Hello all,

I'm setting up an IMAP server with dovecot. I've set up system users with PAM authentication and Maildir mailboxes.

I'd like to share mailboxes among them, but regardless of what I try, I bump into filesystem permissions.

I want to have Maildirs created for new users with the right permissions. I even changed "UMASK" in file /etc/login.defs from 022 to 002, but the Maildirs are still created with 700 permissions:

ls -l /home/ximplet2/
total 4
drwx------ 9 ximplet2 users 4096 Apr 12 19:10 Maildir

Really there's no better way than running "chmod -R g=u /home/ximplet2/Maildir" and "chmod g+s /home/ximplet2/Maildir" for every user? Really??

I read that, before v.2, Dovecot had a "umask" option to do precisely what I need, but it was removed.

How are we supposed to use ACL with system users nowadays?

Rubeno

P.S: my doveconf -n:

# 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: Linux 4.4.0-119-generic x86_64 Ubuntu 16.04.4 LTS
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_access_groups = kundividantoj
mail_location = maildir:~/Maildir:LAYOUT=fs
mail_plugins = acl
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace {
  list = yes
  location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/Komunujo/%%n
  prefix = Komunujo/%%n/
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Malnetujo {
    auto = subscribe
    comment = Mesaĝoj ne finitaj nek senditaj
    special_use = \Drafts
  }
  mailbox Rubujo {
    auto = subscribe
    autoexpunge = 120 days
    comment = Ĉi tien iras la forviŝitaj mesaĝoj
    special_use = \Trash
  }
  mailbox Senditujo {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spamujo {
    auto = create
    autoexpunge = 30 days
    comment = Mesaĝoj markitaj kiel ne deziritaj
    special_use = \Junk
  }
  prefix =
  subscriptions = yes
  type = private
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/kundividitaj/shared-mailboxes
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/imapsieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY FLAG
  imapsieve_mailbox1_name = Spamujo
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/imapsieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spamujo
  imapsieve_mailbox2_name = *
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve/final
  sieve_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group =
    mode = 0777
    user =
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lda {
  mail_plugins = acl sieve
}
protocol imap {
  mail_plugins = acl imap_acl imap_sieve
}
Dovecot will copy the mail root permissions when creating directories & folders.

Aki

On 12.04.2018 22:45, Rubén Fernández Asensio wrote:
OK, I found it. I changed the "DIR_MODE" directive in file /etc/adduser.conf from 0755 to 02770 and the "USERGROUPS" directive from "yes" to "no". Now all new users belong to the same group and their home directories have 2770 permissions, which Maildir inherits. Since their shell is /usr/sbin/nologin this probably isn't a big security hole. I can even unset "mail_access_groups".

I know this wasn't Dovecot-specific, but sometimes we Linux novices appreciate a helping hand...

On 13/04/18 at 08:31, Aki Tuomi wrote:
> Dovecot will copy the mail root permissions when creating directories &
> folders.
>
> Aki
>
> On 12.04.2018 22:45, Rubén Fernández Asensio wrote:
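As an added example (not code from the thread or from Dovecot), a small POSIX shell audit of the filesystem side of what Aki and Rubeno describe: because Dovecot copies the mail root's mode and group onto the folders it creates, the check verifies that each user's mail root already carries the mode and group that ACL-based sharing relies on. It assumes GNU stat (Linux) and takes the group name kundividantoj from the posted config as the expected value.

```shell
#!/bin/sh
# Added example, not from the thread: audit the filesystem side of the setup
# discussed above. Dovecot copies the mail root's mode and group onto the
# folders it creates, so a mail root that is 0700 or has the wrong group
# breaks sharing for every folder created later. Assumes GNU stat (Linux).

# maildir_check <dir> <expected-octal-mode> <expected-group>
# Returns 0 when <dir> exists, has exactly the expected mode (setgid bit
# included, e.g. 2770) and the expected group; otherwise prints the problem
# and returns 1.
maildir_check() {
    dir=$1; want_mode=$2; want_group=$3
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    group=$(stat -c '%G' "$dir")
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE     $dir is $mode, expected $want_mode"
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP    $dir is $group, expected $want_group"
        return 1
    fi
    return 0
}

# audit_homes <home-root> <expected-octal-mode> <expected-group>
# Runs maildir_check on <home-root>/*/Maildir; returns 1 if any check fails,
# so it can gate a cron job or a post-adduser hook.
audit_homes() {
    rc=0
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        maildir_check "${home%/}/Maildir" "$2" "$3" || rc=1
    done
    return $rc
}

# With the thread's setup (DIR_MODE=02770 and the shared group from the
# posted config, "kundividantoj"):
#   audit_homes /home 2770 kundividantoj
```

Run it after adding users, or from cron, and treat a non-zero exit as a mail root that will not share correctly.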