[Dovecot] Bizarre permissions problem
Joseph Tam
jtam.home at gmail.com
Sat Aug 31 02:00:45 EEST 2013
Bill Oliver writes:
> There's *one* user I can't get it to work on without a
> workaround. The user is "newuser" and the uid is 1111 (actual name and
> number changed to protect the innocent). The error I get in my maillog
> is:
>
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=1111(newuser), group based on /var/mail/newuser)
> Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
>
> Now, it looks to me like dovecot is saying that the user newuser can't
> get to the /home/newuser/mail/.imap directory because it doesn't have
> permission. However, the user newuser has all the permissions it needs:
>
> $ ls -la /home/newuser/mail
>
> total 20
> drwxrw---- 3 newuser newuser 4096 Aug 29 15:01 .
> drwxrw---- 6 newuser newuser 4096 Aug 29 12:16 ..
> drwxrwx--- 2 newuser newuser 4096 Aug 29 16:05 .imap
> -rw-rw---- 1 newuser newuser 499 Aug 13 07:56 saved-messages
> -rw-rw---- 1 newuser newuser 1756 Aug 16 11:15 sent-mail
The output of doveconf -n would have been useful, especially as it
relates to your mail_location value, but I can make a pretty good guess
at what is happening.
Dovecot is trying to create indices with analogous permissions to your
mailbox files. Your user's INBOX (/var/mail/newuser) has permission
user:group:mode = 1111:12:0660 *but* newuser is not in group "mail"
(GID 12), hence it cannot do the required chown operations.
(Notice the mode of .imap/: the group write is on so the chmod worked.)
Your INBOX ended up this way because some LDAs auto-create new INBOXes
with these permissions (to allow access to other parts of the mail system
that are set-gid "mail"). Options:
1) chmod g-rwx /var/mail/newuser
   - assumes you have no other parts of your mail system that need
     access to all user INBOXes by assuming group "mail".
   - dovecot is smart enough to figure out group membership is
     irrelevant if group access is nil.
2) chgrp newuser /var/mail/newuser
3) To avoid future problems: make sure new mailboxes are created with
   workable permissions.
There are also dovecot configs that loosen up some group access, but
you'll have to investigate that yourself.
Joseph Tam <tam at math.ubc.ca>
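An added example, not part of the thread or of Dovecot itself, that turns the diagnosis above into a check you can run before touching permissions: given the mailbox file's group, its octal mode and the user's group list, it predicts whether Dovecot's chown(index dir, -1, mailbox gid) will succeed. The rule it encodes is the one described in the reply: an unprivileged process can only chgrp to a group it belongs to, and Dovecot skips the chgrp when the group permission bits are zero. The function names are made up for this example; the wrapper assumes GNU coreutils stat/id (Linux), and the "--demo" inputs are constructed to match the thread (INBOX owned 1111:mail mode 0660, newuser only in group newuser).

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: predict whether
# chown(<index dir>, -1, <mailbox gid>) will succeed for a given user.
#
# Dovecot copies the mailbox file's group and group-permission bits onto
# the index directory it creates. An unprivileged process may only chgrp
# a file to a group it is a member of, so the chown fails with EPERM when
# the mailbox's group has any access bits set and the user is not in that
# group. If the group bits are all zero, Dovecot skips the chgrp.

# mailbox_index_check USER MBOX_GROUP MBOX_MODE USER_GROUPS
#   MBOX_MODE is octal (e.g. 0660, 2660 or 660); USER_GROUPS is a
#   space-separated list of the groups USER belongs to. Prints one of:
#     ok                   user is in the mailbox's group, chown succeeds
#     ok-group-irrelevant  no group access bits, no chgrp needed
#     fail                 chown will fail with "Operation not permitted"
mailbox_index_check() {
    user=$1; mbox_group=$2; mbox_mode=$3; user_groups=$4

    # Keep the last three octal digits (drops a leading 0 or setgid digit),
    # then take the middle one: the group permission digit.
    last3=${mbox_mode#"${mbox_mode%???}"}
    gdigit=${last3%?}
    gdigit=${gdigit#?}

    if [ "${gdigit:-0}" = 0 ]; then
        printf 'ok-group-irrelevant\n'
        return 0
    fi

    for g in $user_groups; do
        if [ "$g" = "$mbox_group" ]; then
            printf 'ok\n'
            return 0
        fi
    done
    printf 'fail\n'
    return 0
}

# Wrapper that reads the real filesystem (hypothetical helper name).
# Assumes GNU stat and id; on BSD/macOS use `stat -f '%Sg %Lp'` instead.
mailbox_index_check_path() {
    user=$1; mbox=$2
    set -- $(stat -c '%G %a' "$mbox")
    mailbox_index_check "$user" "$1" "$2" "$(id -nG "$user")"
}

# Constructed inputs matching the thread. Run as: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    mailbox_index_check newuser mail 0660 "newuser"      # fail (the reported error)
    mailbox_index_check newuser mail 0600 "newuser"      # ok-group-irrelevant (option 1)
    mailbox_index_check newuser newuser 0660 "newuser"   # ok (option 2)
    mailbox_index_check newuser mail 0660 "newuser mail" # ok (user added to group mail)
fi
```

The pure function takes the three facts as arguments so it can be checked without root; `mailbox_index_check_path newuser /var/mail/newuser` does the same against a live box. A setgid mode such as 2660 is handled because only the low three digits are inspected.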