On Wed, 2011-09-14 at 13:57 +0200, Lutz Preßler wrote: > On Mi, 14 Sep 2011, Timo Sirainen wrote: > > > On 14.9.2011, at 14.40, Lutz Preßler wrote: > > > > > with imapc settings coming from userdb (individual configuration > > > necessary) > > > there exists a security problem if access to auth-userdb socket is given > > > to normal (shell) users: > > > > So don't give it to them? :) Actually this should be pretty much solved > > with v2.1 defaults. If the auth-userdb socket is 0666 root:root (default > > now), it requires that the calling process either has root user/group > > privileges or its uid matches the one returned by userdb, otherwise it > > won't return any fields. > I had to change that because of shared mailboxes and usage of %%h. > Maybe one could return only home if uid does not match?
Well, you could also solve it by making it 0660 with group=dovecot and then set mail_access_groups=dovecot.
