Re: Permissions of /var/mail/$USER
On Sunday 11 October 2009 23:49:22 Nicolas François wrote:
> IIRC, it was a problem for the support of shared mailboxes.
> Index files are created whose permissions mimic the mailbox's permissions.
> The 'mail' group ownership would require dovecot to be in the mail group.
For Dovecot to access files mode 0600 owned by various users it must run as
root (at least initially); in that case it can access all files.
The only reason why mode 0660 would be a problem is if Dovecot changes to the
GID and UID of the user before such access and can't be configured to use the
GID of mail instead. This seems to be a bug (or at least a missing feature).
I'm all in favor of making access control more strict, so I support mode 0600.
But what you are saying about Dovecot is not a valid reason IMHO.
Also as an aside I think it's a bad idea for a program like Dovecot to create
index files in /var/mail. I believe it should be in /var/lib/dovecot or
similar. /var/mail is used by many programs and I believe that it should not
have any files other than the mboxes.
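The two points argued in this thread, mailbox modes (0600 for owner-only access, 0660 with group mail for shared access) and the spool containing nothing but mboxes, can be checked with a small audit script. The following is an added example, not code from the list discussion or from Dovecot; it walks a spool directory and reports mailboxes with an unexpected mode, mailboxes not owned by the user they are named after (or, for 0660, not group-owned by mail), and any entry that is not a per-user mbox (index files, lock files, subdirectories). The `build_demo_spool` helper builds a constructed spool in a temporary directory with a simulated user database (`alice`, `bob`, `carol`) and a constructed index file name, so it runs without root; `resolve_uid` and `mail_gid` default to the real passwd/group databases when auditing a real /var/mail.

```python
import grp
import os
import pwd
import stat
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

STRICT_MODE = 0o600   # owner only (the mode favoured in the thread)
SHARED_MODE = 0o660   # owner plus the mail group (needs a mail-group-aware MDA/IMAP server)


def _system_uid(name: str) -> Optional[int]:
    """Default resolver: map a spool file name to a uid via the passwd database."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def _system_mail_gid() -> Optional[int]:
    """Default: gid of the 'mail' group, or None if the system has no such group."""
    try:
        return grp.getgrnam("mail").gr_gid
    except KeyError:
        return None


def audit_spool(spool: str,
                resolve_uid: Callable[[str], Optional[int]] = _system_uid,
                mail_gid: Optional[int] = None,
                allowed_modes: Tuple[int, ...] = (STRICT_MODE, SHARED_MODE)) -> Dict[str, List]:
    """Check every entry in a mail spool directory and return the findings.

    bad_mode    - mailbox mode is neither 0600 nor 0660
    bad_owner   - mailbox uid differs from the user it is named after, or a
                  0660 mailbox is not group-owned by mail
    extra_files - anything that is not a regular file named after a user
                  (index files, lock files, subdirectories, symlinks)
    """
    if mail_gid is None:
        mail_gid = _system_mail_gid()
    findings: Dict[str, List] = {"bad_mode": [], "bad_owner": [], "extra_files": []}
    for entry in sorted(Path(spool).iterdir(), key=lambda p: p.name):
        st = os.lstat(entry)          # lstat: a symlink in the spool is itself suspicious
        name = entry.name
        uid = resolve_uid(name)
        if not stat.S_ISREG(st.st_mode) or uid is None:
            findings["extra_files"].append(name)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode not in allowed_modes:
            findings["bad_mode"].append((name, oct(mode)))
        if st.st_uid != uid:
            findings["bad_owner"].append((name, "uid %d, expected %d" % (st.st_uid, uid)))
        elif mode == SHARED_MODE and st.st_gid != mail_gid:
            findings["bad_owner"].append((name, "gid %d is not the mail group" % st.st_gid))
    return findings


def build_demo_spool() -> Tuple[str, Callable[[str], Optional[int]], int]:
    """Construct a throwaway spool (constructed sample data, not a real /var/mail).

    The user database is simulated: 'alice' and 'carol' map to the running uid,
    'bob' to a uid we do not own, so the ownership check fires without root.
    The running process's primary gid stands in for the mail group.
    """
    me = os.getuid()
    fake_users = {"alice": me, "carol": me, "bob": me + 1}
    d = tempfile.mkdtemp(prefix="spool-demo-")
    for name, mode in (("alice", 0o600), ("bob", 0o644), ("carol", 0o660)):
        p = Path(d, name)
        p.write_bytes(b"From alice@example.invalid Sun Oct 11 23:49:22 2009\n")
        os.chown(p, -1, os.getgid())   # pin the group so the 0660 check is deterministic
        p.chmod(mode)
    Path(d, "dovecot.index.cache").write_bytes(b"")   # hypothetical index file, not a mailbox
    Path(d, ".imap").mkdir()                           # hypothetical index directory
    return d, fake_users.get, os.getgid()


if __name__ == "__main__":
    spool, resolver, gid = build_demo_spool()
    for kind, items in audit_spool(spool, resolver, gid).items():
        print(kind, items)
```

Against the constructed spool this reports `bob` twice (mode 0644 and wrong uid) and lists `.imap` and `dovecot.index.cache` as files that do not belong in the spool; `alice` (0600) and `carol` (0660 with the mail group) pass. To audit a real spool, call `audit_spool("/var/mail")` as root so every mailbox can be stat'ed.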