit) harder to find out about this error - having wrong permissions in situations when the group is really required.
> I implemented a) a while ago.
Yes, I've noticed it. Thanks
Participants (2): Michal Hlavinka, Timo Sirainen