[Dovecot] Permissions when running `dovecot --exec-mail imap`

Tim Marston tim at ed.am
Wed Jan 16 01:33:08 EET 2013


Hi,

I'm running dovecot 1.2.15, on Debian squeeze.  /var/mail is owned by
group "mail" with permissions "g+rwxs,o=".  The mail_privileged_group
setting is set to "mail".

I am trying to access mail on a remote machine with mutt by tunnelling
mutt through ssh and running `dovecot --exec-mail imap` on the mail
server.  But I frequently get errors in the mail server's logs about
not being able to create dotlock files when accessing my INBOX this
way.  This makes sense -- I'm running dovecot as a regular user, so it
isn't able to write to /var/mail as group "mail".

I notice that on the dovecot wiki[1] it is suggested that sudo is used
to set uid/gid before running `dovecot --exec-mail imap`.  But I don't
actually want to set the uid, just the gid.  And I also have sudo
disabled at the moment.  So I was wondering about another solution...

Would it be acceptable to setgid the dovecot executable and change its
group to "mail" (i.e., `chgrp mail dovecot` and `chmod g+s dovecot`)?
Would this pose some kind of security risk?  Would this actually do what
I want, or am I missing a bigger picture?

Kind regards,

[1] http://wiki.dovecot.org/PreAuth

-- 
Tim Marston
ed.am
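
The dotlock failure described in the message above, modelled as an added example (not part of the original post and not Dovecot code): the directory permission check applied when a process tries to create a lock file in a spool with permissions "g+rwxs,o=". The root owner, the owner bits in mode 2770, the numeric IDs and all function names are assumptions made for illustration.

```python
import os
import stat
from typing import NamedTuple


class Creds(NamedTuple):
    euid: int
    egid: int
    groups: frozenset  # supplementary group IDs


def access_class(owner_uid, owner_gid, creds):
    """Which permission triplet the kernel applies: first match wins."""
    if creds.euid == owner_uid:
        return "owner"
    if creds.egid == owner_gid or owner_gid in creds.groups:
        return "group"
    return "other"


def can_create_dotlock(mode, owner_uid, owner_gid, creds):
    """Creating a file in a directory needs write + search on that directory."""
    if creds.euid == 0:
        return True  # root bypasses the mode bits
    need = {
        "owner": stat.S_IWUSR | stat.S_IXUSR,
        "group": stat.S_IWGRP | stat.S_IXGRP,
        "other": stat.S_IWOTH | stat.S_IXOTH,
    }[access_class(owner_uid, owner_gid, creds)]
    return mode & need == need


def check_spool(path="/var/mail"):
    """Run the same check for the current process against a real directory."""
    st = os.stat(path)
    me = Creds(os.geteuid(), os.getegid(), frozenset(os.getgroups()))
    return can_create_dotlock(st.st_mode, st.st_uid, st.st_gid, me)


# Constructed values: spool is root:mail, mode 2770; uid/gid numbers are made up.
SPOOL_MODE, ROOT_UID, MAIL_GID = 0o2770, 0, 8
plain_user = Creds(euid=1000, egid=1000, groups=frozenset({1000}))
egid_mail = plain_user._replace(egid=MAIL_GID)  # effective gid "mail", uid unchanged

if __name__ == "__main__":
    for name, c in (("plain user", plain_user), ("egid mail", egid_mail)):
        print(name, can_create_dotlock(SPOOL_MODE, ROOT_UID, MAIL_GID, c))
```

`check_spool()` applies the same logic to the identity of the process that calls it, so it only reflects the IMAP process if run with the same uid, gid and groups.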


