[Dovecot] Permissions when running `dovecot --exec-mail imap`

Timo Sirainen tss at iki.fi
Wed Jan 23 10:03:50 EET 2013


On 22.1.2013, at 21.44, Tim Marston <tim at ed.am> wrote:

> On Tue, Jan 15, 2013 at 11:33:08PM +0000, Tim Marston wrote:
>> Would it be acceptable to setgid the dovecot executable and change it's
>> group to "mail" (i.e., `chgrp mail dovecot` and `chmod g+s dovecot`)?
>> Would this pose some kind of security risk?  Would this actualy do what
>> I want, or am I missing a bigger picture?
> 
> Just to confirm, doing the following fixed the problem for me:
> 
>  # chgrp mail /usr/bin/dovecot
>  # chmod g+s /usr/bin/dovecot
> 
> I am still able to use IMAP normally, and I am now also able to set up
> mutt with the following:

You've now basically given any user ability to run any process with mail group privileges.

> My INBOX in no longer occasionally read-only, and I no longer get the
> following error in /var/log/mail.err:
> 
>  Jan 22 08:48:59 mailhost IMAP(user): : file_dotlock_create(/var/mail/user)
>  failed: Permission denied (euid=1000(user) egid=1000(user) missing +w
>  perm: /var/mail) (set mail_privileged_group=mail)

Other possibilities:

a) Deliver mails elsewhere than /var/mail/ (under each user's home dir)

b) Don't use dotlocking: mbox_write_locks = fcntl

c) Make /var/mail/ 01777 permissions



More information about the dovecot mailing list