[Dovecot] is this a security issue?

Timo Sirainen tss at iki.fi
Mon Dec 14 00:45:10 EET 2009


On Sun, 2009-12-13 at 14:37 -0800, Tudod Ki wrote:
> if i:
> chmod 777 /var/lib/dovecot /var/lib/dovecot/control /var/lib/dovecot/index
> could that make a security hole?

It's definitely a bad idea anyway. First of all, you shouldn't really
use /var/lib/dovecot/ for users' mail data (or the index/control files).
It's mainly meant for Dovecot's internal state. Use for
example /var/lib/mails/ or something like that.

Then I guess you're making them 0777 because you're using multiple UIDs
and you want Dovecot to be able to create the directories? A bit safer
way to do that would be to set them 01777, i.e. have the +t bit enabled
similar to /tmp directory has.

Maybe even better would be if you made them 01770 and as a group use
something like "dovemail" and set mail_access_groups=dovemail. Then only
Dovecot processes would be able to access those directories. If you're
using deliver this might get more difficult though.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20091213/05c1bdbf/attachment.bin 


More information about the dovecot mailing list