Re: [Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
On Thu, 5 Nov 2009, Stewart Dean wrote:
> So you say that the /var/dcindx permissions should be 1777? Not 2777? What
No, not 2777, your "/tmp" is not 2777 either, I guess.
> userid/group should own the directory?
I use root:root.
In fact, because multiple uids (and gids) have to create a directory there, you have to use a tmp-like directory. "1xxx" means the sticky bit, so users may not remove an entry owned by another user. Because root is the owner of /var/dcindex, only two users are able to remove an entry: root and the owning user of the subdir. The user-specific subdirectories should be 0700 or something like that, so the security is OK. DoS is possible by filling the partition completely, but this ability is available in other scenarios as well.
> #2: Under both V1.1 and V1.2, the vast majority of users *can* and have created their index directories, but others can't. How can this be? This shows up as errmsgs like
> Nov 5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Apple Mail To Do) failed: Permission denied
All I can think of is that:
a) the existing subdirs had been created earlier, e.g. by root or migration,
b) those few users use a different group.
IMHO, as soon as you have system users, /var/dcindex must be 1777; the few exceptions, when all users share a single group or when you can pre-create the directories, are the special cases.
BTW: _If_ you use system users and your account name <-> uid relationship can change, you should use a template different from /var/dcindex/%u, e.g. /var/dcindex/%i, because if a new user with a name already used in the past, but with another uid, logs on to the server, that uid cannot access the old /var/dcindex/ahinds tree. The leftover files should not be much of a worry, except perhaps the subscriptions.
Bye,
Steffen Kaiser
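The layout Steffen describes (a tmp-like index root at 1777 root:root, one 0700 subdirectory per user, and a %i template so the entry name is the uid rather than a reusable login name) can be checked mechanically. The script below is an added example written for this page; it is not Dovecot code and not something from the post. The function names (audit_index_root, build_demo_tree, demo), the expected_owner parameter and the sample tree it builds in a temporary directory are all assumptions for the illustration. Ownership by a foreign uid cannot be created without root, so the "stale tree" case is simulated by naming a directory for a uid other than the one that owns it.

```python
# Added example for this thread (not Dovecot code and not from the post above):
# audit a shared index root laid out the way the reply describes, i.e. a
# tmp-like parent that is 1777 root:root so every uid can mkdir its own
# subtree while the sticky bit stops users deleting each other's, with each
# per-user subdir at 0700.  With an index template ending in %i the subdir
# name is the uid, so it can also be compared with the actual owner to catch
# trees left behind by a previous uid that had the same login name.
import os
import shutil
import stat
import tempfile

MY_UID = os.getuid()
STALE_UID = MY_UID + 1      # constructed: stands in for a former owner of a reused login name


def audit_index_root(root, expected_owner=0):
    """Return (path, problem) pairs; an empty list means the layout matches the advice."""
    problems = []
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        return [(root, "not a directory")]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o1777:
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            why = "world-writable without the sticky bit: any user can remove another user's index tree"
        else:
            why = "not every uid can create its own subdir here (mkdir fails with Permission denied)"
        problems.append((root, f"mode {oct(mode)} instead of 0o1777: {why}"))
    if st.st_uid != expected_owner:
        problems.append((root, f"owned by uid {st.st_uid}, expected uid {expected_owner}"))

    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        sub = os.lstat(path)
        if not stat.S_ISDIR(sub.st_mode):
            continue
        submode = stat.S_IMODE(sub.st_mode)
        if submode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((path, f"mode {oct(submode)} is group/world accessible, expected 0o700"))
        # With a %i template the entry name is a uid.  With %u it is a login name and the
        # owner cannot be checked without a passwd lookup, so only all-digit names are compared.
        if name.isdigit() and int(name) != sub.st_uid:
            problems.append((path, f"named for uid {name} but owned by uid {sub.st_uid} (stale tree?)"))
    return problems


def build_demo_tree():
    """Constructed sample tree: one good subdir, one too-open subdir, one named for another uid."""
    root = tempfile.mkdtemp(prefix="dcindx-demo-")
    os.chmod(root, 0o1777)
    for name, mode in ((str(MY_UID), 0o700), ("ahinds", 0o750), (str(STALE_UID), 0o700)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)   # chmod separately so the umask does not interfere
    return root


def flagged_names(problems):
    """Sorted basenames of the entries an audit complained about."""
    return sorted(os.path.basename(path) for path, _ in problems)


def demo():
    """Audit the constructed tree (owned by the current uid rather than root) and clean it up."""
    root = build_demo_tree()
    try:
        return audit_index_root(root, expected_owner=MY_UID)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, problem in demo():
        print(f"{path}: {problem}")
```

Run against a real index root as root with the default expected_owner=0; the demo passes the current uid only because the temporary tree cannot be owned by root without privileges. The 0o750 entry and the directory named for STALE_UID are the two findings on the constructed tree; the 0o700 directory named for the running uid is clean.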