If I create a new folder using a mail client (eg. kmail/OE), the maildirfolder file is created world-writable. I assume that this is a security risk and should be -rw-------. eg. - create folder "Foo" in mail client ~ $ ls -la .maildir/.Foo/ total 20 drwx------ 5 robert users 4096 2009-01-21 19:56 . drwx------ 43 robert users 4096 2009-01-21 19:56 .. drwx------ 2 robert users 4096 2009-01-21 19:56 cur -rw-rw-rw- 1 robert users 0 2009-01-21 19:56 maildirfolder drwx------ 2 robert users 4096 2009-01-21 19:56 new drwx------ 2 robert users 4096 2009-01-21 19:56 tmp Some info: # dovecot --version 1.1.7 # dovecot -n # 1.1.7: /etc/dovecot/dovecot.conf # OS: Linux 2.6.27-gentoo-r7 x86_64 Gentoo Base System release 1.12.11.1 ssl_cert_file: /etc/ssl/dovecot/server.pem ssl_key_file: /etc/ssl/dovecot/server.key disable_plaintext_auth: no login_dir: /var/run/dovecot/login login_executable: /usr/libexec/dovecot/imap-login mail_location: maildir:~/.maildir mail_plugins: deleted_to_trash namespace: type: public separator: / prefix: Public/ location: maildir:/var/local/mail/public/ list: yes namespace: type: private separator: / inbox: yes list: yes subscriptions: yes auth default: passdb: driver: pam args: * userdb: driver: passwd I can't find this is the bugs area.
On Wed, 2009-01-21 at 20:06 +1100, Robert S wrote:> If I create a new folder using a mail client (eg. kmail/OE), the > maildirfolder file is created world-writable. I assume that this is a > security risk and should be -rw-------.Yes, it shouldn't be world-writable, fixed: http://hg.dovecot.org/dovecot-1.1/rev/22c279ca3bb4 Anyway there isn't really much danger with how it was previously, because: 1) The directory was created with 0700 permissions, so no-one could write to the file. 2) Even if someone was able to write to the file, the worst that could happen is that the owner's disk quota was reduced. The maildirfolder file is never read by Dovecot. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090125/5a805ef8/attachment-0002.bin>
Seemingly Similar Threads
- convert plugin created maildirfolder file in root maildir directory
- v1.0.13: maildirfolder not being created
- maildirfolder file created in maildir root during auto-creation with 2.3.4.1 but not 2.2.27
- IMAP creates .userid directory even after pop.
- Apple Mail and subfolders