[dovecot/core] 366813: master: Add default_internal_group setting, defaul...

GitHub noreply at github.com
Fri Feb 9 09:30:11 EET 2018


  Branch: refs/heads/master
  Home:   https://github.com/dovecot/core
  Commit: 36681376ffc13916cb0dd42ea9d01f9b1d936783
      https://github.com/dovecot/core/commit/36681376ffc13916cb0dd42ea9d01f9b1d936783
  Author: Timo Sirainen <timo.sirainen at dovecot.fi>
  Date:   2018-02-09 (Fri, 09 Feb 2018)

  Changed paths:
    M src/master/master-settings.c
    M src/master/master-settings.h

  Log Message:
  -----------
  master: Add default_internal_group setting, defaulting to "dovecot"

It's expected that this is the primary group of the default_internal_user.

This group will be used to provide access to sockets that are generally
required by all Dovecot processes, but aren't safe enough to be allowed
completely open access from untrusted processes.


  Commit: 473da735fa1d3c763821e6248d72f79d19d9dada
      https://github.com/dovecot/core/commit/473da735fa1d3c763821e6248d72f79d19d9dada
  Author: Timo Sirainen <timo.sirainen at dovecot.fi>
  Date:   2018-02-09 (Fri, 09 Feb 2018)

  Changed paths:
    M src/dict/dict-settings.c

  Log Message:
  -----------
  dict: Change dict and dict-async default socket permissions to allow default_internal_group

Many mail processes need to talk to dict. This makes it easier to enable
dict without having to configure permissions.


  Commit: 49568744a836768dc6c76db837130b7966c5ff38
      https://github.com/dovecot/core/commit/49568744a836768dc6c76db837130b7966c5ff38
  Author: Timo Sirainen <timo.sirainen at dovecot.fi>
  Date:   2018-02-09 (Fri, 09 Feb 2018)

  Changed paths:
    M src/stats/stats-settings.c

  Log Message:
  -----------
  stats: Change stats-writer default socket permissions to allow default_internal_group

It's important that all dovecot processes can send statistics to the stats
process.


  Commit: d522857ef0d25f424cd97323f06003eea2cb877a
      https://github.com/dovecot/core/commit/d522857ef0d25f424cd97323f06003eea2cb877a
  Author: Timo Sirainen <timo.sirainen at dovecot.fi>
  Date:   2018-02-09 (Fri, 09 Feb 2018)

  Changed paths:
    M src/imap-hibernate/imap-hibernate-settings.c

  Log Message:
  -----------
  imap-hibernate: Change imap-hibernate default socket permissions to allow default_internal_group

It would be enough to allow only imap processes access to it, but it
shouldn't really harm to allow other processes access to it also.


  Commit: c3d001b0dcb288093afd28a3bec20c62b734e863
      https://github.com/dovecot/core/commit/c3d001b0dcb288093afd28a3bec20c62b734e863
  Author: Timo Sirainen <timo.sirainen at dovecot.fi>
  Date:   2018-02-09 (Fri, 09 Feb 2018)

  Changed paths:
    M src/lib/restrict-access.c

  Log Message:
  -----------
  lib: restrict_access_by_env() - Preserve RESTRICT_SETEXTRAGROUPS if root isn't dropped

This way service { extra_groups } is preserved for the whole duration of the
process lifetime (e.g. lmtp, doveadm)


  Commit: d7952621661d9a9102393d27d061dad3d22083fd
      https://github.com/dovecot/core/commit/d7952621661d9a9102393d27d061dad3d22083fd
  Author: Timo Sirainen <timo.sirainen at dovecot.fi>
  Date:   2018-02-09 (Fri, 09 Feb 2018)

  Changed paths:
    M src/doveadm/doveadm-settings.c
    M src/imap-urlauth/imap-urlauth-worker-settings.c
    M src/imap/imap-settings.c
    M src/indexer/indexer-worker-settings.c
    M src/lmtp/lmtp-settings.c
    M src/pop3/pop3-settings.c
    M src/submission/submission-settings.c

  Log Message:
  -----------
  global: Set extra_groups=$default_internal_group for various services

Services with user=$default_internal_user are expected to already set the
group properly. This change is adding the group for mail processes.


Compare: https://github.com/dovecot/core/compare/c8177e49ca88...d7952621661d

