Back in late March I asked what ownership and permissions Dovecot's own
directories and files should have; I have an obsessive nature, and
wanted to get things right :(.. On April Fool's Day :), Timo responded:
> Dovecot opens pretty much all the configuration etc. files as root
> before dropping the privileges. So in general they could all be 0600
> owned by root
In my typical turtle-crawl fashion, I got around to it today, but the
ownership/perms came out somewhat differently, which I put down here for
anyone that wants to know.........
I set everything under /var/run/dovecot to 600, owned by root:dovecot
4242 root@mercury:/var/run/dovecot ## ls -alR
total 24
drw------- 3 root dovecot 512 Mar 06 15:27 ./
drwxr-xr-x 3 root system 512 Apr 18 2006 ../
drw------- 2 root dovecot 512 May 09 10:37 login/
./login:
total 24
drw------- 2 root dovecot 512 May 09 10:37 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srw------- 1 root dovecot 0 May 09 10:37 default=
-rw------- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
And restarted dovecot
4243 root@mercury:/var/run/dovecot ## dovecot
but apparently /var/run/dovecot/login should be 750, but DC dealt with
that automagically
Warning: Corrected permissions for login directory /var/run/dovecot/login
4244 root@mercury:/var/run/dovecot ## ls -alR
total 24
drw------- 3 root dovecot 512 Mar 06 15:27 ./
drwxr-xr-x 3 root system 512 Apr 18 2006 ../
drwxr-x--- 2 root dovecot 512 May 10 12:47 login/
./login:
total 24
drwxr-x--- 2 root dovecot 512 May 10 12:47 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srwxrwxrwx 1 root dovecot 0 May 10 12:47 default=
-rw------- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
...but then got in the syslog
May 10 12:49:51 mercury mail:err|error dovecot: imap-login: Can't open SSL parameter file ssl-parameters.dat: Permission denied
May 10 12:49:51 mercury mail:err|error dovecot: child 1380384 (login) returned error 89
So I made it 640 which seems to do.
4246 root@mercury:/var/run/dovecot ## chmod 640 login/ssl-parameters.dat
4247 root@mercury:/var/run/dovecot ## ls -alR login
total 24
drwxr-x--- 2 root dovecot 512 May 10 12:47 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srwxrwxrwx 1 root dovecot 0 May 10 12:47 default=
-rw-r----- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
So it seems this will do (for others who obsess over things small):
a) /var/run/dovecot can be 600, root:dovecot
b) /var/run/dovecot/login should be 750, root:dovecot
c) /var/run/dovecot/login/ssl-parameters.dat might be 640, root:dovecot
--
Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York 12504
sdean@bard.edu voice: 845-758-7475, fax: 845-758-7035
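
A check for the three modes listed in a) to c) above, run against a saved `ls -alR` listing rather than the live tree. This is an added example, not part of the original message or of Dovecot; `EXPECTED`, `parse` and `audit` are names made up here, and it assumes the listing carries `ls -F` style type markers, as the post's output does.

```python
import posixpath
import re

# Modes the post arrives at, relative to /var/run/dovecot (root:dovecot).
EXPECTED = {".": 0o600, "login": 0o750, "login/ssl-parameters.dat": 0o640}
# Listing copied from the post: after the restart, before the chmod 640.
LISTING = """\
total 24
drw------- 3 root dovecot 512 Mar 06 15:27 ./
drwxr-xr-x 3 root system 512 Apr 18 2006 ../
drwxr-x--- 2 root dovecot 512 May 10 12:47 login/
./login:
total 24
drwxr-x--- 2 root dovecot 512 May 10 12:47 ./
drw------- 3 root dovecot 512 Mar 06 15:27 ../
srwxrwxrwx 1 root dovecot 0 May 10 12:47 default=
-rw------- 1 root dovecot 230 May 09 10:36 ssl-parameters.dat
"""
# Only plain r/w/x modes match; anything else is reported as missing.
ENTRY = re.compile(r"^[-dlscbp]([-rwx]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\S+\s+\S+\s+\S+\s+(.+)$")

def parse(listing):
    """Map relative path -> (mode, owner, group) from `ls -alR` output."""
    entries, cwd = {}, "."
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m is None:
            if line.endswith(":"):             # "./login:" header from -R
                cwd = line[:-1]
            continue                           # also skips "total N"
        sym, owner, group, name = m.groups()
        name = name.rstrip("/=*@|")            # type markers, as from ls -F
        mode = int("".join("0" if c == "-" else "1" for c in sym), 2)
        if name != "..":                       # parent is outside the tree
            entries[posixpath.normpath(f"{cwd}/{name}")] = (mode, owner, group)
    return entries

def audit(listing, owner="root", group="dovecot"):
    """Return deviations from EXPECTED; an empty list means a match."""
    entries, findings = parse(listing), []
    for rel, want in EXPECTED.items():
        have = entries.get(rel)
        if have is None:
            findings.append(f"{rel}: missing from listing")
        elif have != (want, owner, group):
            findings.append(f"{rel}: {have[0]:03o} {have[1]}:{have[2]}, "
                            f"expected {want:03o} {owner}:{group}")
    return findings
```

On the embedded listing, `audit(LISTING)` reports only `ssl-parameters.dat`, the file behind the "Permission denied" syslog line.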