The main reason is that I don't want to provide backup user with unnecessary write permissions within maildirs and mail user within backup logs dir. I was talking about mail_user:mail_group 0750 on dirs and 0640 on files. (Or, possibly, mail_user:backup_group 2750 and 2640.)

26.12.2014, 11:19, "Tobi" <tobster at brain-force.ch>:
> What's the reason you do not want to use default dovecot user? Your idea would assume that at least the group must have write access. For me a no-go on mailboxes.
>
> On 24 December 2014 13:21:15 CET, Von Random <von at vdrandom.org> wrote:
>> Hello.
>>
>> In my configuration dovecot reads home from mysql and uses no variables
>> within it. It uses Maildir++ storage with virtual users. I also happen
>> to use LMTP.
>>
>> I want to use a backup solution that does not involve running itself as
>> root. Neither do I want to run it as dovecot's mail user.
>>
>> And there lies the problem: dovecot creates maildirs with 0700 and
>> files within them inherit that set of permissions. And there seems to
>> be no sane way to control it. I think I've figured out what to patch in
>> order to change that default, but if possible, I'd like to avoid doing
>> that.
>>
>> tl;dr: is it possible to change the default set of permissions for new
>> maildirs created by dovecot?
>
> --
> This message was sent from my Android mobile phone with K-9 Mail.
Err, my bad, of course 0640 on files in case of setgid on directories.

26.12.2014, 11:36, "Von Random" <von at vdrandom.org>:
> The main reason is that I don't want to provide backup user with unnecessary write permissions within maildirs and mail user within backup logs dir. I was talking about mail_user:mail_group 0750 on dirs and 0640 on files. (Or, possibly, mail_user:backup_group 2750 and 2640.)
Yes, and it is not my use case, sadly. ACLs are meant for imap, not filesystem access and mail_access_groups is also useless for some reason. It just does not change anything. Probably because I don't use mail_location and variables when I provide path for home. (It's stored as is in a database on mailbox creation.)

26.12.2014, 12:07, "Tobi" <tobster at brain-force.ch>:
> Have you checked the dovecot wiki for 'filepermissions in shared mailboxes'?
> Explains how dovecot sets ACL when creating mailboxes
>
> On 26 December 2014 09:37:37 CET, Von Random <von at vdrandom.org> wrote:
>> Err, my bad, of course 0640 on files in case of setgid on directories.
>
> --
> This message was sent from my Android mobile phone with K-9 Mail.
On Fri, 26 Dec 2014, Von Random wrote:
> Yes, and it is not my use case, sadly. ACLs are meant for imap, not
> filesystem access and mail_access_groups is also useless for some
> reason. It just does not change anything. Probably because I don't use
> mail_location and variables when I provide path for home. (It's stored
> as is in a database on mailbox creation.)

I think Tobi means this page:
http://wiki2.dovecot.org/SharedMailboxes/Permissions

There you see which directory filesystem permissions are copied from on creation.

> 26.12.2014, 12:07, "Tobi" <tobster at brain-force.ch>:
>> Have you checked the dovecot wiki for 'filepermissions in shared mailboxes'?
>> Explains how dovecot sets ACL when creating mailboxes
--
Steffen Kaiser
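The scheme proposed earlier in the thread (mail_user:backup_group with 2750 on directories and 0640 on files, so the backup user can read but never write) can be checked against an existing tree with an audit like the one below. This is an added example, not code from any message in the thread or from Dovecot; the function names and the optional `expected_gid` parameter are assumptions made for illustration.

```python
import os
import stat
import sys

def check_mode(mode, is_dir, require_setgid=True):
    """Compare one st_mode with the thread's scheme:
    directories 2750 (0750 if setgid is not required), files 0640."""
    perm = stat.S_IMODE(mode)
    problems = []
    if perm & stat.S_IWGRP:
        problems.append("group-writable")
    if perm & stat.S_IRWXO:
        problems.append("accessible to others")
    if not perm & stat.S_IRGRP:
        problems.append("group cannot read")
    if is_dir:
        if not perm & stat.S_IXGRP:
            problems.append("group cannot traverse")
        if require_setgid and not perm & stat.S_ISGID:
            problems.append("setgid missing")
    return problems

def audit_maildir(root, require_setgid=True, expected_gid=None):
    """Return [(path, octal_mode, problems)] for every directory or regular
    file under root that deviates. Symlinks and special files are skipped."""
    findings = []

    def check(path):
        st = os.lstat(path)
        is_dir = stat.S_ISDIR(st.st_mode)
        if not (is_dir or stat.S_ISREG(st.st_mode)):
            return
        problems = check_mode(st.st_mode, is_dir, require_setgid)
        if expected_gid is not None and st.st_gid != expected_gid:
            problems.append("wrong group (gid %d)" % st.st_gid)
        if problems:
            findings.append((path, format(stat.S_IMODE(st.st_mode), "04o"), problems))

    check(root)
    # Subdirectories are checked from their parent's listing, so a 0700
    # directory the auditing user cannot enter is still reported.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings

if __name__ == "__main__":
    # Usage: python audit.py <maildir path chosen by the operator>
    for path, mode, problems in audit_maildir(sys.argv[1]):
        print(mode, path, ", ".join(problems))
```

Run as the backup user, it lists every directory still at 0700 and every file the group cannot read, which is the situation the original question describes.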