[Dovecot] 2.2.4 - quota-status changing the user it is running as
Axel Luttgens
AxelLuttgens at swing.be
Thu Aug 1 13:11:55 EEST 2013
On 30 Jul 2013, at 20:36, Axel Luttgens wrote:
> [...]
> Do you really mean "either", not "both"? I ask, because those patches seem to intervene at quite different levels (but I guess I'll have, one day or another, to get more acquainted with Dovecot's coding, so as not to come with such silly questions...).
> [...]
So, even if I could only test a unique mail uid/gid (i.e. dovemailer/dovemailer) kind of setup, I've applied both patches so as to verify they don't conflict.
Seems to be fine now with my initial attempt:

    service quota-status {
      client_limit = 1
      executable = quota-status -p postfix
      unix_listener /var/spool/postfix/private/quota-policyd {
        user = postfix
      }
    }

as far as the switch from root to dovemailer is concerned: the service doesn't complain anymore about not being able to access the config.
On the other hand, trying to run the service as another user:

    service quota-status {
      client_limit = 1
      executable = quota-status -p postfix
      user = dovemailer
      group = dovemailer
      unix_listener /var/spool/postfix/private/quota-policyd {
        user = postfix
      }
    }

unfortunately still requires relaxing the permissions on the config unix socket:

    service config {
      unix_listener config {
        group = dovemailer
        mode = 0660
      }
    }

so as to avoid such immediate failures:

    quota-status: Fatal: Error reading configuration: net_connect_unix(/_ROOT/var/run/dovecot/config) failed: Permission denied
    master: Error: service(quota-status): command startup failed, throttling for 2 secs

But now a failure, very likely related to patch 2470bb9106b0, occurs at the first query:

    quota-status: Fatal: seteuid(0) failed: Operation not permitted

Perhaps I am missing some needed setting in the case of that second config?
Axel
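
The "seteuid(0) failed: Operation not permitted" line above matches the general POSIX rule that an unprivileged process may only switch its effective UID to its real or saved UID, so a process whose three UIDs are all a service account cannot return to root, while one that only dropped its effective UID can. The C program below is an added example, not code from Dovecot or from this message, and makes no claim about what patch 2470bb9106b0 does. The helper names are hypothetical, and it assumes Linux (getresuid) with no CAP_SETUID granted to non-root processes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux/BSD call; declared here so the example needs no feature macro. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Hypothetical helper (not Dovecot code): may a process holding
 * (ruid, euid, suid) change its effective UID to target?  Assumes plain
 * UID checks, i.e. no CAP_SETUID granted to a non-root process. */
int seteuid_permitted(uid_t ruid, uid_t euid, uid_t suid, uid_t target)
{
    if (euid == 0)
        return 1;               /* privileged: any target is accepted */
    /* unprivileged: only the real, effective or saved UID is accepted */
    return target == ruid || target == euid || target == suid;
}

/* Try seteuid(0) on the calling process, then restore the old euid.
 * Returns 0 on success, otherwise errno (EPERM when denied). */
int probe_regain_root(void)
{
    uid_t old = geteuid();

    if (seteuid(0) != 0)
        return errno;
    return seteuid(old) != 0 ? errno : 0;
}

int main(void)
{
    uid_t r, e, s;
    int err;

    if (getresuid(&r, &e, &s) != 0) {
        perror("getresuid");
        return 1;
    }
    printf("ruid=%ld euid=%ld suid=%ld\n", (long)r, (long)e, (long)s);
    printf("rule:  seteuid(0) %s\n",
           seteuid_permitted(r, e, s, 0) ? "permitted" : "denied");
    err = probe_regain_root();
    printf("probe: seteuid(0) %s\n", err ? strerror(err) : "succeeded");
    return 0;
}
```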