Subject: Re: [PATCH v2] cli/insert: new message file can be world-readable (rely on umask)

Date: Thu, 08 Feb 2018 21:00:46 -0500

To: Notmuch Mail

Cc:

From: Daniel Kahn Gillmor


On Thu 2018-02-08 20:40:40 -0500, Daniel Kahn Gillmor wrote:

> postfix's local delivery agent has apparently been delivering with mode
> 0600 for nearly 20 years:
>
>     https://github.com/vdukhovni/postfix/blame/master/postfix/src/local/maildir.c#L188

and even postfix's master process (the one capable of spawning the local
delivery agent, which is ultimately responsible for dropping privileges
to the local user to execute commands in ~/.forward) starts off with a
umask(077):

    https://github.com/vdukhovni/postfix/blame/master/postfix/src/master/master.c#L278

this makes it pretty difficult to attempt safe simple world-readable
mail delivery through the MUA :(

Anyway, this is not on the critical path for me.  For the purposes of
mail delivery to the mailing list archive, i'm now considering just
writing a wrapper script around "notmuch insert" that (as the local
user) runs chmod on the files that are delivered with overly-restrictive
permissions.

This makes me nervous, because chmods are tricky to do safely,
especially in an automated fashion, but given the tight permissions
we're seeing during message delivery at the moment, this is the simplest
option.

Another option would be to write a mailman3 plugin that delivers to
notmuch, but that's a bigger task than i'm willing to take on right now.

I welcome other suggestions though!

     --dkg
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
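An added example, not notmuch's or postfix's code and not dkg's wrapper: a POSIX sh sketch of the two points in the message above. First, a file written by a delivery agent running under umask 077 comes out 0600 regardless of what the program intends (which is what "rely on umask" in the patch subject means). Second, a post-delivery chmod written narrowly enough to run unattended on a public list-archive maildir. The maildir layout, the 0600 to 0644 policy and the `demo` fixture are assumptions for illustration; nothing here invokes notmuch or postfix.

```shell
#!/bin/sh
# Added example (not notmuch's or postfix's code). Simulates an MDA whose
# file mode is decided by the process umask, then relaxes permissions on a
# list-archive maildir without the usual chmod footguns. The maildir layout
# and the 0600 -> 0644 policy are assumptions; the fixture in demo() is
# constructed for offline use and stands in for a real delivery.
set -eu

# Write stdin to $2 under umask $1 and print the resulting permission
# string, e.g. "-rw-------". With umask 077 (postfix master's default) the
# file is 0600 even though nothing in this function asks for that.
deliver_under_umask() {
    um=$1; dest=$2
    ( umask "$um"; cat > "$dest" )
    ls -ld "$dest" | cut -c1-10
}

# Number of regular files under new/ and cur/ that others can read.
count_world_readable() {
    n=0
    for d in "$1/new" "$1/cur"; do
        [ -d "$d" ] || continue
        n=$((n + $(find "$d" -xdev -type f -perm -004 | wc -l)))
    done
    echo "$n"
}

# Relax exactly-0600 regular files under new/ and cur/ to 0644 and print
# how many files changed. Kept deliberately narrow so it is safe unattended:
#   - no -L, so symlinks are never followed (-type f matches only real
#     regular files) and nothing outside the maildir can be touched;
#   - -perm 0600 is an exact match, so a file an operator set to 0400 or
#     0640 on purpose is left alone;
#   - -xdev stops at mount points;
#   - -exec ... {} + hands paths straight to chmod, so spaces, globs or a
#     leading "-" in a filename never go back through the shell.
relax_archive_perms() {
    maildir=$1
    before=$(count_world_readable "$maildir")
    for d in "$maildir/new" "$maildir/cur"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm 0600 -exec chmod 644 -- {} +
    done
    after=$(count_world_readable "$maildir")
    echo $((after - before))
}

# Constructed fixture: one message delivered under umask 077, one under
# umask 022, a symlink planted in new/ pointing at a private file (must not
# be followed), and a deliberately 0400 message in cur/ (must not be widened).
demo() {
    md=$(mktemp -d)
    mkdir -p "$md/new" "$md/cur" "$md/tmp"
    printf 'Subject: one\n\nbody\n' | deliver_under_umask 077 "$md/new/1.msg" >/dev/null
    printf 'Subject: two\n\nbody\n' | deliver_under_umask 022 "$md/new/2.msg" >/dev/null
    printf 'secret\n' > "$md/private"; chmod 600 "$md/private"
    ln -s "$md/private" "$md/new/3.link"
    printf 'Subject: four\n\nbody\n' > "$md/cur/4.msg:2,S"; chmod 400 "$md/cur/4.msg:2,S"
    relax_archive_perms "$md"            # 1: only 1.msg was relaxed
    ls -ld "$md/private" | cut -c1-10    # still -rw-------
    rm -rf "$md"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh wrapper.sh demo` to exercise the fixture; in real use the delivery step would pipe the message into `notmuch insert` and then call `relax_archive_perms` on the archive maildir. Note that the relax step does not try to identify which file the current run created: on an archive where every message is meant to be public, widening every 0600 regular file in new/ and cur/ is both simpler and safer than guessing at the new filename, and it is idempotent, so a crash between insert and chmod is repaired by the next run.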
