There is no setgid bit set.
I had to chmod 777 the /website/vuser directory just so that new user
creates would work; otherwise, when it changes uid to some virtual id such
as 2003, it would not be allowed to create anything in the directory to
begin with, no matter who owned it.
It's really problematic because even if the end user creates the
/website/vuser/test.com directory ahead of time with correct uid and gid
like postfix seems to need to work, the uids are an autoincrement field
starting at 2002 for each new added user, so you can see how this could be
cumbersome quickly.
The way postfix is currently working, the only feasible way to do it would
be for every virtual user on the system to share the same uid; then that
parent directory could be owned by that user. In that system, every ftp
account, imap, pop3, email account would be owned by the same id. I'm almost
considering moving to doing it that way just to avoid these issues with
postfix, as I'm really trying to see any kind of security issues arising
from a parent process forking to the same uid for everything. The only one
I can see is if ftp users were not chrooted to their home directory they
could go around deleting other users' files. Since the reason I am sharing
the same gid across all virtual users to begin with is to chroot ftp users
to their home directory, maybe any security risk may be alleviated.
A correct solution I think however for postfix would be if mkdir fails
with permission denied errors on parent directory, to change uid to root,
create directory and change permissions on it.
I think I may move to sharing the same virtual uid and gid for all virtual
users, since ftp chroot is the only security risk I can see, and if I ever
had to move users to a new system and lost permissions on all directories,
it would be cumbersome to chown -R each user to their respective uid again.
Dan.
On Wed, 1 Dec 2010, Wietse Venema wrote:
Dan:
Gid inherits top level directory GID?
Turn off the SETGID bit in the PARENT directory.
Wietse