Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1199 to the following vulnerability:
Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
Upstream patch referenced also in BugTraq post mentioned in initial comment:
Dovecot packages as shipped in Red Hat Enterprise Linux 4 and 5 and Fedora do
not set mail_extra_groups by default.
User mailboxes are created in /var/(spool/)mail/ directory by default. That
directory is mail-group writable. Permissions on individual mailbox files may
- root mailbox is root:root 600
- user mailbox created by useradd is <user>:mail 660, hence mail group writable
- on RHEL4, mailbox file is created by useradd by default
- on RHEL5, mailbox file is not created by user add by default, but this may
change in future updates of shadow-utils package
(automatic mailbox creation can also be enabled by adding:
to /etc/default/useradd file)
- user mailbox created by procmail / postfix /... is <user>:mail 600 by
If mail_extra_groups option is set to mail, IMAP users who also have shell
access can possibly read, modify or delete inbox files of other users, which are
stored in /var/mail .
- do not set mail_extra_groups to mail
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Giving this low, as this does not affect default or likely configuration and can
easily be resolved by not setting mail as mail_extra_groups.
This issue was resolved for dovecot packages shipped in Red Hat Enterprise Linux
5 in the following errata:
As mentioned above, this issue did not affect default configuration of any
dovecot version as shipped in Red Hat Enterprise Linux 4 and 5, and Fedora. The
risks associated with fixing this bug in dovecot packages in Red Hat Enterprise
Linux 4 are greater than the low severity security risk. We therefore currently
have no plans to fix this flaw in Red Hat Enterprise Linux 4.