If I create a new folder using a mail client (eg. kmail/OE), the
maildirfolder file is created world-writable. I assume that this is a
security risk and should be -rw-------.
eg. - create folder "Foo" in mail client
~ $ ls -la .maildir/.Foo/
total 20
drwx------ 5 robert users 4096 2009-01-21 19:56 .
drwx------ 43 robert users 4096 2009-01-21 19:56 ..
drwx------ 2 robert users 4096 2009-01-21 19:56 cur
-rw-rw-rw- 1 robert users 0 2009-01-21 19:56 maildirfolder
drwx------ 2 robert users 4096 2009-01-21 19:56 new
drwx------ 2 robert users 4096 2009-01-21 19:56 tmp
Some info:
# dovecot --version
1.1.7
# dovecot -n
# 1.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.27-gentoo-r7 x86_64 Gentoo Base System release 1.12.11.1
ssl_cert_file: /etc/ssl/dovecot/server.pem
ssl_key_file: /etc/ssl/dovecot/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_location: maildir:~/.maildir
mail_plugins: deleted_to_trash
namespace:
  type: public
  separator: /
  prefix: Public/
  location: maildir:/var/local/mail/public/
  list: yes
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  passdb:
    driver: pam
    args: *
  userdb:
    driver: passwd
I can't find this in the bugs area.
On Wed, 2009-01-21 at 20:06 +1100, Robert S wrote:
> If I create a new folder using a mail client (eg. kmail/OE), the
> maildirfolder file is created world-writable. I assume that this is a
> security risk and should be -rw-------.

Yes, it shouldn't be world-writable, fixed:
http://hg.dovecot.org/dovecot-1.1/rev/22c279ca3bb4

Anyway there isn't really much danger with how it was previously, because:

1) The directory was created with 0700 permissions, so no-one could write
to the file.
2) Even if someone was able to write to the file, the worst that could
happen is that the owner's disk quota was reduced. The maildirfolder file
is never read by Dovecot.
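Added example, not part of the thread and not Dovecot code: a POSIX shell audit that finds world-writable maildirfolder files and reports whether a restrictive directory (the 0700 case from point 1 of the reply) keeps other users from reaching them. The function names are hypothetical, and only directories from the Maildir root downwards are checked, so a restrictive home directory above the root is not taken into account.

```shell
#!/bin/sh
# Audit maildirfolder files below a Maildir root (added example).

# Print the 10-character mode string of a path, e.g. "-rw-rw-rw-".
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Succeed if "other" users may traverse every directory from $2 up to
# and including the Maildir root $1. Directories above the root are
# not checked (assumption stated in the lead-in).
others_can_reach() {
    _top=$1 _dir=$2
    while :; do
        case $(mode_of "$_dir" | cut -c10) in
            x|t) ;;          # other-execute bit set: traversal allowed
            *) return 1 ;;   # this directory blocks other users
        esac
        case $_dir in
            "$_top"|/|.) return 0 ;;
        esac
        _dir=$(dirname -- "$_dir")
    done
}

# For each world-writable maildirfolder file print one line:
#   EXPOSED <path>    other users can reach and write the file
#   MITIGATED <path>  mode is too loose, but a directory blocks access
audit_maildirfolder() {
    _root=${1%/}
    find "$_root" -type f -name maildirfolder | sort |
    while IFS= read -r _f; do
        case $(mode_of "$_f" | cut -c9) in
            w) ;;            # other-write bit set: report it
            *) continue ;;   # e.g. -rw-------, nothing to report
        esac
        if others_can_reach "$_root" "$(dirname -- "$_f")"; then
            echo "EXPOSED $_f"
        else
            echo "MITIGATED $_f"
        fi
    done
}

# Stand-alone use: sh audit.sh ~/.maildir
if [ "$#" -gt 0 ]; then
    audit_maildirfolder "$1"
fi
```

Either result is cleared with `chmod 600` on the reported file, which gives the -rw------- mode asked for in the original report.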