[Dovecot] Umask of Homedir
Hello,
I followed the instructions at: http://wiki2.dovecot.org/SharedMailboxes/Permissions
When the user receives the first mail, Dovecot always creates the directory structure using mode 0700. If I change the permissions of the user's maildir, all new mail that arrives gets the correct umask: dovecot: lmtp(24960, *): Debug: Namespace INBOX.: Using permissions from .../maildir: mode=0770
The problem is: I need all accounts to have permission 0770. I tried the option mail_access_groups, but it doesn't work at all for the initial creation of the user path.
"For example a simple way to set up shared mailbox access for all system users is to make all mail dirs/files 0770/0660 mode and owned by group "sharedmail" and then set mail_access_groups=sharedmail. Using more fine grained groups of course leaks less mail data in case there's a security hole in Dovecot"
Is this a bug?
My dovecot version:
doveconf -n
2.0.12 (811a6d173bb2): /etc/dovecot/dovecot.conf
OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.1
Access groups: mail_access_groups = _sysadms
Thanks, and sorry for my bad English.
On Fri, 2011-04-15 at 12:43 -0300, Francisco Wagner C. Freire wrote:
This setting only gives the process access to extra groups. It doesn't change any behavior.
This doesn't talk about the initial maildir creation, only what happens with existing ones.
doveconf -n
You left out a bit too much. What is your mail_location? There may be an easy solution for this.
Hi, thanks for the response. This is my setup:
# 2.0.12 (811a6d173bb2): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.1
auth_cache_negative_ttl = 10 mins
auth_cache_size = 10 M
default_client_limit = 2048
default_process_limit = 500
dict {
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_uid = 50
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Welcome to mydomain
mail_access_groups = _sysadms
mail_debug = yes
mail_fsync = always
mail_location = maildir:%h/maildir:INDEX=%h/cache
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/conf.d/mydomain/passdb-master.conf
  driver = sql
}
plugin {
  quota = dict:User quota::proxy::quota
  quota_rule = *:storage=2G
  quota_rule2 = INBOX:messages=+50000
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/
  sieve_dir = ~/sieve
}
postmaster_address = account@mydomain
protocols = " lmtp sieve"
service auth-worker {
  process_limit = 1024
  process_min_avail = 100
}
service dict {
  unix_listener dict {
    group = _sysadms
    mode = 0660
  }
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  process_min_avail = 100
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /etc/dovecot/conf.d/mydomain/userdb.conf
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = " quota sieve"
}
protocol imap {
  mail_plugins = " quota imap_quota"
}
My group _sysadms contains all operations users, and they all need to enter and be able to do anything in the home directories without root access. Looking at the source code, I applied this patch to test
and all going fine: Index: dovecot-2.0.12/src/lib-storage/mailbox-list.c =================================================================== --- dovecot-2.0.12.orig/src/lib-storage/mailbox-list.c 2011-04-15 12:48:40.000000000 -0300 +++ dovecot-2.0.12/src/lib-storage/mailbox-list.c 2011-04-15 12:51:13.000000000 -0300 @@ -420,8 +420,8 @@ struct stat st; /* use safe defaults */ - *file_mode_r = 0600; - *dir_mode_r = 0700; + *file_mode_r = 0660; + *dir_mode_r = 0770; *gid_r = (gid_t)-1; *gid_origin_r = "defaults"; @@ -445,8 +445,8 @@ return; } } else { - *file_mode_r = (st.st_mode & 0666) | 0600; - *dir_mode_r = (st.st_mode & 0777) | 0700; + *file_mode_r = (st.st_mode & 0666) | 0660; + *dir_mode_r = (st.st_mode & 0777) | 0770; *gid_origin_r = path; if (!S_ISDIR(st.st_mode)) { But i think this is not the best way. maildir from database is like: */storage/a/ac/domainname/users/account/maildir* On Wed, Apr 20, 2011 at 12:35 PM, Timo Sirainen <tss@iki.fi> wrote:
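Review bot: hard-coding 0660/0770 in the "use safe defaults" branch of the first hunk makes every newly created mailbox group-accessible on every installation that carries the patch, not just this one, while *gid_r stays at (gid_t)-1, so the group that gains access is whatever effective group the delivering process happens to run with; the same widening then reaches the second hunk, where (st.st_mode & 0777) | 0770 adds group bits even when the existing parent directory is deliberately 0700. For this deployment, putting the wanted mode (the 02770 approach) on the first existing parent directory achieves the same result without touching the defaults; if a default change is really intended, keep 0600/0700 as the fallback and make the wider mode opt-in through a setting that also sets the gid explicitly, and say so in the commit message.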
On 20.4.2011, at 21.34, Francisco Wagner C. Freire wrote:
What's the a/ac/ part? Is this if the domain begins with ac? Dovecot v2.0 has this "smart" logic where if you set e.g.:
mail_location = maildir:/storage/%1d/%2d/%d/users/%n/maildir:INDEX=%h/cache
Then if the domainname directory (or first of the existing parent dirs) has 02770 permissions, they are copied to the directories created under it.
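To show what "copied from the first existing parent" means in practice, here is an added Python model (not Dovecot's code) of the mode derivation visible in the mailbox-list.c hunk quoted earlier in this thread: a new directory gets (parent & 0777) | 0700, a new file (parent & 0666) | 0600, and plain 0700/0600 when no parent exists yet. Copying the gid only when the parent carries the setgid bit is my assumption, matching Timo's 02770 example rather than anything shown on the page; the directory names shared.example and private.example and the temporary tree are constructed for the demo.

```python
"""Model of how a new mail directory's mode follows its first existing parent.

Added example for this thread; it is not Dovecot's own code. The mode
arithmetic mirrors the pre-patch lines in the mailbox-list.c hunk; the
setgid-based gid copy is an assumption matching the 02770 case.
"""
import os
import stat
import tempfile

DEFAULT_FILE_MODE = 0o600   # the "safe defaults" from the hunk
DEFAULT_DIR_MODE = 0o700


def derive_permissions(parent_mode, parent_gid):
    """Return (file_mode, dir_mode, gid) for entries created under a parent.

    parent_mode is the parent's st_mode, or None when no parent exists yet.
    gid is None when nothing should be chown'ed (Dovecot's (gid_t)-1).
    """
    if parent_mode is None:
        return DEFAULT_FILE_MODE, DEFAULT_DIR_MODE, None
    file_mode = (parent_mode & 0o666) | 0o600
    dir_mode = (parent_mode & 0o777) | 0o700
    # Assumption: the group is only propagated from a setgid parent.
    gid = parent_gid if parent_mode & stat.S_ISGID else None
    return file_mode, dir_mode, gid


def first_existing_parent(path):
    """Walk up from path to the nearest directory that already exists."""
    path = os.path.abspath(path)
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:          # reached the filesystem root
            return None
        path = parent
    return path


def plan_creation(path):
    """What a maildir created at `path` would get, and which parent decided it."""
    origin = first_existing_parent(path)
    if origin is None:
        mode, gid = None, None
    else:
        st = os.stat(origin)
        mode, gid = st.st_mode, st.st_gid
    file_mode, dir_mode, new_gid = derive_permissions(mode, gid)
    return {"origin": origin, "file_mode": file_mode,
            "dir_mode": dir_mode, "gid": new_gid}


def create_maildir(path):
    """Create every missing component with the planned dir mode.

    chmod after mkdir so the process umask cannot tighten the result;
    returns the permission bits actually observed on the final directory.
    """
    plan = plan_creation(path)
    missing, p = [], os.path.abspath(path)
    while not os.path.isdir(p):
        missing.append(p)
        p = os.path.dirname(p)
    for d in reversed(missing):
        os.mkdir(d)
        os.chmod(d, plan["dir_mode"])
        if plan["gid"] is not None:
            os.chown(d, -1, plan["gid"])
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def demo():
    """Constructed layout: one domain dir at 02770, one left at 0700."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared.example")
    private = os.path.join(root, "private.example")
    os.mkdir(shared)
    os.chmod(shared, 0o2770)
    os.mkdir(private)
    os.chmod(private, 0o700)
    results = {}
    for name, base in (("shared", shared), ("private", private)):
        target = os.path.join(base, "users", "account", "maildir")
        results[name] = {"planned": plan_creation(target)["dir_mode"],
                         "observed": create_maildir(target)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: planned {r['planned']:o}, observed {r['observed']:o}")
```

The point of the two cases: under the 02770 domain directory every new level comes out 0770, while under a 0700 directory the inherited result is 0700, and if no parent exists at all the fallback is the hard-coded 0700, which is exactly the situation in which changing the defaults in the source looks like the only option.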
The a/ac part is generated from an md5 of the domain name. I want to change it to the hash modifier according to http://wiki2.dovecot.org/Variables; this is my next step :) because this is my new installation profile.
Using 02770 on the parent, Dovecot creates the homedir with these permissions:
drwx--S--- 3 50 _sysadms 3 Apr 20 15:55 cb
A member of the _sysadms group can't access it:
id -> uid=450010(_freire) gid=450000(_sysadms) groups=450000(_sysadms)
cd cb
-su: cd: cb: Permission denied
On Wed, Apr 20, 2011 at 3:41 PM, Timo Sirainen <tss@iki.fi> wrote:
Still the same :(
Changed the mail_location to: mail_location = maildir:/dovecot/%1d/%2d/%d/users/%n/maildir
But the homedir is still using the same umask:
pwd -> /dovecot
drwx------ 3 50 _sysadms 4.0K Apr 20 16:43 s
On Wed, Apr 20, 2011 at 4:20 PM, Timo Sirainen <tss@iki.fi> wrote:
Participants (2): Francisco Wagner C. Freire, Timo Sirainen