On Sat, 2020-03-28 at 15:14 +0000, André Rodier wrote:
> Hello,
>
> I am updating dovecot, from Debian Stretch to Buster, and I have an
> issue with the managesieve service:
>
> > Mar 28 15:05:06 mail dovecot[2637]: managesieve-login: Error: auth:
> > connect(login) in directory / failed: Permission denied
> > (euid=120(<getpwuid() error>) egid=128(<getgrgid() error>) missing
> > +x
> > perm: /, we're not in group 127, dir owned by 0:127 mode=0770)
> > Mar 28 15:05:06 mail dovecot[2637]: managesieve-login: Error: auth:
> > connect(login) in directory / failed: Permission denied
> > (euid=120(<unknown>) egid=128(<unknown>) missing +x perm: /, we're
> > not in group 127, dir owned by 0:127 mode=0770)
>
> The two folders I found with these permissions are /run/dovecot/login
> and /run/dovecot/token-login.
> Both folders belongs to root:dovecot
>
> If I change the permissions of the following folders, like this:
>
> chmod 0775 /run/dovecot/login
> chmod 0775 /run/dovecot/token-login
>
> Then, dovecot managesieve is working, but this is just a test, I
> suppose the service should run with a specific user?
>
> Do you have any idea on what is wrong here?
>
> If I restart dovecot, I have an error message that states the
> permissions are wrong, and they are set again to 0770
>
> Thanks,
> André Rodier
>
Hi again,

I can fix it by using this:

> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
>
>   # Run as an unprivileged user
>   group = dovecot
>   user = dovecot
> }
>

Is it the right setting in term of security?

Thanks again,
André