If you don't need the other groups in Dovecot you can get rid of them and just have the process use the user's primary group and mail_extra_groups. I think this should work:

    userdb passwd {
      args = system_user=
    }

Actually, yes I like this a lot and put this change into production. I was planning on using some secondary groups to prevent filesystem access, but I can accomplish the same protection easier with this and mail_extra_groups. Thanks! I didn't test yet that the secondary groups aren't loaded but I will sometime.
According to my logs, it seems it does not prevent the secondary groups. I'd look at the code to see how it works, but I have to switch tasks and may not work more with dovecot until tomorrow. I suppose if I cannot get this to work, it sounds like I may be able to depend on the patch below.

>> With some recent permission changes I've done (affects dovecot 1.0 as
>> well), I get a good amount of these fchown errors and I was thinking of
>> muting them so they do not fill my log, since they are harmless in my
>> setup.

If these errors happen for index files Dovecot currently falls back to using in-memory indexes.

Oh. Ugh. That might explain why the indexes don't always seem to load. For some reason I thought dovecot might print a message when it falls back to in-memory indexes; would that be possible?

>> Right now in my public folder permission scheme, the only thing I need
>> dovecot-shared for (I think) is making client-added emails world-readable
>> at least (currently actually mode 666). As long as the indexes are
>> accessible by the user, I don't care what mode or group they are.

How about this: http://hg.dovecot.org/dovecot/rev/0dd9b91fd52c

I will roll that in and test alongside the next patch you sent. Thanks.