This one's easy. Users manage their own files and just need to make them readable by www-data, the Apache user.
Individual domain directories are basically extensions of users' home directories, permissions-wise, so again there are no problems.
Users are given ownership of both their primary mailboxes (~/Maildir) and their virtual mailboxes (in a directory of their choice under their home directory). We're assuming that Exim and Courier IMAP are robust enough that errors in these mailboxes won't prevent delivery of mail to other mailboxes or prevent others from checking their mail.
We modify the default Mailman set-up in the following ways:
Symlink /var/lib/mailman/[archives|lists] to /home/mailman/[archives|lists], where the real action is.
For a mailing list mylist@mydom.com owned by user me, we create it by running /usr/local/bin/listnew mylist mydom.com me somepasswd, which runs the following for each value of F in /home/mailman/lists/mylist, /home/mailman/archives/private/mylist, and /home/mailman/archives/private/mylist.mbox:
{{{
chmod -R g+s "$F"       # setgid so new files inherit the human user's group
chmod -R g-rwx "$F"     # the group itself gets no access
chmod -R u-s "$F"       # no setuid bits anywhere under the list
chown -R list.me "$F"   # Mailman user owns it; the group only marks quota
}}}
In other words, list, the Mailman user, owns the files. They have the human user's group, but this group is given no more permissions than the rest of the world gets. It's only there as a marker for /home group quotas. The directories are setgid, so that new files created belong to the human user's group.
Change the Mailman CGI scripts in /usr/lib/cgi-bin/mailman to be owned by list.list and to be setuid instead of setgid. These scripts already cry bloody murder if run by anyone but www-data, so this use of setuid should be secure. This lets the CGI scripts run as the Mailman user itself, since belonging only to Mailman's group is no longer enough to access the list data.
Everyone has write access to the shared folders where misclassified spam and ham should be deposited. This is definitely a security problem if someone wants to train SpamAssassin to mark legitimate and important messages as spam to harass other users. Also, by copying files directly instead of going through IMAP, users may be able to screw up the folders in some way that impacts others.
The databases of user me live in /home/mysql/me_*. Each of these directories is owned by mysql.me and is symlinked from the usual MySQL database location. There are no write permissions for the group, so me can't modify the database directly in an effort to confuse or crash MySQL; and, of course, all database files are counted towards me's group quota.
The databases of user me live in /home/postgres/me/. We use PostgreSQL's new "tablespace" mechanism to make this more elegant than the MySQL set-up. Tablespaces are named containers for databases that are associated with particular roots in the filesystem. We give each user his own tablespace, with the usual ownership by his group, setgid, and no group permissions. me can't modify the database directly in an effort to confuse or crash Postgres; and, of course, all database files are counted towards me's group quota.