Permissions for dovecot logging
justina colmena ~biz
justina at colmena.biz
Fri Dec 30 12:07:27 UTC 2022

On Thursday, December 29, 2022 10:17:08 PM AKST Aki Tuomi wrote:
> > On 30/12/2022 05:25 EET James Moe <moe.james at sma-inc.us> wrote:
> > Permission is still denied.
> > Where do I find information about "status=80/n/a"?
> >
> > I did not include all two of the syslog entries in the previous message:
> > 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> > /data01/var/log/dovecot.log: Permission denied
> > 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main
> > process exited, code=exited, status=80/n/a
>
> Maybe you have selinux or apparmor involved? On rhel based systems, selinux
> logs into /var/log/audit/audit.log, dmesg -T is another good thing to
> check.
>
Status=80 I assume is the exit code dovecot threw when it couldn't open the
log file. Whatever "int main()" is programmed to return.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
> Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
That error message is typical of a simple unix permission issue, nothing to do
with selinux etc.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
> Permissions:
> drwxrwxr-x 1 root users 104 Feb 25 2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecot users 22 Dec 27 15:47 /data01/var/log/dovecot/
>
> "dovecot" is a member of "users".
>
> What "permission" am I missing?
If the process isn't running with an effective group id of "users", then it
cannot access that directory simply by virtue of being a member of that group.
The main program has to call setegid() with the proper group id before
attempting to access those files.

On Tuesday, December 27, 2022 10:27:31 PM AKST Aki Tuomi wrote:
> If you want to run log as `dovecot`, you can do so with
>
> service log {
>   user = dovecot
> }

Maybe try something like this:

service log {
  user = dovecot
  group = users
}

Otherwise you might not have the process running with the right effective group
id to access the log file location by unix group permissions.
--
https://justina.abeja.colmena.biz/
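
Added example, not part of the original message and not Dovecot code: it walks the directories from the listing quoted above and reports the first one that refuses a process creating /data01/var/log/dovecot.log, using the credentials the process actually holds as read from /proc/<pid>/status. The numeric ids and the status excerpt are constructed for the example.

```python
# Constructed from the directory listing quoted in the thread. The numeric
# ids are made up: root=0, sma-user3x=1000, dovecot=97, group users=100.
LISTING = [  # (directory, owner uid, group gid, mode) on the way to dovecot.log
    ("/data01", 0, 100, 0o775),
    ("/data01/var", 1000, 100, 0o775),
    ("/data01/var/log", 1000, 100, 0o775),
]

# Constructed /proc/<pid>/status excerpt; columns are real, effective, saved, fs.
SAMPLE_STATUS = "Name:\tdovecot\nUid:\t97\t97\t97\t97\nGid:\t97\t97\t97\t97\nGroups:\t97\n"


def proc_creds(status_text):
    """Return (effective uid, effective gid, supplementary gids)."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    groups = {int(g) for g in fields.get("Groups", [])}
    return int(fields["Uid"][1]), int(fields["Gid"][1]), groups


def granted(mode, owner, group, uid, gid, groups):
    """rwx bits that apply: exactly one class is selected, owner first."""
    if uid == owner:
        return (mode >> 6) & 7
    if group == gid or group in groups:
        return (mode >> 3) & 7
    return mode & 7


def first_denial(listing, uid, gid, groups):
    """Creating a file needs search (x) on every directory and write+search
    on the last one. Returns the first directory that refuses, or None.
    Root's permission override is not modelled."""
    for i, (path, owner, group, mode) in enumerate(listing):
        need = 0o3 if i == len(listing) - 1 else 0o1
        if (granted(mode, owner, group, uid, gid, groups) & need) != need:
            return path
    return None


if __name__ == "__main__":
    uid, gid, groups = proc_creds(SAMPLE_STATUS)
    print("as sampled:    ", first_denial(LISTING, uid, gid, groups))
    print("with gid users:", first_denial(LISTING, uid, 100, groups))
```

On a live system, pass the contents of /proc/<pid>/status for the running process to proc_creds() and build the listing from os.stat() on each directory.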