On Thu, 2009-11-19 at 14:25 -0500, Frank Cusack wrote:
> If /var/run/dovecot does not exist when dovecot starts up (e.g. required
> when /var/run is a tmpfs/ramfs), it creates it. But it creates it with
> the wrong file mode -- the directory is mode 777. Being world writable
> means any user could change the name of any file within the directory,
> including the login directory, and then create their own new login
> directory. Or remove the pid file, or perhaps cause other types of havoc.
Interesting. This bug had existed in probably all v1.2 versions, but I noticed and fixed it about an hour before seeing your email. Sometimes it seems like this happens a bit too often: an old bug gets noticed by multiple people very close to each other. :)

Anyway, here's the fix: http://hg.dovecot.org/dovecot-1.2/rev/3ebbccdc05e6

(v1.0 and v1.1 were actually also creating it with 0777, but they immediately chmoded it back to 0755. That's why, when I removed the chmod code that was only for backwards compatibility, it broke.)
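A defender's version of the directory-creation step discussed in this thread, added here as an example and not Dovecot's own code: it creates the runtime directory with an explicit mode and refuses to proceed if the directory ends up world-writable. The path and function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not Dovecot's code: create a runtime directory such as
 * /var/run/dovecot with a safe mode and refuse a world-writable one. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a real directory that is not writable by "other",
 * so unprivileged users cannot rename or unlink entries in it (the login
 * directory, the pid file); returns 0 otherwise. */
int dir_mode_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;   /* missing, or a symlink/file put in its place */
    if (st.st_mode & S_IWOTH)
        return 0;   /* mode 0777: the bug in the quoted report */
    return 1;
}

/* Creates path with the requested mode if it is missing, then verifies it.
 * mkdir() applies the process umask, so the mode is re-applied with chmod()
 * (the v1.0/v1.1 approach mentioned above). An existing directory is only
 * checked, never chmodded, so a tampered-with one is reported, not hidden.
 * Returns 0 on success, -1 with errno set on failure. */
int ensure_runtime_dir(const char *path, mode_t mode)
{
    if (mkdir(path, mode) == 0) {
        if (chmod(path, mode) < 0)
            return -1;
    } else if (errno != EEXIST) {
        return -1;
    }
    if (!dir_mode_is_safe(path)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *path = "/tmp/example-dovecot-run";  /* constructed demo path */
    if (ensure_runtime_dir(path, 0755) < 0)
        perror(path);
    printf("%s passes the world-writable check: %d\n", path, dir_mode_is_safe(path));
    return 0;
}
```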