Hello Timo, I'm using linux Fedora Core 2. The permissions are : drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/ These permissions are made buy the command chmod a+rwxt /var/spool/mail. So if someone wants to erase the /var/spool/mail directory, it's possible unfortunately. If there are theses permissions the user can receive his mails but it's dangerous I think. And if I modify the dovecot.conf file : mail_extra_groups = mail and if the permissions are the initial permission, and if I enter chmod +t /var/spool/mail the user can't receive his mail. Thanks Frederic
On Fri, 2004-07-09 at 17:20, Fr?d?ric Sapin wrote:> If there are theses permissions the user can receive his mails but it's > dangerous I think. > And if I modify the dovecot.conf file : > mail_extra_groups = mail > and if the permissions are the initial permission, and if I enter chmod +t > /var/spool/mail the user can't receive his mail.What are the initial permissions? Does mail group have write rights? It should work then, and it did last time I tried. The +t isn't needed with mail_extra_groups=mail, but it gives some extra safety. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20040709/1b6b88f9/attachment-0001.bin>
On Fri, 2004-07-09 at 17:20, Fr?d?ric Sapin wrote:> I'm using linux Fedora Core 2. > The permissions are : > drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/ > > These permissions are made buy the command chmod a+rwxt /var/spool/mail. > > So if someone wants to erase the /var/spool/mail directory, it's possible > unfortunately.And deleting other people's mail isn't actually possible then. That's why there's the +t sticky bit. It's the same as in /tmp directory. Users can only create files and delete their own files, but can't delete files created by others. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20040709/660e0e76/attachment-0001.bin>
> On Fri, 2004-07-09 at 17:20, Fr?d?ric Sapin wrote: > > If there are theses permissions the user can receive his mails but it's > > dangerous I think. > > And if I modify the dovecot.conf file : > > mail_extra_groups = mail > > and if the permissions are the initial permission, and if I enter chmod > > +t /var/spool/mail the user can't receive his mail. > > What are the initial permissions? Does mail group have write rights? It > should work then, and it did last time I tried. The +t isn't needed with > mail_extra_groups=mail, but it gives some extra safety.Initial permissions are rwxrwxr-x root mail So mail group have right permission. I have not try with rwxrwxr-t permission. I will try and I will get back to you. Excuse me for this question but what represents the t exactly ? Thanks a lot Frederic
> On Fri, 2004-07-09 at 17:20, Fr?d?ric Sapin wrote: > > I'm using linux Fedora Core 2. > > The permissions are : > > drwxrwxrwt 2 root mail 32 2004-06-16 04:45 > > /var/spool/mail/ > > > > These permissions are made buy the command chmod a+rwxt /var/spool/mail. > > > > So if someone wants to erase the /var/spool/mail directory, it's possible > > unfortunately. > > And deleting other people's mail isn't actually possible then. That's > why there's the +t sticky bit. It's the same as in /tmp directory. Users > can only create files and delete their own files, but can't delete files > created by others.Ok it's working with permissions : rwxrwxr-T root mail /var/spool/mail So like that I think it's enough security. I don't understand the line : mail_extra_groups = mail If I remove mail is it working ? Thanks Frederic
On Fri, 9 Jul 2004, Fr?d?ric Sapin wrote:> I'm using linux Fedora Core 2. > The permissions are : > drwxrwxrwt 2 root mail 32 2004-06-16 04:45 /var/spool/mail/ > > These permissions are made buy the command chmod a+rwxt /var/spool/mail. > > So if someone wants to erase the /var/spool/mail directory, it's possible > unfortunately.No. User would need a writable /var/spool to delete the "mail" directory. See other comments about (lack of) ability to delete files within that directory. -- Charlie