[PATCH v2] cli/insert: new message file can be world-readable (rely on umask)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 8 18:00:46 PST 2018


On Thu 2018-02-08 20:40:40 -0500, Daniel Kahn Gillmor wrote:

> postfix's local delivery agent has apparently been delivering with mode
> 0600 for nearly 20 years:
>
>     https://github.com/vdukhovni/postfix/blame/master/postfix/src/local/maildir.c#L188

and even postfix's master process (the one capable of spawning the local
delivery agent, which is ultimately responsible for dropping privileges
to the local user to execute commands in ~/.forward) starts off with a
umask(077):

    https://github.com/vdukhovni/postfix/blame/master/postfix/src/master/master.c#L278

this makes it pretty difficult to attempt safe simple world-readable
mail delivery through the MUA :(

Anyway, this is not on the critical path for me.  For the purposes of
mail delivery to the mailing list archive, i'm now considering just
writing a wrapper script around "notmuch insert" that (as the local
user) runs chmod on the files that are delivered with overly-restrictive
permissions.

This makes me nervous, because chmods are tricky to do safely,
especially in an automated fashion, but given the tight permissions
we're seeing during message delivery at the moment, this is the simplest
option.

Another option would be to write a mailman3 plugin that delivers to
notmuch, but that's a bigger task than i'm willing to take on right now.

I welcome other suggestions though!

     --dkg
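One way to write the wrapper sketched above, added here as an example and not part of the original post or of the notmuch project: it pipes the message into "notmuch insert", then widens the mode of anything left at 0600 in the maildir's new/ and cur/ directories. The maildir path and the target mode (0644) are assumptions for illustration. The part that addresses the "chmods are tricky to do safely" worry is widen_mode(): it opens each entry with O_NOFOLLOW so a symlink planted in the maildir is never followed, verifies on the open descriptor (not on the path name) that the object is a regular file owned by the invoking user, and then calls fchmod on that same descriptor, so a rename between check and change cannot redirect the chmod to some other file.

```python
"""Wrapper around "notmuch insert" that relaxes the 0600 mode a
umask(077) delivery agent leaves on newly delivered messages.

Added example; not code from the notmuch project or the original post.
The maildir location and the 0644 target mode are assumptions."""
import os
import stat
import subprocess
import sys


def widen_mode(path, mode=0o644):
    """Safely chmod one regular file that we own to `mode`.

    Returns True only if the mode was actually changed.  The sequence
    guards against the usual chmod races:
      * O_NOFOLLOW: a symlink in the maildir is skipped, not followed;
      * fstat on the descriptor: the checks apply to the object we
        actually opened, not to whatever the path names a moment later;
      * fchmod on that same descriptor: the change lands on the object
        we checked.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError:
        # symlink, vanished, or unreadable: leave it alone
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            return False
        if stat.S_IMODE(st.st_mode) == mode:
            return False
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)


def fix_maildir(maildir, mode=0o644):
    """Widen the mode of every message under maildir/new and maildir/cur.

    Only those two subdirectories are touched; tmp/ and anything outside
    the maildir are deliberately left alone.  Returns the changed paths.
    """
    changed = []
    for sub in ("new", "cur"):
        d = os.path.join(maildir, sub)
        try:
            names = os.listdir(d)
        except FileNotFoundError:
            continue
        for name in sorted(names):
            p = os.path.join(d, name)
            if widen_mode(p, mode):
                changed.append(p)
    return changed


def insert_and_fix(maildir, message, mode=0o644):
    """Deliver `message` (bytes) through "notmuch insert", then fix modes.

    Assumes "notmuch insert" is configured to deliver into `maildir`.
    """
    subprocess.run(["notmuch", "insert"], input=message, check=True)
    return fix_maildir(maildir, mode)


if __name__ == "__main__":
    # Usage: some-mta-delivery | python3 wrapper.py /path/to/maildir
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/mail")
    for p in insert_and_fix(target, sys.stdin.buffer.read()):
        print("widened", p)
```

Because the wrapper only ever makes files more readable, restricting it to new/ and cur/ and to regular files owned by the delivery user keeps the blast radius of a mistake to exactly the messages that were meant to be public in the first place.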