[Dovecot] Permissions when running `dovecot --exec-mail imap`

Tim Marston tim at ed.am
Tue Jan 22 21:44:09 EET 2013


Hi,

I got no reply about this, so I thought I'd just follow-up...

On Tue, Jan 15, 2013 at 11:33:08PM +0000, Tim Marston wrote:
> Would it be acceptable to setgid the dovecot executable and change its
> group to "mail" (i.e., `chgrp mail dovecot` and `chmod g+s dovecot`)?
> Would this pose some kind of security risk?  Would this actually do what
> I want, or am I missing a bigger picture?

Just to confirm, doing the following fixed the problem for me:

  # chgrp mail /usr/bin/dovecot
  # chmod g+s /usr/bin/dovecot

I am still able to use IMAP normally, and I am now also able to set up
mutt with the following:

  set tunnel="ssh -q mailhost '/usr/sbin/dovecot --exec-mail imap'"

My INBOX is no longer occasionally read-only, and I no longer get the
following error in /var/log/mail.err:

  Jan 22 08:48:59 mailhost IMAP(user): : file_dotlock_create(/var/mail/user)
  failed: Permission denied (euid=1000(user) egid=1000(user) missing +w
  perm: /var/mail) (set mail_privileged_group=mail)

I would still like confirmation from a dovecot dev that it is OK to set
up dovecot this way.  Any comments?

Kind regards,

-- 
Tim Marston
ed.am
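A check of the setup described in the post, added here as an example (it is not code from the post or from the Dovecot project). It assumes /usr/bin/dovecot and /var/mail as default paths, reports whether the binary is setgid and whether its group matches the group that can write the spool (which is what the dotlock in the logged error needs), and otherwise points at the mail_privileged_group setting that the log line itself names.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Dovecot project.
# Audits the arrangement the post describes: a setgid "mail" dovecot binary
# so that file_dotlock_create() can write the spool. Default paths below are
# assumptions; pass your own binary as $1 and spool directory as $2.

# Group that owns PATH, parsed from ls -ld (portable across sh variants).
owner_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Prints "setgid:<group>" if FILE carries the setgid bit, else "nosetgid".
setgid_group() {
    if [ -g "$1" ]; then
        printf 'setgid:%s\n' "$(owner_group "$1")"
    else
        printf 'nosetgid\n'
    fi
}

# Exit 0 if DIR's group-write bit is set (position 6 of the mode string);
# the dotlock in the logged error needs +w on the spool for the effective gid.
group_writable() {
    case "$(ls -ld "$1" | awk '{print $1}')" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Verdict for BIN against spool DIR. Every user who can run BIN inherits its
# group, so "setgid-ok" means dotlocks work but the privilege is binary-wide.
audit() {
    bin="$1"; spool="$2"
    [ -e "$bin" ]   || { printf 'missing:%s\n' "$bin"; return 0; }
    [ -d "$spool" ] || { printf 'missing:%s\n' "$spool"; return 0; }
    sg=$(setgid_group "$bin")
    case "$sg" in
        setgid:*) ;;
        *) printf 'use-mail_privileged_group=%s\n' "$(owner_group "$spool")"; return 0 ;;
    esac
    if [ "${sg#setgid:}" != "$(owner_group "$spool")" ]; then
        printf 'group-mismatch:%s vs %s\n' "${sg#setgid:}" "$(owner_group "$spool")"
    elif group_writable "$spool"; then
        printf 'setgid-ok:%s\n' "${sg#setgid:}"
    else
        printf 'spool-not-group-writable:%s\n' "$spool"
    fi
}

audit "${1:-/usr/bin/dovecot}" "${2:-/var/mail}"
```

Run it as `sh audit.sh /usr/bin/dovecot /var/mail` on the mail host; a missing path is reported rather than treated as an error.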