[Dovecot] Permissions when running `dovecot --exec-mail imap`
Timo Sirainen
tss at iki.fi
Wed Jan 23 10:03:50 EET 2013
On 22.1.2013, at 21.44, Tim Marston <tim at ed.am> wrote:
> On Tue, Jan 15, 2013 at 11:33:08PM +0000, Tim Marston wrote:
>> Would it be acceptable to setgid the dovecot executable and change its
>> group to "mail" (i.e., `chgrp mail dovecot` and `chmod g+s dovecot`)?
>> Would this pose some kind of security risk? Would this actually do what
>> I want, or am I missing a bigger picture?
>
> Just to confirm, doing the following fixed the problem for me:
>
> # chgrp mail /usr/bin/dovecot
> # chmod g+s /usr/bin/dovecot
>
> I am still able to use IMAP normally, and I am now also able to set up
> mutt with the following:
You've now basically given any user the ability to run any process with mail group privileges.
> My INBOX in no longer occasionally read-only, and I no longer get the
> following error in /var/log/mail.err:
>
> Jan 22 08:48:59 mailhost IMAP(user): : file_dotlock_create(/var/mail/user)
> failed: Permission denied (euid=1000(user) egid=1000(user) missing +w
> perm: /var/mail) (set mail_privileged_group=mail)
Other possibilities:
a) Deliver mails elsewhere than /var/mail/ (under each user's home dir)
b) Don't use dotlocking: mbox_write_locks = fcntl
c) Make /var/mail/ 01777 permissions
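The following is an added example, not code from the Dovecot list or the Dovecot project, that turns the points above into a small audit script: it reports a setgid dovecot binary in the mail group (the state Timo warns about), checks whether the spool is 01777 (option c), and reads mbox_write_locks to see whether dotlocking, and therefore write access to the spool directory, is still required (option b). Function names, the fixture builder and the defaults /usr/bin and /var/mail are mine; it relies on POSIX find/sed and assumes Dovecot's default for mbox_write_locks includes dotlock, which is what the file_dotlock_create error in the thread reflects.

```shell
#!/bin/sh
# Added example (not from the Dovecot thread or project). Every helper takes
# explicit paths so it can be run against a constructed fixture; only the
# defaults point at the real locations.

# Print every setgid regular file under ROOT whose group is GROUP.
# Any hit is the condition Timo describes: every local user can start a
# process that carries that group's privileges.
find_setgid_group() {
    root=${1:-/usr/bin}
    group=${2:-mail}
    find "$root" -type f -perm -2000 -group "$group" 2>/dev/null
}

# Succeed (exit 0) when DIR is mode 1777: world-writable with the sticky bit,
# which lets an unprivileged IMAP process create /var/mail/user.lock without
# any setgid helper, while the sticky bit keeps users from removing each
# other's files.
spool_allows_dotlock() {
    dir=${1:-/var/mail}
    [ -n "$(find "$dir" -prune -type d -perm -1777 -print 2>/dev/null)" ]
}

# Print the mbox_write_locks value from CONF (last assignment taken), or
# nothing if the key is not set.
mbox_lock_setting() {
    conf=$1
    sed -n 's/^[[:space:]]*mbox_write_locks[[:space:]]*=[[:space:]]*//p' "$conf" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed when the configured locks still include dotlock, i.e. the IMAP
# process needs write access to the spool directory. An empty setting means
# the default, assumed here to be "dotlock fcntl".
needs_spool_write() {
    conf=$1
    locks=$(mbox_lock_setting "$conf")
    case " ${locks:-dotlock fcntl} " in
        *" dotlock "*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line findings; exit status 1 when the setgid state is present.
audit_spool() {
    bindir=$1; spool=$2; conf=$3; group=${4:-mail}
    rc=0
    hits=$(find_setgid_group "$bindir" "$group")
    if [ -n "$hits" ]; then
        echo "RISK: setgid $group binaries: $hits"
        rc=1
    fi
    if needs_spool_write "$conf"; then
        if spool_allows_dotlock "$spool"; then
            echo "OK: dotlocking enabled and $spool is 1777"
        else
            echo "WARN: dotlocking enabled but $spool is not 1777; expect file_dotlock_create failures"
        fi
    else
        echo "OK: mbox_write_locks=$(mbox_lock_setting "$conf"), no spool write needed"
    fi
    return $rc
}

# Constructed fixture under $1: a fake setgid "dovecot" in the caller's own
# group, a 1777 spool directory and a config that keeps dotlock.
make_fixture() {
    base=$1
    mkdir -p "$base/bin" "$base/spool"
    : > "$base/bin/dovecot"
    chmod 2755 "$base/bin/dovecot"
    chmod 1777 "$base/spool"
    printf 'mbox_write_locks = dotlock fcntl\n' > "$base/dovecot.conf"
}

# Stand-alone demo on the fixture. Against a real host run e.g.:
#   audit_spool /usr/bin /var/mail /etc/dovecot/dovecot.conf mail
tmp=$(mktemp -d)
make_fixture "$tmp"
audit_spool "$tmp/bin" "$tmp/spool" "$tmp/dovecot.conf" "$(id -gn)" || :
rm -rf "$tmp"
```

The fixture uses the caller's primary group instead of mail because setting the setgid bit on a file in a group you do not belong to needs privileges; on a real host pass `mail` as the fourth argument. Switching the config to `mbox_write_locks = fcntl` makes `needs_spool_write` fail, which is the audit's way of showing that option b removes the need for either the setgid bit or a world-writable spool.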