[Dovecot] bug when creating /var/run/dovecot?

Frank Cusack fcusack at fcusack.com
Thu Nov 19 21:25:31 EET 2009


dovecot-1.2.7

If /var/run/dovecot does not exist when dovecot starts up (e.g. required
when /var/run is a tmpfs/ramfs), it creates it.  But it creates it with
the wrong file mode -- the directory is mode 777.  Being world writable
means any user could change the name of any file within the directory,
including the login directory, and then create their own new login
directory.  Or remove the pid file, or perhaps cause other types of havoc.

Comments?

-frank
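An added example, not part of the original post and not Dovecot's code: a check for the condition described above (a directory that is world-writable without the sticky bit lets any local user rename or unlink its entries) next to a creation routine that sets the mode explicitly. The function names and the scratch paths are hypothetical, and since the post does not say how the 777 mode arises, the demo reproduces it with a permissive umask as an assumption.

```c
#define _GNU_SOURCE               /* O_DIRECTORY, O_NOFOLLOW, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any local user may rename/unlink entries in `path` (world-writable,
 * no sticky bit), 0 if not, -1 if `path` is missing or not a directory. */
int dir_entries_world_renamable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 1 : 0;
}

/* Create `path`, or tighten an existing one, to exactly `mode`. */
int mkdir_exact_mode(const char *path, mode_t mode)
{
    struct stat st;
    int fd, ret = -1;
    if (mkdir(path, mode & 0700) < 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a symlink planted at `path`. */
    if ((fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid())
        ret = fchmod(fd, mode);   /* unlike mkdir(), not filtered by umask */
    close(fd);
    return ret;
}

/* Constructed demo in a scratch directory under /tmp. */
int main(void)
{
    char base[] = "/tmp/rundir-demo-XXXXXX", weak[64], safe[64];
    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(weak, sizeof weak, "%s/weak", base);
    snprintf(safe, sizeof safe, "%s/safe", base);
    umask(0);                     /* assumption: permissive inherited umask */
    if (mkdir(weak, 0777) < 0 || mkdir_exact_mode(safe, 0755) < 0)
        return 1;
    printf("weak: %d  safe: %d\n", dir_entries_world_renamable(weak),
           dir_entries_world_renamable(safe));
    rmdir(weak); rmdir(safe); rmdir(base);
    return 0;
}
```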

