On 26 Nov 2015, at 04:12, martin f krafft wrote:
>
> Hello,
>
> we're using vmm¹ to manage our postfix+dovecot virtual mail setup,
> which allows us to give every virtual user a separate EUID and every
> domain a separate EGID for additional security (vs. handling all
> virtual mail with a single "vmail" user).
>
> As a consequence, however, vmm must itself create the user
> directories with the appropriate owners, and to do so, it requires
> root rights.
>
> I am trying to investigate getting rid of this need³. Since Dovecot
> quite happily creates ~/Maildir when necessary, couldn't it also
> create parents? The home directory should be trivial (same
> EUID/EGID), but grandparents etc. might need a different policy
> (e.g. 0/EGID for the grandparent, 0/0 for great-grandparents, etc.).
Dovecot already creates all the parent directories. What to set to the
permissions are of course a problem.
http://wiki2.dovecot.org/SharedMailboxes/Permissions explains how it works
right now. See especially "Permissions to new /domain/user directories" and
"Permissions to new user home directories (v2.2+)".
> Is this something that could fall within the realm of Dovecot's
> lmtp? Or is the lmtp invoked as the user and doesn't actually drop
> root? If so, might there be another way?
That's the even bigger issue. The home dir creation is done with the user's
privileges, not as root. But the +t bit might help.
