Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2017-01-26 Thread Apollon Oikonomopoulos
Control: tags -1 wontfix Hi, On 10:56 Sat 23 Jul , Timo Sirainen wrote: > Dovecot isn't really compatible with having mbox files being 0660 mode > and having a shared (mail-)group. If the mode can't be changed to > 0600, I don't think there's much that can be done now. I think it'll >

Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2016-07-23 Thread Timo Sirainen
On 23 Jul 2016, at 02:28, Apollon Oikonomopoulos wrote: > > Hi, > > On 18:05 Fri 22 Jul , Timo Sirainen wrote: >> That would be a dangerous change. Users with shell access could >> symlink (or hardlink) other peoples' inboxes to their own folders and >> read them. > >

Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2016-07-23 Thread Apollon Oikonomopoulos
Hi, On 18:05 Fri 22 Jul , Timo Sirainen wrote: > That would be a dangerous change. Users with shell access could > symlink (or hardlink) other peoples' inboxes to their own folders and > read them. IIUC, a more secure approach here would be to set mail_privileged_group to 'mail' and leave

Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2016-07-22 Thread Jaldhar H. Vyas
On Fri, 22 Jul 2016, Timo Sirainen wrote: That would be a dangerous change. Users with shell access could symlink (or hardlink) other peoples' inboxes to their own folders and read them. Given that users in Debian are not members of group mail is it still a risk? -- Jaldhar H. Vyas

Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2016-07-22 Thread Timo Sirainen
That would be a dangerous change. Users with shell access could symlink (or hardlink) other peoples' inboxes to their own folders and read them. > Francois Gouget kirjoitti 13.5.2016 kello 13.49: > > Package: dovecot-core > Version: 1:2.2.23-1 > Severity: normal > > On Debian

Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2016-07-22 Thread Jaldhar H. Vyas
tag 824212 +pending thanks On Fri, 13 May 2016, Francois Gouget wrote: The fix is to set 'mail_access_groups = mail' in /etc/dovecot/conf.d/10-mail.conf, which should be the default for the Debian package. I just wanted to let you know this change has been made and will appear in our next

Bug#824212: dovecot-core: mail_access_groups must be set on Debian

2016-05-13 Thread Francois Gouget
Package: dovecot-core Version: 1:2.2.23-1 Severity: normal On Debian the mail inboxes belong to the mail group as per the SystemGroups policy: https://wiki.debian.org/SystemGroups | * mail: Mailboxes in /var/mail are owned by group mail, as explained | in policy. The user and group are used