On Thu, 2009-11-19 at 14:25 -0500, Frank Cusack wrote:
> If /var/run/dovecot does not exist when dovecot starts up (e.g. required
> when /var/run is a tmpfs/ramfs), it creates it. But it creates it with
> the wrong file mode -- the directory is mode 777. Being world writable
> means any user could change the name of any file within the directory,
> including the login directory, and then create their own new login
> directory. Or remove the pid file, or perhaps cause other types of havoc.
Interesting. This bug had existed in probably all v1.2 versions, but I
noticed and fixed it about an hour before seeing your email. Sometimes
it seems like this happens a bit too often: an old bug gets noticed by
multiple people very close to each other. :)
Anyway, here's the fix:
http://hg.dovecot.org/dovecot-1.2/rev/3ebbccdc05e6
(v1.0 and v1.1 were actually also creating it with 0777, but they
immediately chmoded it back to 0755. That's why when I removed the chmod
code that was only for backwards compatibility it broke.)
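One way to keep a runtime directory's mode independent of how it was first created, as an added example that is not Dovecot's code or the linked fix: create the directory, then set and verify the exact mode through a file descriptor. The function names, the 0755 target and the `/tmp/rundir-demo-*` scratch path are assumptions made for the illustration.

```c
/* Added example, not Dovecot's code: create a runtime dir with an exact mode. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 when path is a directory we own whose mode is exactly `mode`. */
int ensure_runtime_dir(const char *path, mode_t mode)
{
    struct stat st;
    int fd, ret = -1;
    /* Never ask mkdir() for 0777; umask can only narrow the requested mode. */
    if (mkdir(path, mode) < 0 && errno != EEXIST)
        return -1;
    /* O_DIRECTORY|O_NOFOLLOW: refuse a file or symlink planted at path. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check ownership, force the exact mode, then re-read it to confirm. */
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
        fchmod(fd, mode) == 0 &&
        fstat(fd, &st) == 0 && (st.st_mode & 07777) == mode)
        ret = 0;
    close(fd);
    return ret;
}

/* Constructed scenario: the directory starts with start_mode (0 = absent).
   Returns the final permission bits, or -1 on failure. */
int demo_final_mode(mode_t start_mode)
{
    char base[] = "/tmp/rundir-demo-XXXXXX", path[64];
    struct stat st;
    int result = -1;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/dovecot", base);
    if (start_mode != 0 && (mkdir(path, start_mode) < 0 || chmod(path, start_mode) < 0))
        goto out;
    if (ensure_runtime_dir(path, 0755) == 0 && stat(path, &st) == 0)
        result = st.st_mode & 07777;
out:
    rmdir(path);
    rmdir(base);
    return result;
}
```

`demo_final_mode(0777)` models a directory left world-writable by an earlier start; the check repairs it rather than trusting that it was created correctly.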