[Dovecot] Umask of Homedir
Hello,
I am following the instructions at: http://wiki2.dovecot.org/SharedMailboxes/Permissions
When the user receives the first mail, Dovecot always creates the directory structure using mode 0700. If I change the permissions of the user's maildir, all new mails that arrive get the correct umask: dovecot: lmtp(24960, *): Debug: Namespace INBOX.: Using permissions from .../maildir: mode=0770
The problem is: I need all accounts to have permission 0770. I tried to use the option mail_access_groups, but it doesn't work at all for the first creation of the user path.
"For example a simple way to set up shared mailbox access for all system users is to make all mail dirs/files 0770/0660 mode and owned by group "sharedmail" and then set mail_access_groups=sharedmail. Using more fine grained groups of course leaks less mail data in case there's a security hole in Dovecot"
Is this a bug?
My Dovecot version:
doveconf -n
# 2.0.12 (811a6d173bb2): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.1
Access groups: mail_access_groups = _sysadms
Thanks, and sorry for my bad English.
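The wiki text quoted above describes the layout a shared setup needs (directories 0770, files 0660, everything in one shared group) but gives no way to see how far an existing mail root is from it. As an added example, my own code rather than anything from the thread or the Dovecot wiki, the following Python audits a mail root against that layout and lists every entry that deviates, which is what has to be fixed before mail_access_groups can be expected to give the group access. The sample Maildir fragment it builds in a temporary directory, the message file names and the function names are assumptions of the example.

```python
import os
import stat
import tempfile

SHARED_DIR_MODE = 0o770   # rwxrwx--- : group members may enter and create
SHARED_FILE_MODE = 0o660  # rw-rw---- : group members may read and flag mail


def audit_mail_root(root, shared_gid, dir_mode=SHARED_DIR_MODE,
                    file_mode=SHARED_FILE_MODE):
    """Walk root and return a sorted list of (relative path, reason) for
    every directory or regular file that is not owned by shared_gid, lacks
    a bit the shared layout needs, or carries extra bits (typically world
    access, which leaks mail to every local user). Symlinks are skipped."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            want = dir_mode if is_dir else file_mode
            have = stat.S_IMODE(st.st_mode) & 0o777
            if st.st_gid != shared_gid:
                problems.append((rel, "gid %d, expected %d" % (st.st_gid, shared_gid)))
            missing = want & ~have
            if missing:
                problems.append((rel, "mode %04o lacks %04o" % (have, missing)))
            extra = have & ~want
            if extra:
                problems.append((rel, "mode %04o has extra bits %04o" % (have, extra)))
    return sorted(problems)


def build_sample_tree(base):
    """Constructed Maildir fragment for the demo (not real mail): one folder
    left at Dovecot's private defaults 0700/0600, one already shared, and
    one message made world-readable by mistake."""
    maildir = os.path.join(base, "maildir")
    os.mkdir(maildir)
    os.chmod(maildir, 0o770)
    dirs = {"cur": 0o700, "new": 0o770}
    files = {
        "cur/1303310000.M1.host:2,S": 0o600,
        "new/1303310001.M2.host": 0o660,
        "new/1303310002.M3.host": 0o664,
    }
    for rel, mode in dirs.items():
        path = os.path.join(maildir, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(maildir, rel)
        with open(path, "w") as fh:
            fh.write("Subject: constructed sample\n\nbody\n")
        os.chmod(path, mode)
    return maildir


def demo():
    """Build the sample tree in a temporary directory, audit it against the
    tree's own group (the group the shared setup would use), and return
    the findings."""
    with tempfile.TemporaryDirectory() as base:
        maildir = build_sample_tree(base)
        return audit_mail_root(maildir, os.stat(maildir).st_gid)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%-32s %s" % (rel, reason))
```

Run against a real tree as audit_mail_root("/storage/.../maildir", grp.getgrnam("_sysadms").gr_gid); the findings map directly onto the chmod/chgrp calls needed, and the "extra bits" entries are the ones worth fixing first, because a world-readable message is readable by every local account, not just the shared group.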
On Fri, 2011-04-15 at 12:43 -0300, Francisco Wagner C. Freire wrote:
The problem is: I need all accounts to have permission 0770. I tried to use the option mail_access_groups, but it doesn't work at all for the first creation of the user path.
This setting only gives the process access to extra groups. It doesn't change any behavior.
"For example a simple way to set up shared mailbox access for all system users is to make all mail dirs/files 0770/0660 mode and owned by group "sharedmail" and then set mail_access_groups=sharedmail. Using more fine grained groups of course leaks less mail data in case there's a security hole in Dovecot"
This doesn't talk about the initial maildir creation, only what happens with existing ones.
doveconf -n
You left out a bit too much. What is your mail_location? There may be an easy solution for this.
Hi, thanks for the response. This is my setup:
# 2.0.12 (811a6d173bb2): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.1
auth_cache_negative_ttl = 10 mins
auth_cache_size = 10 M
default_client_limit = 2048
default_process_limit = 500
dict {
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_uid = 50
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Welcome to mydomain
mail_access_groups = _sysadms
mail_debug = yes
mail_fsync = always
mail_location = maildir:%h/maildir:INDEX=%h/cache
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/conf.d/mydomain/passdb-master.conf
  driver = sql
}
plugin {
  quota = dict:User quota::proxy::quota
  quota_rule = *:storage=2G
  quota_rule2 = INBOX:messages=+50000
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/
  sieve_dir = ~/sieve
}
postmaster_address = account@mydomain
protocols = " lmtp sieve"
service auth-worker {
  process_limit = 1024
  process_min_avail = 100
}
service dict {
  unix_listener dict {
    group = _sysadms
    mode = 0660
  }
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  process_min_avail = 100
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /etc/dovecot/conf.d/mydomain/userdb.conf
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = " quota sieve"
}
protocol imap {
  mail_plugins = " quota imap_quota"
}
My group _sysadmins contains all operations users, and they all need to enter and be able to do anything in the home directories without root access. Looking at the source code, I applied this patch to test
and all going fine: Index: dovecot-2.0.12/src/lib-storage/mailbox-list.c =================================================================== --- dovecot-2.0.12.orig/src/lib-storage/mailbox-list.c 2011-04-15 12:48:40.000000000 -0300 +++ dovecot-2.0.12/src/lib-storage/mailbox-list.c 2011-04-15 12:51:13.000000000 -0300 @@ -420,8 +420,8 @@ struct stat st; /* use safe defaults */ - *file_mode_r = 0600; - *dir_mode_r = 0700; + *file_mode_r = 0660; + *dir_mode_r = 0770; *gid_r = (gid_t)-1; *gid_origin_r = "defaults"; @@ -445,8 +445,8 @@ return; } } else { - *file_mode_r = (st.st_mode & 0666) | 0600; - *dir_mode_r = (st.st_mode & 0777) | 0700; + *file_mode_r = (st.st_mode & 0666) | 0660; + *dir_mode_r = (st.st_mode & 0777) | 0770; *gid_origin_r = path; if (!S_ISDIR(st.st_mode)) { But i think this is not the best way. maildir from database is like: */storage/a/ac/domainname/users/account/maildir* On Wed, Apr 20, 2011 at 12:35 PM, Timo Sirainen <tss@iki.fi> wrote:
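Review bot: both hunks hard-code group access rather than making it configurable, and the second one defeats the inheritance it edits: with `*dir_mode_r = (st.st_mode & 0777) | 0770;` a parent that is deliberately 0700 still produces 0770 children, so the "copy permissions from the parent" logic can no longer produce a private tree. In the first hunk the widened "safe defaults" 0660/0770 are returned together with the unchanged `*gid_r = (gid_t)-1;` and `*gid_origin_r = "defaults";`, so the group that gains read/write is whatever group the kernel assigns to the new entry, not a chosen shared group, and every installation built from this source gets group-writable mail by default. Suggest keeping `| 0600` / `| 0700` in the inheriting branch and driving the default mode from a setting (or a per-user userdb field) instead of the hard-coded constants.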
On Fri, 2011-04-15 at 12:43 -0300, Francisco Wagner C. Freire wrote:
The problem is: I need all accounts to have permission 0770. I tried to use the option mail_access_groups, but it doesn't work at all for the first creation of the user path.
This setting only gives the process access to extra groups. It doesn't change any behavior.
"For example a simple way to set up shared mailbox access for all system users is to make all mail dirs/files 0770/0660 mode and owned by group "sharedmail" and then set mail_access_groups=sharedmail. Using more fine grained groups of course leaks less mail data in case there's a security hole in Dovecot"
This doesn't talk about the initial maildir creation, only what happens with existing ones.
doveconf -n
You left out a bit too much. What is your mail_location? There may be an easy solution for this.
On 20.4.2011, at 21.34, Francisco Wagner C. Freire wrote:
mail_location = maildir:%h/maildir:INDEX=%h/cache .. /storage/a/ac/domainname/users/account/maildir
What's the a/ac/ part? Is this if the domain begins with ac? Dovecot v2.0 has this "smart" logic where if you set e.g.:
mail_location = maildir:/storage/%1d/%2d/%d/users/%n/maildir:INDEX=%h/cache
Then if the domainname directory (or first of the existing parent dirs) has 02770 permissions, they are copied to the directories created under it.
The a/ac part is generated from the md5 of the domain name; I want to change it to the hash modifier according to: http://wiki2.dovecot.org/Variables. This is my next step :) because this is my new installation profile.
Using 02770 on the parent, Dovecot creates the homedir with this permission:
drwx--S--- 3 50 _sysadms 3 Apr 20 15:55 cb
A member of the _sysadms group can't access it:
id -> uid=450010(_freire) gid=450000(_sysadms) groups=450000(_sysadms)
cd cb
-su: cd: cb: Permission denied
On Wed, Apr 20, 2011 at 3:41 PM, Timo Sirainen <tss@iki.fi> wrote:
On 20.4.2011, at 21.34, Francisco Wagner C. Freire wrote:
mail_location = maildir:%h/maildir:INDEX=%h/cache .. /storage/a/ac/domainname/users/account/maildir
What's the a/ac/ part? Is this if the domain begins with ac? Dovecot v2.0 has this "smart" logic where if you set e.g.:
mail_location = maildir:/storage/%1d/%2d/%d/users/%n/maildir:INDEX=%h/cache
Then if the domainname directory (or first of the existing parent dirs) has 02770 permissions, they are copied to the directories created under it.
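The drwx--S--- directory reported above comes from two mechanisms acting at once: the mode Dovecot asks for (when no parent directory is consulted it uses the safe defaults 0600/0700; when one is, the masks visible in the patch earlier in the thread keep the parent's permission bits and force owner rw/rwx) and the kernel's setgid inheritance on mkdir, which copies the parent's setgid bit and group to the new directory but adds no permission bits. As an added example, my own code rather than Dovecot's source, the following Python simulates both steps and, optionally, reproduces the result on a real filesystem. The setgid rule is standard Linux behaviour assumed here rather than stated in the thread, the umask of 0 is an assumption, and the helper names and the temporary ac/cb tree are mine.

```python
import os
import stat
import tempfile


def dovecot_requested_modes(parent_mode=None):
    """Return (file_mode, dir_mode) as derived with the masks quoted in the
    thread's patch: safe defaults when no parent is consulted, otherwise the
    parent's permission bits with owner rw / rwx forced. Only permission
    bits are produced; the parent's setgid bit is not carried over here,
    the kernel does that (see effective_mkdir_mode)."""
    if parent_mode is None:
        return 0o600, 0o700
    return (parent_mode & 0o666) | 0o600, (parent_mode & 0o777) | 0o700


def effective_mkdir_mode(requested, parent_mode, umask=0o000):
    """Assumed Linux mkdir(2) behaviour: permission bits are the request
    minus the umask, and a setgid parent passes its setgid bit (and group)
    to the new directory. The umask default of 0 is an assumption."""
    mode = requested & ~umask & 0o777
    if parent_mode & stat.S_ISGID:
        mode |= stat.S_ISGID
    return mode


def ls_mode_string(mode, is_dir=True):
    """Format a mode the way ls -l prints it, e.g. 0o2700 -> 'drwx--S---'.
    A capital S means setgid is set without group execute."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | mode)


def group_can_enter(dir_mode):
    """A group member needs the group execute bit to cd into a directory;
    the setgid bit alone grants nothing."""
    return bool(dir_mode & stat.S_IXGRP)


def reproduce_on_filesystem():
    """Create a 02770 parent 'ac' and ask for a 0700 child 'cb' in a
    temporary tree and return the child's mode as ls would print it.
    Needs a Linux filesystem that honours setgid on directories; no root."""
    with tempfile.TemporaryDirectory() as root:
        parent = os.path.join(root, "ac")
        os.mkdir(parent, 0o770)
        os.chmod(parent, 0o2770)
        child = os.path.join(parent, "cb")
        old_umask = os.umask(0)
        try:
            os.mkdir(child, 0o700)
        finally:
            os.umask(old_umask)
        return stat.filemode(os.stat(child).st_mode)


if __name__ == "__main__":
    setgid_parent = 0o2770
    plain_parent = 0o770
    cases = (
        ("defaults under 02770 parent", dovecot_requested_modes()[1], setgid_parent),
        ("inherited from 02770 parent", dovecot_requested_modes(setgid_parent)[1], setgid_parent),
        ("defaults under 0770 parent", dovecot_requested_modes()[1], plain_parent),
    )
    for label, req, parent in cases:
        eff = effective_mkdir_mode(req, parent)
        print("%-30s request %04o -> %s  group can enter: %s"
              % (label, req, ls_mode_string(eff), group_can_enter(eff)))
    print("real filesystem:", reproduce_on_filesystem())
```

With the 02770 parent and Dovecot's default request of 0700 the result is 02700, printed as drwx--S---: the group and setgid bit are inherited, the group permission bits are not, so a _sysadms member still cannot enter. The same parent with a request derived from it gives drwxrws---, and a 0770 parent without setgid combined with the defaults gives plain drwx------, which matches the later report in this thread where /dovecot was drwxrwx--- and the new directory under it came out 0700.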
Changing the parent dir doesn't do anything if mail_location isn't also changed. It doesn't work with %h/maildir. (I can't really remember why I decided to do it this way. Should document it somewhere with reasons. :)
On 20.4.2011, at 21.59, Francisco Wagner C. Freire wrote:
The a/ac part is generated from the md5 of the domain name; I want to change it to the hash modifier according to: http://wiki2.dovecot.org/Variables. This is my next step :) because this is my new installation profile.
Using 02770 on the parent, Dovecot creates the homedir with this permission:
drwx--S--- 3 50 _sysadms 3 Apr 20 15:55 cb
A member of the _sysadms group can't access it:
id -> uid=450010(_freire) gid=450000(_sysadms) groups=450000(_sysadms)
cd cb
-su: cd: cb: Permission denied
Still the same :(
Changed the mail_location to: mail_location = maildir:/dovecot/%1d/%2d/%d/users/%n/maildir
But the homedir still uses the same umask:
pwd -> /dovecot
drwx------ 3 50 _sysadms 4.0K Apr 20 16:43 s
On Wed, Apr 20, 2011 at 4:20 PM, Timo Sirainen <tss@iki.fi> wrote:
Changing the parent dir doesn't do anything if mail_location isn't also changed. It doesn't work with %h/maildir. (I can't really remember why I decided to do it this way. Should document it somewhere with reasons. :)
The parent permissions:
ls -lahd /dovecot/
drwxrwx--- 3 50 _sysadms 4.0K Apr 20 16:43 /dovecot/
On Wed, Apr 20, 2011 at 4:45 PM, Francisco Wagner C. Freire < wgrcunha@gmail.com> wrote:
Still the same :(
Changed the mail_location to: mail_location = maildir:/dovecot/%1d/%2d/%d/users/%n/maildir
But the homedir still uses the same umask:
pwd -> /dovecot
drwx------ 3 50 _sysadms 4.0K Apr 20 16:43 s
participants (2)
- Francisco Wagner C. Freire
- Timo Sirainen