Joe Cooper
2006-Oct-25 21:05 UTC
[Dovecot] mail_extra_groups and home directory permissions
Hi all,

I've got a virtual hosting environment, where each user lives in /home/domain/homes/user, and the mailbox is a Maildir within that directory. I've been running into a permissions problem, because it seems Dovecot doesn't get the user's group membership (which seems odd, but I'm not confident enough of my comprehension of Dovecot to say it looks like a bug).

In short, when Dovecot hits the /home/domain directory, which is owned by domain:domain and set to 750 permissions, it gets a permission denied, despite the user having the needed group membership to traverse these directories.

So, in an effort to work around this problem, I came upon the mail_extra_groups option, which seems to allow me to drop Dovecot into additional groups. If I add the domain group to this list, Dovecot is able to traverse to the correct directory and all works exactly as I want it to, with the domain directories being set to 750 permissions. Hooray!

My only question, since this is not the documented purpose of this option, is:

Is it safe to do this? Am I opening up some other kind of security problem by setting this option to include all domain groups?

Thanks for any thoughts anyone might have on this...
Gerard Seibert
2006-Oct-25 23:26 UTC
[Dovecot] mail_extra_groups and home directory permissions
On Wednesday October 25, 2006 at 05:05:00 (PM) Joe Cooper wrote:

> I've got a virtual hosting environment, where each user lives in
> /home/domain/homes/user, and the mailbox is a Maildir within that
> directory. I've been running into a permissions problem, because it
> seems Dovecot doesn't get the user's group membership (which seems odd,
> but I'm not confident enough of my comprehension of Dovecot to say
> it looks like a bug).
>
> In short, when Dovecot hits the /home/domain directory, which is owned by
> domain:domain and set to 750 permissions, it gets a permission denied,
> despite the user having the needed group membership to traverse these
> directories.
>
> So, in an effort to work around this problem, I came upon the
> mail_extra_groups option, which seems to allow me to drop Dovecot into
> additional groups. If I add the domain group to this list, Dovecot is
> able to traverse to the correct directory and all works exactly as I
> want it to, with the domain directories being set to 750 permissions.
> Hooray!
>
> My only question, since this is not the documented purpose of this
> option, is:
>
> Is it safe to do this? Am I opening up some other kind of security
> problem by setting this option to include all domain groups?
>
> Thanks for any thoughts anyone might have on this...

I was having a problem similar to yours. I ended up giving the /var/mail/vhosts/domain/{$user} directory '1777' permissions to get Dovecot to operate on it. I will give your idea a try though.

--
Gerard
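Both workarounds in the thread come down to the same kernel rule: every directory on the way to the Maildir must grant the search (x) bit to the process's uid, primary gid, or one of its supplementary gids. The following added example (not code from the Dovecot project or from either poster) models that path walk over a constructed filesystem that copies the two layouts described above: Joe's /home/domain/homes/user tree at 750 and Gerard's /var/mail/vhosts/domain/user directory at 1777. The uids, gids and domain names are invented, and `mail_process_creds` is an assumption that models the behaviour Joe reports: the mail process carries only the userdb uid/gid plus whatever mail_extra_groups lists, with no /etc/group membership. It shows why the 750 tree refuses the bare process, why adding the domain group fixes it, and what listing every domain group in one setting grants across domains.

```python
"""Model of the POSIX permission check behind the thread's symptoms.

Added example, not code from the Dovecot project or from the posters.
The toy filesystem, uids/gids and domain names are constructed.
"""
from typing import Dict, FrozenSet, NamedTuple, Optional, Tuple

R, W, X = 4, 2, 1

# Constructed filesystem: path -> (owner uid, owner gid, mode).
# Mirrors the layouts in the thread: /home/domain/homes/user at 750,
# /var/mail/vhosts/domain/user at 1777.
SAMPLE_FS: Dict[str, Tuple[int, int, int]] = {
    "/home": (0, 0, 0o755),
    "/home/example.com": (1001, 1001, 0o750),
    "/home/example.com/homes": (1001, 1001, 0o750),
    "/home/example.com/homes/alice": (1002, 1002, 0o700),
    "/home/example.com/homes/alice/Maildir": (1002, 1002, 0o700),
    "/home/other.net": (1003, 1003, 0o750),
    "/home/other.net/homes": (1003, 1003, 0o750),
    "/home/other.net/homes/bob": (1004, 1004, 0o700),
    "/var": (0, 0, 0o755),
    "/var/mail": (0, 0, 0o755),
    "/var/mail/vhosts": (0, 0, 0o755),
    "/var/mail/vhosts/other.net": (0, 0, 0o755),
    "/var/mail/vhosts/other.net/bob": (1004, 1004, 0o1777),
}


class Creds(NamedTuple):
    uid: int
    gid: int
    groups: FrozenSet[int]  # supplementary gids


def effective_perms(creds: Creds, owner_uid: int, owner_gid: int, mode: int) -> int:
    """rwx bits `creds` gets on one object: owner class, else group class
    (primary or supplementary gid), else other. Root is treated as all-permitted."""
    if creds.uid == 0:
        return R | W | X
    if creds.uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid == creds.gid or owner_gid in creds.groups:
        return (mode >> 3) & 7
    return mode & 7


def check_access(fs, path: str, creds: Creds, want: int) -> Tuple[bool, Optional[str]]:
    """Kernel-style path walk: every ancestor directory needs X (search),
    the final component needs the bits in `want`.
    Returns (granted, first path component that refused)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        cur = "/" + "/".join(parts[:i])
        owner_uid, owner_gid, mode = fs[cur]
        need = want if i == len(parts) else X
        if effective_perms(creds, owner_uid, owner_gid, mode) & need != need:
            return False, cur
    return True, None


def login_creds(uid: int, gid: int, etc_group_membership) -> Creds:
    """What a login shell gets: primary gid plus /etc/group memberships."""
    return Creds(uid, gid, frozenset(etc_group_membership))


def mail_process_creds(uid: int, gid: int, mail_extra_groups=()) -> Creds:
    """ASSUMPTION modelling the behaviour reported in the thread: the mail
    process gets only the userdb uid/gid plus the gids named in
    mail_extra_groups (the real setting takes group names; gids are used here)."""
    return Creds(uid, gid, frozenset(mail_extra_groups))


def scenarios(fs=SAMPLE_FS):
    alice_mbox = "/home/example.com/homes/alice/Maildir"
    shell = login_creds(1002, 1002, {1001})
    no_extra = mail_process_creds(1002, 1002)
    all_domains = mail_process_creds(1002, 1002, {1001, 1003})  # every domain group listed
    return {
        "shell, /etc/group honoured": check_access(fs, alice_mbox, shell, R | W | X),
        "mail process, no extra groups": check_access(fs, alice_mbox, no_extra, R | W | X),
        "mail process, all domain groups": check_access(fs, alice_mbox, all_domains, R | W | X),
        # cost of listing every domain group: alice's session can enumerate
        # other.net's users, because 750 gives the group class r and x
        "alice lists other.net homes": check_access(fs, "/home/other.net/homes", all_domains, R),
        # ...but 700 on the per-user directories still stops her there
        "alice enters bob's home": check_access(fs, "/home/other.net/homes/bob", all_domains, X),
        # 1777 lets any uid on the box create entries in bob's mail directory
        "alice writes into bob's 1777 dir": check_access(fs, "/var/mail/vhosts/other.net/bob", no_extra, W | X),
    }


if __name__ == "__main__":
    for name, (ok, where) in scenarios().items():
        print(f"{name:34} {'ok' if ok else 'EACCES at ' + where}")
```

Run it and the failing component is printed for each refused walk, which is the same information `ls -ld` on each directory in the chain gives on a real box. The model stays a model: on the real system, check what groups the imap process actually holds (for example, `grep Groups /proc/<pid>/status` on Linux) rather than inferring it from the config, which is also why a stale process that had already chdir'ed past the 750 directory can keep working after a restart while a fresh one fails.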
Joe Cooper
2006-Oct-26 07:34 UTC
[Dovecot] mail_extra_groups and home directory permissions
Joe Cooper wrote:

> Hi all,
>
> I've got a virtual hosting environment, where each user lives in
> /home/domain/homes/user, and the mailbox is a Maildir within that
> directory. I've been running into a permissions problem, because it
> seems Dovecot doesn't get the user's group membership (which seems odd,
> but I'm not confident enough of my comprehension of Dovecot to say
> it looks like a bug).
>
> In short, when Dovecot hits the /home/domain directory, which is owned by
> domain:domain and set to 750 permissions, it gets a permission denied,
> despite the user having the needed group membership to traverse these
> directories.
>
> So, in an effort to work around this problem, I came upon the
> mail_extra_groups option, which seems to allow me to drop Dovecot into
> additional groups. If I add the domain group to this list, Dovecot is
> able to traverse to the correct directory and all works exactly as I
> want it to, with the domain directories being set to 750 permissions.
> Hooray!
>
> My only question, since this is not the documented purpose of this
> option, is:
>
> Is it safe to do this? Am I opening up some other kind of security
> problem by setting this option to include all domain groups?
>
> Thanks for any thoughts anyone might have on this...

I spoke too soon. There were imap processes that stuck around through my Dovecot restart; they had already chdir'ed, I guess, and kept working. When I killed those and restarted the process, everything stopped working and the permission denied errors came back. Back to square one.

Anybody have a clue to lend me?