[Dovecot] [PATCH] drop root privileges on solaris, request for testing

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Dec 18 18:03:55 EET 2008 

Andrey Panin wrote:
>> I've applied the patch to Dovecot 1.1.7 (with minor change to
>> configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup
>>
>> dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
>> dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0)
>> failed: Not owner
>> dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down
>>
>> The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing
>> it dropped too many privileges.
> 
> Can you try running "ppriv -D dovecot" to determine which privilege is missing ?
>  

Difficult as the dovecot master process dies as soon as the dovecot-auth
process ends. I ran a "truss -f" on it though and found:

26409:  setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0400000000000000}) = 0
26409:  setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0400000000000000}) = 0

...

26411:  setgroups(11, 0x0006C290)                       Err#1 EPERM
[proc_setid]
26411:  write(2, "01 F i n i t g r o u p s".., 40)      = 40
26411:  _exit(89)

>From the setgroups manpage:

ERRORS
     The getgroups() and setgroups() functions will fail if:
...
     EPERM           The  {PRIV_PROC_SETID}  privilege   is   not
                     asserted in the effective set of the calling
                     process.

I tried omitting PRIV_PROC_SETID from the list in capabilities-solaris.c
but that doesn't seem to make much difference except

19468:  setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0000000000000000}) = 0
19468:  setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0000000000000000}) = 0

I don't know much about process privileges, but could it be that the
dovecot-auth subprocess isn't inheriting the privileges from the master
process?

I can send you the whole truss files if you like.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the dovecot mailing list