Hi Stephan,
Normally, Dovecot permission errors are more helpful than that. So, this error message in itself is a bit of a bug:
I'm glad to have been able to help with this beta-test ;-)
About the cause of this error: keep in mind that the whole directory path needs read/execute permission, not only the leaf directory.
Have checked. They are...
You could try a command other than LISTSCRIPTS in your manual debugging efforts. That should take a different code path that provides a more detailed error.
I tried:
PUTSCRIPT "hutsefluts" {6+}
keep;
Gives the same result:
Feb 10 15:43:26 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file storage: save: open(/home/rogier/sieve/tmp/hutsefluts_1486737806.M728733P6414.p150.sieve) failed: Permission denied
I have put a script named "std.sieve" in the sieve directory manually. Then the GETSCRIPT command gives some more information:
Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Debug: sieve: file script: Opened script std' from /home/rogier/sieve/std.sieve'
Feb 10 15:50:07 p150 dovecot[2042]: managesieve(rogier): Error: sieve: file script: Failed to open sieve script: open(/home/rogier/sieve/std.sieve) failed: Permission denied (euid=1000(rogier) egid=100(users) UNIX perms appear ok (ACL/MAC wrong?))
So the UNIX permissions seem not to be the problem. The mentioning of ACL made me look into the audit.log. There I found this:
type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13 a0=55e8920917d8 a1=0 a2=7fff73b41a14 a3=65766569732f7265 items=0 ppid=1861 pid=6414 auid=4294967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="managesieve" exe="/usr/lib/dovecot/managesieve" key=(null)
type=UNKNOWN[1327] msg=audit(1486738207.203:354): proctitle="dovecot/managesieve"
Looks like AppArmor says NO... Does the apparmor profile for managesieve account for this or any other script store location? Or is the user expected to tweak apparmor profiles in such cases? Then I have to figure out how...
Regards, Rogier
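
Added example, not part of the original message and not Dovecot or AppArmor project code: a small Python parser that pulls AppArmor `DENIED` records out of audit.log text and turns each one into a candidate file rule for the confining profile. The first sample record is the AVC line quoted above; the second (a create denial for a temp file under `sieve/tmp/`) is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First record: the AVC line from the message. Second record: constructed
# sample of a create denial for a PUTSCRIPT temp file (not from the page).
SAMPLE = '''type=AVC msg=audit(1486738207.203:354): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/std.sieve" pid=6414 comm="managesieve" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1486738300.000:360): apparmor="DENIED" operation="mknod" profile="/usr/lib/dovecot/managesieve" name="/home/rogier/sieve/tmp/example.sieve" pid=6414 comm="managesieve" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1486738207.203:354): arch=c000003e syscall=2 success=no exit=-13
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# In log masks, "c" (create) and "d" (delete) are covered by "w" in a rule.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_denials(text):
    """Yield one field dict per AppArmor DENIED record; skip other records."""
    for line in text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("type") == "AVC" and f.get("apparmor") == "DENIED":
            yield f

def candidate_rules(text):
    """Return {profile: [rule lines]} covering every denial in the text."""
    perms = defaultdict(set)  # (profile, owner-only?, path) -> permissions
    for d in parse_denials(text):
        # fsuid == ouid: the process owns the file, so scope with "owner".
        owner = d.get("fsuid") is not None and d.get("fsuid") == d.get("ouid")
        key = (d["profile"], owner, d["name"])
        perms[key].update(LOG_TO_RULE.get(c, c) for c in d["denied_mask"])
    rules = defaultdict(list)
    for (profile, owner, path), p in sorted(perms.items()):
        prefix = "owner " if owner else ""
        rules[profile].append(f"{prefix}{path} {''.join(sorted(p))},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE).items():
        print(f"# profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```

The output is a starting point for review: rules are emitted per exact path, so widening them to a directory glob, and deciding where to place them in the profile, is left to the administrator.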