diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index c683a8a..771dedd 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -104,6 +104,9 @@ let
 chmod 755 "${passwdDir}"
 fi
+# Prevent world-readable password files, even temporarily.
+umask 077
+
 for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
 if [ ! -f "$f" ]; then
 echo "Expected password hash file $f does not exist!"
@@ -125,9 +128,6 @@ let
 else "")
 ) cfg.loginAccounts)}
 EOF
-
-chmod 600 ${passwdFile}
-chmod 600 ${userdbFile}
 '';
 junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index 0fdcf90..2c7f8ee 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -64,6 +64,8 @@ in
 in ''
 # Create mail directory and set permissions. See
 # .
+# Prevent world-readable paths, even temporarily.
+umask 007
 mkdir -p ${directories}
 chgrp "${vmailGroupName}" ${directories}
 chmod 02770 ${directories}
diff --git a/mail-server/users.nix b/mail-server/users.nix
index 916ec0c..17196fc 100644
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@@ -34,6 +34,9 @@ let
 set -euo pipefail
+# Prevent world-readable paths, even temporarily.
+umask 007
+
 # Create directory to store user sieve scripts if it doesn't exist
 if (! test -d "${sieveDirectory}"); then
 mkdir "${sieveDirectory}"
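Review bot: Dropping the explicit `chmod 600 ${passwdFile}` / `chmod 600 ${userdbFile}` in the second dovecot.nix hunk makes the mode of those files depend entirely on the new `umask 077`, which only governs newly created files: if either file already exists from a previous deployment, a `>` redirection truncates it in place and keeps its current mode, so the umask tightens nothing on upgrade. The write itself (the heredoc that ends at `EOF`) lies outside this hunk, so I cannot see whether the files are removed and recreated or rewritten in place; if they are rewritten, keeping the two `chmod 600` lines after `EOF` (or writing via `install -m 600`) is idempotent and cheap. The comment should also say that the umask stays in effect for everything created later in this script, e.g. `# Prevent world-readable password files, even temporarily (applies to every file created below).`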
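Review bot: With `umask 007` in effect, `mkdir -p ${directories}` creates any missing parent directories with mode 770 owned by the invoking user, while the following `chgrp "${vmailGroupName}"` and `chmod 02770` only touch the listed leaf paths, so a parent created on the fly would be neither group-owned by the vmail group nor traversable by others, and the vmail user could be unable to reach its maildir. Whether this can happen depends on what `directories` expands to and on which user the unit runs as, neither of which is visible in this hunk. If nested paths are possible, either create the parents explicitly before the `umask` line or extend the `chgrp`/`chmod` to cover them; otherwise record the assumption with `# Parents of ${directories} are assumed to exist; under this umask mkdir -p would create them 770 and owned by the invoking user.`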
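Review bot: The `umask 007` only affects paths created after it, and the `mkdir "${sieveDirectory}"` below is guarded by `if (! test -d "${sieveDirectory}")`, so a sieve directory that already exists keeps whatever mode it received under the previous default umask; the hardening applies to fresh installs only. If tightening on upgrade is intended, an unconditional `chmod 0770 "${sieveDirectory}"` (or whichever mode the rest of this script expects) after the `if` block would make the result idempotent; the ownership handling that follows is outside this hunk, so I cannot confirm the mode it needs. The comment could state the limitation: `# Prevent world-readable paths, even temporarily (new paths only; existing ones keep their mode).`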