[Dovecot] convert plugin fails - drops root privileges then tries to create file in /
Mikel Ward
mikel at mikelward.com
Thu Jan 17 05:38:01 EET 2008
Hi
I just tried to run the convert plugin as described at
http://wiki.dovecot.org/Plugins/Convert
(except with mail_location = maildir:~/Mail)
It fails with an error message:
Eopen(/.temp.falcon.endbracket.net.18618.8d5e0a038da6cf06) failed:
Permission denied
Error: imap dump-capability process returned 89
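It looks like Dovecot execs /usr/libexec/dovecot/imap, which drops root
privileges (probably via get_imap_capability; in the attached trace the
child switches to uid/gid 65534 and can no longer setuid back to 0), then
loads /usr/lib/dovecot/imap/lib01_convert_plugin.so, which tries to
create a file in the root directory, which it obviously won't have write
privileges on. The paths it uses (/.dovecot.convert.lock and /.temp.*)
suggest that the home directory is empty at this point, so the lock and
temp files end up directly under /.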
I'm running dovecot-1.0-1.2.rc15.el5 on CentOS 5.
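If I change the paths from ~ to /home/%u, I get this error message:
Emkdir_parents(/home/dump-capability/mail) failed: Permission denied
Here %u has been expanded to "dump-capability" rather than a real user
name, so the plugin appears to be running during the startup capability
check and not on behalf of a logged-in user.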
-------------- next part --------------
execve("/usr/sbin/dovecot", ["/usr/sbin/dovecot"], [/* 16 vars */]) = 0
brk(0) = 0x8d46000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=21917, ...}) = 0
mmap2(NULL, 21917, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f22000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000_\227\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1589908, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f21000
mmap2(0x960000, 1308068, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x960000
mmap2(0xa9a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13a) = 0xa9a000
mmap2(0xa9d000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xa9d000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f20000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f206c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xa9a000, 8192, PROT_READ) = 0
mprotect(0x95c000, 4096, PROT_READ) = 0
munmap(0xb7f22000, 21917) = 0
time(NULL) = 1200536192
brk(0) = 0x8d46000
brk(0x8d6f000) = 0x8d6f000
uname({sys="Linux", node="falcon.endbracket.net", ...}) = 0
getpid() = 13747
geteuid32() = 0
open("/etc/dovecot.conf", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=665, ...}) = 0
pread64(3, "## Dovecot 1.0 configuration fil"..., 2048, 0) = 665
pread64(3, "", 1383, 665) = 0
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1696, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f27000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1696
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7f27000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=21917, ...}) = 0
mmap2(NULL, 21917, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f22000
close(3) = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\30\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=46680, ...}) = 0
mmap2(NULL, 41616, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x8c2000
mmap2(0x8cb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8) = 0x8cb000
close(3) = 0
mprotect(0x8cb000, 4096, PROT_READ) = 0
munmap(0xb7f22000, 21917) = 0
open("/etc/passwd", O_RDONLY) = 3
fcntl64(3, F_GETFD) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1759, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f27000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1759
close(3) = 0
munmap(0xb7f27000, 4096) = 0
access("/usr/libexec/dovecot/imap", X_OK) = 0
access("/etc/dovecot/ssl/mail.endbracket.net.crt", R_OK) = 0
access("/etc/dovecot/ssl/mail.endbracket.net.key", R_OK) = 0
mkdir("/var/run/dovecot/", 0777) = -1 EEXIST (File exists)
stat64("/var/run/dovecot/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
mkdir("/var/lib/dovecot", 0750) = -1 EEXIST (File exists)
lstat64("/var/run/dovecot/login", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
open("/var/run/dovecot/login", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
close(3) = 0
lstat64("/var/run/dovecot/login", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
open("/var/run/dovecot/login", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
fstat64(3, {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
getdents64(3, /* 3 entries */, 4096) = 88
lstat64("/var/run/dovecot/login/ssl-parameters.dat", {st_mode=S_IFREG|0644, st_size=230, ...}) = 0
getdents64(3, /* 0 entries */, 4096) = 0
close(3) = 0
access("/usr/libexec/dovecot/imap-login", X_OK) = 0
access("/usr/lib/dovecot/imap", R_OK|X_OK) = 0
geteuid32() = 0
pipe([3, 4]) = 0
fcntl64(3, F_GETFD) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
dup(2) = 5
fcntl64(5, F_GETFD) = 0
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
clone(Process 13748 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f20708) = 13748
[pid 13747] close(5) = 0
[pid 13747] close(4) = 0
[pid 13747] alarm(5) = 0
[pid 13747] wait4(-1, Process 13747 suspended
<unfinished ...>
[pid 13748] dup2(0, 0) = 0
[pid 13748] dup2(4, 1) = 1
[pid 13748] dup2(5, 2) = 2
[pid 13748] fcntl64(0, F_GETFD) = 0
[pid 13748] fcntl64(0, F_SETFD, 0) = 0
[pid 13748] fcntl64(1, F_GETFD) = 0
[pid 13748] fcntl64(1, F_SETFD, 0) = 0
[pid 13748] fcntl64(2, F_GETFD) = 0
[pid 13748] fcntl64(2, F_SETFD, 0) = 0
[pid 13748] setrlimit(RLIMIT_DATA, {rlim_cur=262144*1024, rlim_max=262144*1024}) = 0
[pid 13748] setrlimit(RLIMIT_AS, {rlim_cur=262144*1024, rlim_max=262144*1024}) = 0
[pid 13748] chdir("/tmp") = 0
[pid 13748] umask(077) = 022
[pid 13748] execve("/usr/libexec/dovecot/imap", ["imap"...], [/* 36 vars */]) = 0
[pid 13748] brk(0) = 0xa079000
[pid 13748] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 13748] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 13748] fstat64(3, {st_mode=S_IFREG|0644, st_size=21917, ...}) = 0
[pid 13748] mmap2(NULL, 21917, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f69000
[pid 13748] close(3) = 0
[pid 13748] open("/lib/libdl.so.2", O_RDONLY) = 3
[pid 13748] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P*\252\0004\0\0\0"..., 512) = 512
[pid 13748] fstat64(3, {st_mode=S_IFREG|0755, st_size=16428, ...}) = 0
[pid 13748] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f68000
[pid 13748] mmap2(0xaa2000, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xaa2000
[pid 13748] mmap2(0xaa4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xaa4000
[pid 13748] close(3) = 0
[pid 13748] open("/lib/libc.so.6", O_RDONLY) = 3
[pid 13748] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000_\227\0004\0\0\0"..., 512) = 512
[pid 13748] fstat64(3, {st_mode=S_IFREG|0755, st_size=1589908, ...}) = 0
[pid 13748] mmap2(0x960000, 1308068, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x960000
[pid 13748] mmap2(0xa9a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13a) = 0xa9a000
[pid 13748] mmap2(0xa9d000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xa9d000
[pid 13748] close(3) = 0
[pid 13748] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f67000
[pid 13748] set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f676c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
[pid 13748] mprotect(0xaa4000, 4096, PROT_READ) = 0
[pid 13748] mprotect(0xa9a000, 8192, PROT_READ) = 0
[pid 13748] mprotect(0x95c000, 4096, PROT_READ) = 0
[pid 13748] munmap(0xb7f69000, 21917) = 0
[pid 13748] time(NULL) = 1200536192
[pid 13748] brk(0) = 0xa079000
[pid 13748] brk(0xa0a2000) = 0xa0a2000
[pid 13748] uname({sys="Linux", node="falcon.endbracket.net", ...}) = 0
[pid 13748] getpid() = 13748
[pid 13748] open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
[pid 13748] read(3, "J1\272v", 4) = 4
[pid 13748] fcntl64(3, F_GETFD) = 0
[pid 13748] fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
[pid 13748] getgid32() = 0
[pid 13748] setgid32(65534) = 0
[pid 13748] setgroups32(1, [65534]) = 0
[pid 13748] setuid32(65534) = 0
[pid 13748] setuid32(0) = -1 EPERM (Operation not permitted)
[pid 13748] getgid32() = 65534
[pid 13748] getegid32() = 65534
[pid 13748] setgid32(0) = -1 EPERM (Operation not permitted)
[pid 13748] gettimeofday({1200536192, 452271}, {4294966636, 0}) = 0
[pid 13748] pipe([4, 5]) = 0
[pid 13748] fcntl64(4, F_GETFL) = 0 (flags O_RDONLY)
[pid 13748] fcntl64(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
[pid 13748] fcntl64(5, F_GETFL) = 0x1 (flags O_WRONLY)
[pid 13748] fcntl64(5, F_SETFL, O_WRONLY|O_NONBLOCK) = 0
[pid 13748] fcntl64(4, F_GETFD) = 0
[pid 13748] fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
[pid 13748] fcntl64(5, F_GETFD) = 0
[pid 13748] fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
[pid 13748] rt_sigaction(SIGIO, {SIG_IGN}, {SIG_DFL}, 8) = 0
[pid 13748] rt_sigaction(SIGRT_2, {0x80b8190, [], SA_RESTART|SA_NOMASK|SA_SIGINFO}, NULL, 8) = 0
[pid 13748] rt_sigaction(SIGINT, {0x80b8fe0, [], 0}, NULL, 8) = 0
[pid 13748] pipe([6, 7]) = 0
[pid 13748] fcntl64(6, F_GETFD) = 0
[pid 13748] fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
[pid 13748] fcntl64(7, F_GETFD) = 0
[pid 13748] fcntl64(7, F_SETFD, FD_CLOEXEC) = 0
[pid 13748] rt_sigaction(SIGTERM, {0x80b8fe0, [], 0}, NULL, 8) = 0
[pid 13748] rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
[pid 13748] rt_sigaction(SIGALRM, {0x80b8ad0, [], 0}, NULL, 8) = 0
[pid 13748] open("/usr/lib/dovecot/imap", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 8
[pid 13748] fstat64(8, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid 13748] fcntl64(8, F_SETFD, FD_CLOEXEC) = 0
[pid 13748] getdents64(8, /* 12 entries */, 4096) = 496
[pid 13748] getdents64(8, /* 0 entries */, 4096) = 0
[pid 13748] open("/usr/lib/dovecot/imap/lib01_convert_plugin.so", O_RDONLY) = 9
[pid 13748] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\r\0\0004\0\0\0"..., 512) = 512
[pid 13748] fstat64(9, {st_mode=S_IFREG|0755, st_size=7960, ...}) = 0
[pid 13748] mmap2(NULL, 10768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = 0x110000
[pid 13748] mmap2(0x112000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 9, 0x1) = 0x112000
[pid 13748] close(9) = 0
[pid 13748] lstat64("~/mail", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
[pid 13748] time(NULL) = 1200536192
[pid 13748] lstat64("/.dovecot.convert.lock", 0xbf87cf70) = -1 ENOENT (No such file or directory)
[pid 13748] stat64("/.temp.falcon.endbracket.net.13748.5505b65e9fad1c45", 0xbf87cf70) = -1 ENOENT (No such file or directory)
[pid 13748] open("/.temp.falcon.endbracket.net.13748.5505b65e9fad1c45", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0666) = -1 EACCES (Permission denied)
[pid 13748] write(2, "\1Eopen(/.temp.falcon.endbracket."..., 86Eopen(/.temp.falcon.endbracket.net.13748.5505b65e9fad1c45) failed: Permission denied
) = 86
[pid 13748] exit_group(89) = ?
Process 13747 resumed
Process 13748 detached
<... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 89}], 0, NULL) = 13748
--- SIGCHLD (Child exited) @ 0 (0) ---
alarm(0) = 5
close(3) = 0
write(2, "Error: ", 7Error: ) = 7
write(2, "imap dump-capability process ret"..., 40imap dump-capability process returned 89) = 40
write(2, "\n", 1
) = 1
exit_group(89) = ?