[Pkg-shadow-devel] Permissions of /var/mail/$USER

Russell Coker russell at coker.com.au
Mon Oct 12 02:52:17 UTC 2009


On Sunday 11 October 2009 23:49:22 Nicolas François wrote:
> IIRC, it was a problem for the support of shared mailboxes.
> Index files are created whose permissions mimic the mailbox' permissions.
> The 'mail' group ownership would require dovecot to be in the mail group.

Why?

For Dovecot to access files mode 0600 owned by various users it must run as 
root (at least initially); in that case it can access all files.

The only reason why mode 0660 would be a problem is if Dovecot changes to the 
GID and UID of the user before such access and can't be configured to use the 
GID of mail instead.  This seems to be a bug (or at least a missing feature) 
in Dovecot.

I'm all in favor of making access control more strict, so I support mode 0600 
mail files.

But what you are saying about Dovecot is not a valid reason IMHO.

Also as an aside I think it's a bad idea for a program like Dovecot to create 
index files in /var/mail.  I believe it should be in /var/lib/dovecot or 
similar.  /var/mail is used by many programs and I believe that it should not 
have any files other than the mboxes.
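As an added example (not part of this thread or of the shadow or Dovecot projects), a POSIX shell audit of an mbox spool applying the rules argued above: each mailbox named after and owned by its user, mode 0600 or 0660 with the spool group (assumed to be `mail` unless a second argument is given), and no index or other stray files in the directory. The demo builds a constructed spool in a temporary directory rather than touching /var/mail.

```shell
#!/bin/sh
# Audit an mbox spool such as /var/mail. Prints one line per finding;
# exit status 0 when the spool is clean, 1 otherwise.
# Uses GNU stat(1); on BSD/macOS substitute: stat -f '%Lp %Su %Sg'.
audit_mail_spool() {
    spool="$1"
    mailgrp="${2:-mail}"            # group expected on 0660 mailboxes
    findings=0
    for f in "$spool"/*; do
        [ -e "$f" ] || continue     # empty spool: the glob did not expand
        name=$(basename "$f")
        if [ ! -f "$f" ]; then
            echo "non-regular entry in spool: $f"
            findings=$((findings + 1)); continue
        fi
        case "$name" in
            *.*)                    # dovecot.index, foo.lock, ... are not mboxes
                echo "non-mbox file in spool: $f"
                findings=$((findings + 1)); continue ;;
        esac
        set -- $(stat -c '%a %U %G' "$f")
        mode=$1; owner=$2; group=$3
        mode=${mode#"${mode%???}"}  # keep last three octal digits (drop setgid etc.)
        [ "$owner" = "$name" ] || {
            echo "$f: owned by $owner, expected $name"
            findings=$((findings + 1))
        }
        case "$mode" in
            600) ;;
            660) [ "$group" = "$mailgrp" ] || {
                     echo "$f: mode 0660 but group is $group, not $mailgrp"
                     findings=$((findings + 1))
                 } ;;
            *)  echo "$f: mode 0$mode, expected 0600 (or 0660 with group $mailgrp)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Demo on a constructed spool in a temporary directory (not a real /var/mail).
demo_spool() {
    d=$(mktemp -d); me=$(id -un)
    : > "$d/$me";           chmod 600 "$d/$me"            # fine
    : > "$d/alice";         chmod 644 "$d/alice"          # world-readable, wrong owner
    : > "$d/dovecot.index"; chmod 600 "$d/dovecot.index"  # not an mbox
    if audit_mail_spool "$d" "$(id -gn)"; then echo clean; else echo "findings present"; fi
    rm -rf "$d"
}
```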
