Dâniel Fraga
2008-Mar-10 16:02 UTC
[Dovecot] 1.0.13: mail_extra_groups alternative syntax?
"Warning: mail_extra_groups setting was often used insecurely so it is now deprecated, use mail_access_groups or mail_privileged_group instead"

I use the following:

mail_extra_groups = mail nogroup

Because I have the real and virtual accounts.

What's the correct way to replace the above line? It seems that mail_privileged_group only accepts one group, but I need two.

Any suggestion? Thank you!
Timo Sirainen
2008-Mar-11 01:14 UTC
[Dovecot] 1.0.13: mail_extra_groups alternative syntax?
On Mon, 2008-03-10 at 13:02 -0300, Dâniel Fraga wrote:
> "Warning: mail_extra_groups setting was often used insecurely so it is
> now deprecated, use mail_access_groups or mail_privileged_group instead"
>
> I use the following:
>
> mail_extra_groups = mail nogroup
>
> Because I have the real and virtual accounts.
>
> What's the correct way to replace the above line? It seems that
> mail_privileged_group only accepts one group, but I need two.
>
> Any suggestion? Thank you!

It depends on what you use the "mail" and "nogroup" for. The mail_privileged_group is used for creating dotlocks to directories where you normally don't have write access (/var/mail). mail_access_groups gives the process full access to the group, allowing the user to read/write to all files/dirs readable/writable by that group.
Dâniel Fraga
2008-Mar-11 01:43 UTC
[Dovecot] 1.0.13: mail_extra_groups alternative syntax?
On Tue, 11 Mar 2008 03:14:13 +0200 Timo Sirainen <tss at iki.fi> wrote:
> It depends on what you use the "mail" and "nogroup" for. The
> mail_privileged_group is used for creating dotlocks to directories where
> you normally don't have write access (/var/mail). mail_access_groups
> gives the process full access to the group, allowing the user to
> read/write to all files/dirs readable/writable by that group.

Hi Timo, I use "mail" for /var/mail (you're correct):

drwxrwxr-x 3 root mail 488 Mar 10 22:26 /var/mail/

and "nogroup" for /var/spool/virtual.

So in thesis, the following should work, right?

mail_privileged_group = mail
mail_access_groups = nogroup

At least it seems to work here. Thanks.
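
Added example, not part of the original thread: since mail_access_groups gives the mail process everything the named group can read or write, the sketch below lists what a group such as "nogroup" reaches on disk, and which group-writable paths sit outside the intended mail root. The function names and the scanned directories are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# A process given a group via mail_access_groups can use every path that
# group can reach, so list those paths before choosing the group.

# group_exposure GROUP DIR...
# Prints "write PATH" for group-writable paths owned by GROUP and
# "read  PATH" for paths the group can read but not write.
group_exposure() {
    grp=$1; shift
    find "$@" -xdev -group "$grp" -perm -020 -exec printf 'write %s\n' {} \;
    find "$@" -xdev -group "$grp" -perm -040 ! -perm -020 \
        -exec printf 'read  %s\n' {} \;
}

# outside_mail_root GROUP MAILROOT DIR...
# Prints group-writable paths owned by GROUP that are NOT under MAILROOT.
# MAILROOT must be written the way find prints it (no trailing slash).
outside_mail_root() {
    grp=$1; root=$2; shift 2
    find "$@" -xdev -path "$root" -prune -o \
        -group "$grp" -perm -020 -print
}

# Example call with the values from the thread:
#   outside_mail_root nogroup /var/spool/virtual /var /home
if [ "$#" -ge 3 ]; then
    outside_mail_root "$@"
fi
```

Any path printed by outside_mail_root is something the mail process could modify once the group is listed in mail_access_groups, even though it has nothing to do with mail storage.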