mbox: If INBOX creation fails because of EACCES, try with privileged group
authorTimo Sirainen <tss@iki.fi>
Sat, 24 May 2008 22:52:17 +0000 (01:52 +0300)
committerTimo Sirainen <tss@iki.fi>
Sat, 24 May 2008 22:52:17 +0000 (01:52 +0300)
enabled.

--HG--
branch : HEAD

dovecot-example.conf
src/lib-storage/index/mbox/mbox-storage.c

index b9c07d4e2cedff80e0ad6fbdfd77c253d2d719c4..e9a2e40bb96160bccc52ab9fe0dd4b72fb37a704 100644 (file)
 #mail_gid =
 
 # Group to enable temporarily for privileged operations. Currently this is
-# used only for creating mbox dotlock files when creation fails for INBOX.
+# used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
 #mail_privileged_group =
 
index 04061392a35cb8de8aaa944c83527d02ee85b7b1..3b2b0189cf051540e29ef877d1a101ac956e82c3 100644 (file)
@@ -4,6 +4,7 @@
 #include "ioloop.h"
 #include "array.h"
 #include "istream.h"
+#include "restrict-access.h"
 #include "mkdir-parents.h"
 #include "unlink-directory.h"
 #include "home-expand.h"
@@ -472,6 +473,12 @@ static int verify_inbox(struct mail_storage *storage)
 
        /* make sure inbox file itself exists */
        fd = open(inbox_path, O_RDWR | O_CREAT | O_EXCL, 0660);
+       if (fd == -1 && errno == EACCES) {
+               /* try again with increased privileges */
+               (void)restrict_access_use_priv_gid();
+               fd = open(inbox_path, O_RDWR | O_CREAT | O_EXCL, 0660);
+               restrict_access_drop_priv_gid();
+       }
        if (fd != -1)
                (void)close(fd);
        else if (errno == ENOTDIR &&
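Review bot: The errno tested at `else if (errno == ENOTDIR &&` is now read only after `restrict_access_drop_priv_gid()` has run, so anything that call does to errno decides which error branch a failed retry takes; its body is not visible here, so this is a hazard to rule out, not a confirmed bug. Saving the value across the call removes the dependency: `int open_errno = errno; restrict_access_drop_priv_gid(); errno = open_errno;`. The result of `restrict_access_use_priv_gid()` is discarded, so a failed elevation silently turns into a second unprivileged open(); skipping the retry or logging in that case would make it visible. Because the retry creates the file with mode 0660 while the privileged group is effective, the new INBOX may end up group-owned by that group and writable by its members, so a comment such as `/* INBOX may be created with the privileged group as owner; group rw is intended */` (or a tighter mode if it is not intended) would document the decision. verify_inbox() starts and ends outside this hunk.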