On Sat, 2007-10-27 at 17:42 -0400, Adam McDougall wrote:
> If you don't need the other groups in Dovecot you can get rid of them and
> just have the process use the user's primary group and mail_extra_groups.
> I
> think this should work:
>
> userdb passwd {
> args = system_user=
> }
>
> Actually, yes I like this alot and put this change into production. I was
> planning on using some secondary groups to prevent filesystem access, but
> I can accomplish the same protection easier with this and mail_extra_groups.
> Thanks! I didn't test yet that the secondary groups aren't loaded but I
> will
> sometime.
>
> According to my logs, it seems it does not prevent the secondary groups.
> I'd look at the code to see how it works, but I have to switch tasks and
> may not work more with dovecot until tomorrow. I suppose if I cannot get
> this to work, it sounds like I may be able to depend on the patch below.
Looks like it overrides the system_user with empty value and Dovecot
ends up calling initgroups(""). I'm not sure what that does, if
anything. This fixes it: http://hg.dovecot.org/dovecot/rev/7f2501b3e993
> >> With some recent permission changes I've
> >> done (affects dovecot 1.0 as well), I get a good amount of these fchown
> >> errors
> >> and I was thinking of muting them so they do not fill my log, since they
> >> are harmless
> >> in my setup.
>
> If these errors happen for index files Dovecot currently fallbacks to
> using
> in-memory indexes.
>
> Oh. Ugh. That might explain why the indexes don't always seem to load.
> For some reason I thought dovecot might print a message when it falls back
> to in-memory indexes; would that be possible?
Possible yes, but I'm not sure if it's a good idea. Users with
filesystem quotas probably wouldn't want to see them. It's anyway done
silently only when write fails because of ENOSPC/EDQUOT, in other cases
some error is always logged.
signature.asc
Description: This is a digitally signed message part
