From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: Re: [PATCH v2] cli/insert: new message file can be world-readable (rely on umask)
In-Reply-To: <87k1vnuehz.fsf@fifthhorseman.net>
References: <20180205225920.GL1824@hili.localdomain> <20180206194356.28438-1-dkg@fifthhorseman.net> <87k1vnuehz.fsf@fifthhorseman.net>
Date: Thu, 08 Feb 2018 21:00:46 -0500
Message-ID: <87h8qqvs4x.fsf@fifthhorseman.net>
List-Id: "Use and development of the notmuch mail system."

On Thu 2018-02-08 20:40:40 -0500, Daniel Kahn Gillmor wrote:
> postfix's local delivery agent has apparently been delivering with mode
> 0600 for nearly 20 years:
>
> https://github.com/vdukhovni/postfix/blame/master/postfix/src/local/maildir.c#L188

and even postfix's master process (the one capable of spawning the local delivery agent, which is ultimately responsible for dropping privileges to the local user to execute commands in ~/.forward) starts off with a umask(077):

https://github.com/vdukhovni/postfix/blame/master/postfix/src/master/master.c#L278

this makes it pretty difficult to attempt safe simple world-readable mail delivery through the MUA :(

Anyway, this is not on the critical path for me. For the purposes of mail delivery to the mailing list archive, i'm now considering just writing a wrapper script around "notmuch insert" that (as the local user) runs chmod on the files that are delivered with overly-restrictive permissions. This makes me nervous, because chmods are tricky to do safely, especially in an automated fashion, but given the tight permissions we're seeing during message delivery at the moment, this is the simplest option.

Another option would be to write a mailman3 plugin that delivers to notmuch, but that's a bigger task than i'm willing to take on right now.

I welcome other suggestions though!

--dkg
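
The message above calls an automated chmod after delivery tricky to do safely. One way the permission-widening step of such a wrapper could be written, as an added example that is not from the message's author or from notmuch: it opens each entry relative to a directory descriptor, checks the opened object, and changes the mode through the descriptor. The names `make_readable` and `relax_maildir`, and the policy of skipping symlinks, non-regular files, files owned by another user and hard-linked files, are assumptions of this example.

```python
import os
import stat

READ_BITS = 0o044  # group/other read only; never adds write or execute


def make_readable(name, dir_fd):
    """Add group/other read to one message file, via its descriptor.

    Returns the new mode, or None if the entry is not a plain file we own.
    """
    try:
        # O_NOFOLLOW: refuse a symlink planted under the message's name.
        # O_NONBLOCK: do not hang if the name turns out to be a FIFO.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                     dir_fd=dir_fd)
    except OSError:
        return None
    try:
        st = os.fstat(fd)  # inspect the object we opened, not the path
        if not stat.S_ISREG(st.st_mode):
            return None
        if st.st_uid != os.geteuid() or st.st_nlink != 1:
            return None  # foreign file, or hard-linked somewhere else
        mode = stat.S_IMODE(st.st_mode) | READ_BITS
        os.fchmod(fd, mode)  # acts on the descriptor: no path race
        return mode
    finally:
        os.close(fd)


def relax_maildir(maildir, subdirs=("new", "cur")):
    """Apply make_readable to every entry of the given maildir subdirs."""
    changed = {}
    for sub in subdirs:
        dfd = os.open(os.path.join(maildir, sub),
                      os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        try:
            for name in os.listdir(dfd):
                mode = make_readable(name, dfd)
                if mode is not None:
                    changed[f"{sub}/{name}"] = mode
        finally:
            os.close(dfd)
    return changed
```

The example only widens file modes; the maildir directories themselves are left as they are.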