[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Nov 6 13:04:22 EET 2009



On Thu, 5 Nov 2009, Stewart Dean wrote:

> So you say that the /var/dcindx permissions should be 1777?  Not 2777?  What

No, not 2777, your "/tmp" is not 2777 either, I guess.

> userid/group should own the directory?

I use root:root.

In fact, because multiple uids (and gids) have to create a directory
there, you have to use a tmp-like directory. "1xxx" means the sticky bit,
so users may not remove an entry owned by another user. Because root is
owner of /var/dcindex, you have just those two users able to remove: root
and the owning user of the subdir. The user-specific subdirectories should
be 0700 or something like that, so the security is OK. DoS is possible
by filling the partition completely, but this ability is available in
other scenarios as well.

>
> #2:  Under both V1.1 and V1.2, the vast majority of users *can* and have
> created their index directories, but others can't.  How can this be?  This
> shows up as errmsgs like
> Nov  5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Apple Mail To Do) failed: Permission denied

All I can think of is that:

a) the existing subdirs had been created earlier, e.g. by root or migration,

b) those few users use a different group.

IMHO, as soon as you have system users, /var/dcindex must be 1777;
the few exceptions, when all users share a single group or you can
pre-create the directories, are the special cases.

BTW: _If_ you use system users and your account name <-> uid relationship
can change, you should use a template different from /var/dcindex/%u,
e.g. /var/dcindex/%i, because if a new user with a name already used
in the past, but with another uid, logs on to the server, that uid cannot
access the old /var/dcindex/ahinds tree. The leftover files should not
cause much worry, except the subscription perhaps.

Bye,

-- 
Steffen Kaiser

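The layout discussed in this reply (a 1777 root owned by root, 0700 per-user subdirs, and the stale-tree problem when an account name is reused with a new uid) can be checked mechanically. The following audit script is an added example, not code from the thread or from Dovecot; the Entry record, the function names and the sample uids are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """Minimal stat record for one directory entry: name, full st_mode, owner."""
    name: str
    mode: int
    uid: int
    gid: int

def audit_index_root(root: Entry, subdirs: list[Entry], uid_of: dict[str, int]) -> list[str]:
    """Check a shared per-user index root against the layout from the thread: root is
    1777 (sticky, not setgid) so any uid can mkdir its own subdir, and each subdir is
    0700 and owned by the uid its name currently maps to. Empty result = clean."""
    if not stat.S_ISDIR(root.mode):
        return [f"{root.name}: not a directory"]
    findings, perm = [], stat.S_IMODE(root.mode)
    if perm & stat.S_ISGID:
        findings.append(f"{root.name}: setgid (2xxx) set; a tmp-like root wants sticky (1xxx)")
    if not perm & stat.S_ISVTX:
        findings.append(f"{root.name}: sticky bit missing; users could remove each other's trees")
    if (perm & 0o777) != 0o777:
        findings.append(f"{root.name}: mode {perm & 0o777:04o} blocks mkdir for some uid/gid")
    for d in subdirs:
        if d.name not in uid_of:
            findings.append(f"{d.name}: no such account (leftover tree?)")
        elif d.uid != uid_of[d.name]:
            # The thread's case: the name was reused with a new uid, which cannot
            # mkdir inside the old 0700 tree -> "mkdir(...) failed: Permission denied".
            findings.append(f"{d.name}: owned by uid {d.uid}, account now maps to uid "
                            f"{uid_of[d.name]}; consider %i instead of %u")
        if stat.S_IMODE(d.mode) & 0o077:
            findings.append(f"{d.name}: mode {stat.S_IMODE(d.mode):04o} exposes indexes; expected 0700")
    return findings

def collect(path: str) -> tuple[Entry, list[Entry]]:
    """Build Entry records for a real index root via os.lstat (read access suffices)."""
    def ent(p):
        st = os.lstat(p)
        return Entry(os.path.basename(p), st.st_mode, st.st_uid, st.st_gid)
    return ent(path), [ent(os.path.join(path, n)) for n in sorted(os.listdir(path))]

# Constructed sample (not from the thread): root 1777 root:root, one healthy user, and
# "ahinds" whose old tree is owned by uid 1001 while the name now maps to uid 1050.
SAMPLE_ROOT = Entry("dcindx", stat.S_IFDIR | 0o1777, 0, 0)
SAMPLE_SUBDIRS = [Entry("ahinds", stat.S_IFDIR | 0o700, 1001, 1001),
                  Entry("sdean", stat.S_IFDIR | 0o700, 1002, 1002)]
SAMPLE_UIDS = {"ahinds": 1050, "sdean": 1002}  # live: pwd.getpwnam(name).pw_uid
```

On a real server, pass the result of `collect("/var/dcindx")` together with a name-to-uid map built from `pwd` to `audit_index_root`; the sample data reproduces the "Permission denied" situation from the quoted log line.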
