Hi,
It seems to me that many versions of Debian (where /var/mail is
root:mail 2775) are vulnerable.
Timo Sirainen wrote :
a) Upgrade to v1.0.11 and use the new mail_privileged_group setting
instead of mail_extra_groups.
We tried this but now the mail.log has a number of lines :
« dovecot: IMAP(someuser): open(/var/mail/.temp.XXXX) failed: Permission
denied »
This with mail_location: mbox:~/Mail:INBOX=/var/mail/%u and no specific
settings for mbox_*_locks.
mail_privileged_group setting works by keeping the group in process's
saved GID while it's not in use and temporarily switching it to
effective GID while dotlocks are created. Currently this is done only
when:
1. It's only done for INBOX mbox which doesn't exist under the same
location as other mailboxes (so typically under /var/mail).
2. It's used only after initial dotlock creation try failed with EACCES
error.
This might be the explanation, but is there any way to avoid the logs to
get flooded ?
Cheers,
Jeremie
