[Dovecot] misconception in uid and gid
Felix Rubio Dalmau
felixrubiodalmau at gmail.com
Fri Aug 2 10:32:12 EEST 2013
Hi everybody,
I have pasted my configuration in http://snipt.org/AThd4
Then, I understand that the easiest thing to do is to change the permissions of the socket, but... which socket? Additionally, userdb-auth is showing permissions srw-rw-rw-
Regards!
Felix
On Friday 02 August 2013 08:55:33 you wrote:
> On Thu, 1 Aug 2013, Felix Rubio Dalmau wrote:
>
> > I'm using a SQL database to store the usernames and passwords of my users. However, I have found that I must explicitly return the uid and gid with every query, even though all virtual users use the same uid and gid. The query, that works, is:
> >
> > user_query = SELECT mail, 'vmail' AS uid, 'vmail' AS gid, home, CONCAT('*:storage=', quota_MB*1024) AS quota_rule \
> > FROM virtual_users AS V LEFT JOIN virtual_domains AS D ON V.domain_id=D.id WHERE V.user='%n' AND D.name='%d'
> >
> > Nevertheless, if I remove the segments "'vmail' AS uid, 'vmail' AS gid" and modify the file conf.d/10-mail.conf to show
> >
> > mail_uid = vmail
> > mail_gid = vmail
> >
> > I get this error:
> >
> > dovecot: auth: Error: userdb(<mail>): client doesn't have lookup permissions for this user: userdb reply doesn't contain uid (change userdb socket permissions)
> >
> > Does anybody know what is wrong in my set-up?
>
> Did you post your setup (aka configuration, dovecot -n) somewhere to
> look at?
>
> You seem to use an older Dovecot, because newer versions use a more
> descriptive error message, see:
> http://www.dovecot.org/list/dovecot/2012-November/069651.html
>
> Because, first you need to know which socket makes the problem, then you
> can see, if changing the owner helps. This error has nothing to do with
> Unix permission per se, but you can disable Dovecot's access checks when
> you chmod a+x that particular socket.
>
> IMHO, the check itself tests if the querying Unix uid is either the owner
> or group member of the socket or owner of the retrieved record. In a
> single uid-system this check has no meaning - on a dedicated mail system
> at least. Because the global mail_uid has no meaning in the auth code (as
> this is no "default" value), you are left with:
>
> a) return uid with the query _and_ have all users use the same uid, or
> b) disable the Dovecot check by changing the socket's Unix permission to
> something different from 0666, e.g. set the x Unix permission, or
> c) change the owner of the socket to vmail (then root cannot access the
> entries, if necessary), or
> d) put all Unix users that access the socket into one group and have the
> socket owned by that group.
>
> This is the code ./src/auth/auth-master-connection.c:
>
> st contains the data of the socket, cred the data of the accessing user;
> when conn->userdb_restricted_uid is set, later in the code the entry's
> owner uid must match that number.
>
>
>     /*!!! at this point variant b) would apply */
>     /* figure out what permissions we want to give to this client */
>     if ((st->st_mode & 0777) != 0666) {
>         /* permissions were already restricted by the socket
>            permissions. also +x bit indicates that we shouldn't do
>            any permission checks. */
>         return 0;
>     }
>
> [snip]
>
>     /*!!! at this point variants c) and d) would apply */
>     if (cred.uid == st->st_uid || cred.gid == st->st_gid) {
>         /* full permissions */
>         return 0;
>     } else {
>         /* restrict permissions: return only lookups whose
>            returned uid matches the peer's uid */
>         conn->userdb_restricted_uid = cred.uid;
>         return 0;
>     }
>
>
> --
> Steffen Kaiser
>