[Dovecot] Bizarre permissions problem

Joseph Tam jtam.home at gmail.com
Sat Aug 31 02:00:45 EEST 2013


Bill Oliver writes:

> There's *one* user I can't get it to work on without a
> workaround.  The user is "newuser" and the uid is 1111 (actual name and
> number changed to protect the innocent).  The error I get in my maillog
> is:
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
>
> Now, it looks to me like dovecot is saying that the user newuser can't
> get to the /home/newuser/mail/.imap directory because it doesn't have
> permission.  However, the user newuser has all the permissions it needs:
>
> $ ls -la /home/newuser/mail
>
> total 20
> drwxrw---- 3 newuser newuser 4096 Aug 29 15:01 .
> drwxrw---- 6 newuser newuser 4096 Aug 29 12:16 ..
> drwxrwx--- 2 newuser newuser 4096 Aug 29 16:05 .imap
> -rw-rw---- 1 newuser newuser  499 Aug 13 07:56 saved-messages
> -rw-rw---- 1 newuser newuser 1756 Aug 16 11:15 sent-mail

The output of doveconf -n would have been useful, especially as it
relates to your mail_location value, but I can make a pretty good guess
at what is happening.

Dovecot is trying to create indices with analogous permissions to your
mailbox files.  Your user's INBOX (/var/mail/newuser) has permission
user:group:mode = 1111:12:0660 *but* newuser is not in group "mail"
(GID 12), hence it cannot do the required chown operations.

(Notice the mode of .imap/: the group write is on so the chmod worked.)

Your INBOX ended up this way because some LDAs auto-create new INBOXes
with these permissions (to allow access to other parts of the mail system
that are set-gid "mail").  Options:

 	1) chmod g-rwx /var/mail/newuser
 		- assumes you have no other parts of your
 		mail system that need access to all user
 		INBOXes by assuming group "mail".
 		- dovecot is smart enough to figure out
 		group membership is irrelevant if group access
 		is nil.

 	2) chgrp newuser /var/mail/newuser

 	3) To avoid future problems: make sure new mailboxes
 		are created with workable permissions.

There are also dovecot configs that loosen up some group access, but
you'll have to investigate that yourself.

Joseph Tam <tam at math.ubc.ca>
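The diagnosis above (Dovecot copies the mailbox file's group onto the index directory only when the mailbox mode grants group access, and the chown then needs the user to be a member of that group) can be turned into a quick check. The script below is an added example written for this page, not code from the thread or from Dovecot itself; the gid 12 = "mail" and the 1111:12 0660 mailbox are taken from the quoted log, and the wrapper assumes GNU coreutils (`stat -c`, `id -G`) on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether Dovecot's chown of the
# index directory, which mirrors the group of the mailbox file
# (/var/mail/<user> in the quoted log), can succeed for a given user.

# Pure check. Arguments: mailbox mode (octal string as printed by `stat -c %a`),
# mailbox gid, then every gid the user belongs to (as printed by `id -G`).
# Returns 0 if index creation should succeed, 1 if the chown would hit EPERM.
index_chown_check() {
    mode=$1; mbox_gid=$2; shift 2
    # group permission digit: second from the right ("660" -> 6, "2660" -> 6)
    g=${mode%?}; g=${g#"${g%?}"}
    if [ "$g" = "0" ]; then
        echo "ok: mode $mode grants no group access, so the mailbox group is irrelevant"
        return 0
    fi
    for gid in "$@"; do
        if [ "$gid" = "$mbox_gid" ]; then
            echo "ok: user is a member of gid $mbox_gid, chown to it is allowed"
            return 0
        fi
    done
    echo "FAIL: mode $mode grants group access but user is not in gid $mbox_gid;" \
         "chown(index_dir, -1, $mbox_gid) would fail with EPERM"
    return 1
}

# Real-world wrapper (assumes GNU coreutils stat/id, i.e. Linux):
#   check_mailbox_for_user newuser /var/mail/newuser
check_mailbox_for_user() {
    user=$1; mbox=$2
    mode=$(stat -c %a "$mbox") || return 2
    mbox_gid=$(stat -c %g "$mbox") || return 2
    # word-splitting of `id -G` output into separate gids is intended here
    index_chown_check "$mode" "$mbox_gid" $(id -G "$user")
}

# Self-contained demo on constructed data matching the quoted log:
# newuser is only in its primary group 1111, INBOX is 1111:12 mode 0660 -> FAIL
index_chown_check 660 12 1111 || true
# after option 1 (chmod g-rwx /var/mail/newuser) -> ok
index_chown_check 600 12 1111
# after option 2 (chgrp newuser /var/mail/newuser) -> ok
index_chown_check 660 1111 1111
```

Run `check_mailbox_for_user <user> /var/mail/<user>` on the server to see which of the three outcomes applies before touching permissions; a non-zero exit from the pure check corresponds to the `chown(...) failed: Operation not permitted` line in the maillog.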

