[Pkg-shadow-devel] Permissions of /var/mail/$USER

Timo Sirainen tss at iki.fi
Tue Oct 13 14:17:02 UTC 2009


(Sorry about messing up threading, but I'm not subscribed and wasn't
Cc'd)

> > IIRC, it was a problem for the support of shared mailboxes.
> > Index files are created whose permissions mimic the mailbox' permissions.
> > The 'mail' group ownership would require dovecot to be in the mail group.
> 
> Why?
> 
> For Dovecot to access files mode 0600 owned by various users it must run as 
> root (at least initially), in that case it can access all files.
> 
> The only reason why mode 0660 would be a problem is if Dovecot changes to the 
> GID and UID of the user before such access and can't be configured to use the 
> GID of mail instead.  This seems to be a bug (or at least a missing feature) 
> in Dovecot.

Dovecot can be configured to use mail group, but doing so just adds more
risks. I could also change the code so that it doesn't try to preserve
group for /var/mail/* files, but that could prevent some real cases when
it's wanted to be done.

> Also as an aside I think it's a bad idea for a program like Dovecot to create 
> index files in /var/mail.  I believe it should be in /var/lib/dovecot or 
> similar.  /var/mail is used by many programs and I believe that it should not 
> have any files other than the mboxes.

The index files aren't created in /var/mail. The only issue is that it
tries to change the created index files' group to mail, which fails and
then it logs an error. It actually still continues, so the only issue is
those periodic error messages.
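The behaviour described in this thread (mimic the mailbox's permissions on a new index file, try to hand the file to the mailbox's group, and log-and-continue when that is not permitted) comes down to one POSIX rule: an unprivileged process may change a file's group only to its effective GID or one of its supplementary groups; only root (or CAP_CHOWN on Linux) may set an arbitrary group. The following is an added example written for this archive page, not Dovecot's own code; the function names, the `demo()` helper and the temporary mailbox it constructs are all assumptions made for illustration.

```python
"""Create an index file whose mode and group mimic a mailbox, degrading
gracefully when the process may not set the mailbox's group.

Added example, not Dovecot's code.  All names and paths are constructed.
"""
import logging
import os
import tempfile

log = logging.getLogger("index-perms")


def group_change_allowed(target_gid, euid, egid, supplementary_gids):
    """POSIX rule (Linux without CAP_CHOWN): an unprivileged owner may
    chgrp a file only to its effective GID or a supplementary group.
    Root (euid 0) may set any group."""
    if euid == 0:
        return True
    return target_gid == egid or target_gid in set(supplementary_gids)


def index_mode_for(mailbox_mode):
    """Derive the index file mode from the mailbox mode: keep the owner and
    group read/write bits, never grant execute, never grant 'other'."""
    return mailbox_mode & 0o660


def create_index_like(mailbox_path, index_path):
    """Create index_path with mode and group mimicking mailbox_path.

    Returns a dict describing what was achieved so the caller can log the
    group mismatch and keep going instead of aborting, which is the
    behaviour the message above describes."""
    st = os.stat(mailbox_path)
    mode = index_mode_for(st.st_mode)
    fd = os.open(index_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(index_path, mode)  # O_CREAT applies the umask; enforce the exact mode

    result = {"mode": mode, "group_matched": False, "error": None}
    if group_change_allowed(st.st_gid, os.geteuid(), os.getegid(), os.getgroups()):
        try:
            os.chown(index_path, -1, st.st_gid)  # -1 leaves the owner unchanged
            result["group_matched"] = True
        except PermissionError as exc:
            result["error"] = str(exc)
    else:
        result["error"] = "not a member of gid %d; group left as %d" % (
            st.st_gid, os.stat(index_path).st_gid)
    if result["error"]:
        # The periodic error the thread complains about: logged, not fatal.
        log.warning("could not match group of %s: %s", mailbox_path, result["error"])
    return result


def demo():
    """Constructed scenario: a 0600 mailbox owned by the current process and
    group, so the group match is always permitted.  Returns the result dict
    and the index file's final permission bits."""
    d = tempfile.mkdtemp()
    mailbox = os.path.join(d, "alice")  # constructed stand-in for /var/mail/alice
    index = os.path.join(d, "alice.index")
    fd = os.open(mailbox, os.O_WRONLY | os.O_CREAT, 0o600)
    os.close(fd)
    os.chmod(mailbox, 0o600)
    os.chown(mailbox, -1, os.getegid())  # pin the group to one we are allowed to use
    result = create_index_like(mailbox, index)
    return result, os.stat(index).st_mode & 0o777


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

With the mailbox group set to `mail` and the process running unprivileged as the user, `group_change_allowed` returns False unless the user is in `mail`, which is exactly the case where the index keeps the user's group and a warning is logged. Checking membership up front rather than only catching `PermissionError` keeps the decision explicit and avoids the temptation to grant the process the `mail` group just to silence the message.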