[Pkg-shadow-devel] Permissions of /var/mail/$USER

Nicolas François nicolas.francois at centraliens.net
Sun Oct 11 12:49:22 UTC 2009


Hello,

On Sun, Oct 11, 2009 at 12:45:20PM +0200, Bjørn Mork wrote:
> Nicolas François <nicolas.francois at centraliens.net> writes:
> 
> > When a user is created, useradd creates a /var/mail/$USER mailbox with
> > the mode 0660 (owned by $USER:mail).
> >
> > I heard this causes some issues for dovecot, and a solution could be to
> > move to mode 0600.
> 
> Where did you hear this?

It was a request on IRC.

> Exactly what did you hear?

IIRC, it was a problem for the support of shared mailboxes.
Index files are created whose permissions mimic the mailbox's permissions.
The 'mail' group ownership would require dovecot to be in the mail group.

I assume that this could be solved internally by dovecot, but it would be
easier (and safer) to move to a 0600 policy.

> Is this documented in a bug report?
> 
> Maybe some reference(s) to the bug report(s) would make it easier for
> the rest of us to understand the issues? 
> 
> 
> > Here is an extract from the Debian policy:
> >
> >      Mailboxes are generally either mode 600 and owned by <user> or mode
> >      660 and owned by `<user>:mail'[3].  The local system administrator may
> >      choose a different permission scheme; packages should not make
> >      assumptions about the permission and ownership of mailboxes unless
> >      required (such as when creating a new mailbox). 
> 
> Anyway, doesn't this make any dovecot issue a policy violation?  Or am I
> misunderstanding the "packages should not make assumptions about the
> permission and ownership of mailboxes" part?

It would be a violation of a "should".
This "should" is also followed by "unless required", which is vague enough
to include any technical reason dovecot may have.

Best Regards,
-- 
Nekral
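The two mailbox schemes the quoted policy extract allows (0600 owned by the user, or 0660 owned by user:mail) can be audited mechanically. The following is an added example, not code from this thread or from the shadow tools; it assumes the mailbox file name equals the owning user name, as with useradd's /var/mail/$USER, and the spool path is a constructed argument.

```python
import os
import pwd
import grp
import stat

def classify_mailbox(name, mode, owner, group):
    """Return a list of findings for one mailbox; an empty list means compliant.

    name:  mailbox file name, assumed to equal the owning user (useradd's /var/mail/$USER)
    mode:  permission bits only (e.g. 0o660), without file-type bits
    owner: owning user name; group: owning group name
    """
    findings = []
    if owner != name:
        findings.append(f"owner is {owner}, expected {name}")
    if mode & 0o007:
        findings.append(f"world-accessible: mode {mode:04o}")
    if mode == 0o600:
        return findings                     # scheme 1: 600 owned by <user>
    if mode == 0o660:                       # scheme 2: 660 owned by <user>:mail
        if group != "mail":
            findings.append(f"mode 0660 but group is {group}, expected mail")
        return findings
    findings.append(f"mode {mode:04o} matches neither 0600 <user> nor 0660 <user>:mail")
    return findings

def audit_spool(spool="/var/mail"):
    """Walk a spool directory and return {mailbox: [findings]} for non-compliant entries."""
    report = {}
    for name in sorted(os.listdir(spool)):
        st = os.lstat(os.path.join(spool, name))
        if not stat.S_ISREG(st.st_mode):
            # symlinks or directories in the spool are worth a look on their own
            report[name] = ["not a regular file"]
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)          # orphaned uid: report it numerically
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        findings = classify_mailbox(name, stat.S_IMODE(st.st_mode), owner, group)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for box, problems in audit_spool().items():
        print(box, ";", "; ".join(problems))
```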
