[Pkg-shadow-devel] Permissions of /var/mail/$USER
nicolas.francois at centraliens.net
Sun Oct 11 09:44:45 UTC 2009
When an user is created, useradd creates a /var/mail/$USER mailbox with
the mode 0660 (owned by $USER:mail).
I heard this causes some issues for dovecot, and a solution could be to
move to mode 0600.
I would like to change shadow in that direction, with a configure option to
restore the previous behavior.
On Debian, the policy allows this, but I would like to communicate this
change in case some people know of possible breakages.
Here is an extract from the Debian policy:
Mailboxes are generally either mode 600 and owned by <user> or mode
660 and owned by `<user>:mail'. The local system administrator may
choose a different permission scheme; packages should not make
assumptions about the permission and ownership of mailboxes unless
required (such as when creating a new mailbox). A MUA may remove a
mailbox (unless it has nonstandard permissions) in which case the MTA
or another MUA must recreate it if needed.
 There are two traditional permission schemes for mail spools: mode 600
with all mail delivery done by processes running as the destination
user, or mode 660 and owned by group mail with mail delivery done by a
process running as a system user in group mail. Historically, Debian
required mode 660 mail spools to enable the latter model, but that
model has become increasingly uncommon and the principle of least
privilege indicates that mail systems that use the first model should
use permissions of 600. If delivery to programs is permitted, it's
easier to keep the mail system secure if the delivery agent runs as
the destination user. Debian Policy therefore permits either scheme.
Other distributions could use the configure option, but let me know if this
would also break anything.
Thanks in advance,
More information about the Pkg-shadow-devel