Re: [PATCH v2] cli/insert: new message file can be world-readable (rely on umask)

Date: Thu, 08 Feb 2018 20:40:40 -0500

To: Notmuch Mail

From: Daniel Kahn Gillmor


On Tue 2018-02-06 14:43:56 -0500, Daniel Kahn Gillmor wrote:
> There are legitimate cases (public archives) where a user might
> actually want their archive to be readable to the world.
>
> "notmuch insert" historically used mode 0600 (unreadable by group or
> other), but that choice doesn't appear to have been specifically
> justified (perhaps an abundance of caution?).
>
> This patch also adjusts the default mode used for --create-folder, to
> be mode 0755 before the application of the umask.
>
> If the user wants "notmuch insert" to create files or folders that are
> not readable by group or other, they can set their umask more
> restrictively.

I'm now having second thoughts about this.

postfix's local delivery agent has apparently been delivering with mode
0600 for nearly 20 years:

    https://github.com/vdukhovni/postfix/blame/master/postfix/src/local/maildir.c#L188
    
And dovecot's lda defaults to 0600 on delivery:

    https://sources.debian.org/src/dovecot/1:2.2.33.2-1/src/lib-storage/mail-storage.c/?hl=2591#L2591

So maybe there's something I don't know about why a delivery agent would
want to have this restrictive mask?

Perhaps a better way to fix this is with a new option to notmuch insert.

On IRC, bremner suggests something flexible like --mode=0600.

I'm more inclined to keep it simpler and more usable (most people don't
know octal, let alone Unix permissions bits) and just have a boolean
--world-readable which defaults to false (and switches between modes
0600 and 0644 for files, and 0700 and 0755 for directories).

Any thoughts?

    --dkg
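
The interaction between the requested mode and the umask discussed in this message, as an added example that is not part of the original post or of notmuch's code: it requests the file and directory modes proposed for a boolean --world-readable and reports the permission bits that survive a given umask. The function names and the /tmp scratch path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Modes requested before the umask is applied (values from the message). */
static mode_t file_mode(int world_readable) { return world_readable ? 0644 : 0600; }
static mode_t dir_mode(int world_readable)  { return world_readable ? 0755 : 0700; }

/* Create a folder and a message file under `mask`, then return the permission
 * bits the kernel actually stored for the folder (want_dir) or the file.
 * Returns (mode_t)-1 on error. Hypothetical helper, not a notmuch function. */
static mode_t effective_mode(int world_readable, mode_t mask, int want_dir)
{
    char base[] = "/tmp/insert-mode-XXXXXX";   /* constructed scratch path */
    char sub[64], msg[80];
    struct stat st;
    mode_t result = (mode_t) -1;

    if (mkdtemp(base) == NULL)
        return result;
    snprintf(sub, sizeof sub, "%s/new", base);
    snprintf(msg, sizeof msg, "%s/msg", sub);

    mode_t old = umask(mask);                  /* umask can only clear bits */
    int dir_ok = mkdir(sub, dir_mode(world_readable)) == 0;
    int fd = dir_ok ? open(msg, O_WRONLY | O_CREAT | O_EXCL,
                           file_mode(world_readable)) : -1;
    umask(old);

    if (fd >= 0 && stat(want_dir ? sub : msg, &st) == 0)
        result = st.st_mode & 07777;
    if (fd >= 0) { close(fd); unlink(msg); }
    if (dir_ok) rmdir(sub);
    rmdir(base);
    return result;
}

int main(void)
{
    static const mode_t masks[] = { 022, 027, 077 };
    for (int wr = 0; wr <= 1; wr++)
        for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
            printf("world_readable=%d umask=%03o file=%04o dir=%04o\n", wr,
                   (unsigned) masks[i], (unsigned) effective_mode(wr, masks[i], 0),
                   (unsigned) effective_mode(wr, masks[i], 1));
    return 0;
}
```

With the restrictive default the umask is irrelevant to group and other access; with the permissive request, a umask of 077 still yields 0600 files and 0700 folders.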