> It is hard to guess what you need from the scarce information you
> provide.
I'm sorry... In hindsight, that was _very_ little information.
I'm running 5.0, with postfix as an MTA, delivering mail for two virtual
domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.
> Can you show the output of
> # ls -al /var/mail
$ ls -l /var/mail
total 2148
-rw------- 1 root wheel 1076477 Jan 14 16:13 root
drwx------ 4 vmail vmail 512 Dec 5 00:33 vmail
-rw------- 1 zeloff users 0 Jan 10 2011 zeloff
Inside /var/mail/vmail is a folder of each of the virtual domains, and
inside that one for every user, etc. Everything from here on down has
either 700 (folders) or 600 (files) permissions.
> on the machine in question, and the exact messages you see in your
> daily security emails?
Running security(8):
Checking mailbox ownership. user vmail mailbox is
drwx------, group vmail
If I chmod 600 /var/mail/vmail, security(8) runs clean, so it's the
executable bit that's causing the trouble, but unsetting it is not an
option for the obvious reasons.
Relocating the whole thing is most probably the best idea, but is there
anything wrong with this patch I came up with?
--- /usr/libexec/security Mon Apr 16 10:43:36 2012
+++ security Mon Apr 16 11:43:20 2012
@@ -457,7 +457,7 @@
my $gname = (getgrgid $fgid)[0] // $fgid;
nag $fname ne $name,
"user $name mailbox is owned by $fname";
- nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+ nag S_IMODE($mode) != (S_IRUSR | S_IWUSR |
+ (S_ISDIR(S_IFMT($mode)) && S_IXUSR) ),
sprintf 'user %s mailbox is %s, group %s',
$name, strmode($mode), $gname; }
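Review bot: the added expression `(S_ISDIR(S_IFMT($mode)) && S_IXUSR)` yields the empty string rather than 0 whenever the mailbox is not a directory, so the OR against `S_IRUSR | S_IWUSR` only works because Perl coerces "" to 0 in numeric context (and that coercion emits an "isn't numeric in bitwise or" warning if the script runs under `use warnings`). A ternary states the intent and avoids the coercion: `(S_ISDIR($mode) ? S_IXUSR : 0)`. The inner `S_IFMT($mode)` is also redundant, since Fcntl's S_ISDIR already masks its argument with S_IFMT. Worth documenting in the commit message that the relaxed check now accepts 0700 on any directory under /var/mail, not only a maildir tree such as /var/mail/vmail.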
I have no proper perl skills whatsoever, but I tested it on a few files
with different permissions and it appears to work properly...
So, what's the verdict? Should maildirs be kept out of /var/mail
altogether, or is patching security(8) a viable alternative?
Many thanks
Ze (with an acute-accented 'e', damn encodings...)