Re: [PATCH v2] cli/insert: new message file can be world-readable (rely on umask)

Date: Thu, 08 Feb 2018 20:40:40 -0500

To: Notmuch Mail


From: Daniel Kahn Gillmor

On Tue 2018-02-06 14:43:56 -0500, Daniel Kahn Gillmor wrote:
> There are legitimate cases (public archives) where a user might
> actually want their archive to be readable to the world.
> "notmuch insert" historically used mode 0600 (unreadable by group or
> other), but that choice doesn't appear to have been specifically
> justified (perhaps an abundance of caution?).
> This patch also adjusts the default mode used for --create-folder, to
> be mode 0755 before the application of the umask.
> If the user wants "notmuch insert" to create files or folders that are
> not readable by group or other, they can set their umask more
> restrictively.

I'm now having second thoughts about this.

postfix's local delivery agent has apparently been delivering with mode
0600 for nearly 20 years:
And dovecot's lda defaults to 0600 on delivery:

So maybe there's something I don't know about why a delivery agent would
want to have this restrictive mask?

Perhaps a better way to fix this is with a new option to notmuch insert.

On IRC, bremner suggests something flexible like --mode=0600.

I'm more inclined to keep it simpler and more usable (most people don't
know octal, let alone unix permissions bits) and just have a boolean
--world-readable which defaults to false (and switches between modes
0600 and 0644 for files, and 0700 and 0755 for directories).

Any thoughts?

notmuch mailing list
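The interaction between the requested mode and the umask that this message weighs, as an added example that is not part of the original post and is not notmuch's code: a file created with mode 0600 stays private under any umask, while 0644 and 0755 leave the outcome to the caller's umask. The names `requested_mode` and `effective_mode` and the scratch path under /tmp are hypothetical, and /tmp is assumed to be writable.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical: the modes a boolean world-readable switch would request. */
static mode_t requested_mode(bool world_readable, bool is_dir)
{
    if (is_dir)
        return world_readable ? 0755 : 0700;
    return world_readable ? 0644 : 0600;
}

/* Create a scratch file or directory under `mask`; return the permission bits
 * actually applied (requested & ~umask), or -1. Assumes /tmp is writable. */
static int effective_mode(mode_t mask, bool world_readable, bool is_dir)
{
    char path[64];
    struct stat st;
    int result = -1;
    mode_t want = requested_mode(world_readable, is_dir);
    snprintf(path, sizeof path, "/tmp/insert-mode-demo.%ld", (long) getpid());
    mode_t old = umask(mask);
    bool created;
    if (is_dir) {
        created = mkdir(path, want) == 0;
    } else {
        /* O_EXCL: never reuse, or follow a symlink to, an existing file. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, want);
        created = fd >= 0;
        if (created)
            close(fd);
    }
    umask(old);
    if (created && stat(path, &st) == 0)
        result = st.st_mode & 0777;
    if (created)
        remove(path);
    return result;
}

int main(void)
{
    for (int wr = 0; wr <= 1; wr++)
        printf("umask 022, world-readable=%d: file %04o, dir %04o\n", wr,
               (unsigned) effective_mode(022, wr, false),
               (unsigned) effective_mode(022, wr, true));
    return 0;
}
```

With the switch on, a user with umask 077 still gets 0600 files and 0700 directories, so the umask can only tighten what the switch requests.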