Hi,
thank you for your response.
seems that singularity does not limit capabilities in containers running as root. the capabilities are the same inside and outside of the container.
the only difference is that inside the container the securebit SECURE_NO_SETUID_FIXUP is set and locked if this is the reason, perhaps I should find a way to change this securebit setting in singularity
thanks nzasch
On 02/01/20 13:11, Marc Roos wrote:
Have you tried setting linux capabilities, like NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the permissions of paths? I had to relocate the run dir with things like these
&& mkdir /var/dovecot \ && mkdir /var/lib/dovecot \ && (umask 027 ; mkdir /var/dovecot/login) \ && (umask 022 ; mkdir /var/dovecot/empty) \ && (umask 027 ; mkdir /var/dovecot/token-login)
-----Original Message----- From: cesco [mailto:cesco@esiliati.org] Sent: 30 December 2019 18:32 To: dovecot@dovecot.org Subject: dovecot cannot drop privileges inside singularity container
Hi all
I'm facing an issue while running dovecot inside a singularity (https://sylabs.io/singularity/) container
dovecot version is 2.3.4.1 (configuration below) running on debian buster, inside a container made with singularity version 3.4.2
unfortunately, when I try to start dovecot, it gives: Singularity test.sif:~> cat /var/log/mail.log Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled) Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root privileges Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
the same happens on singularity containers based on debian bullseye or alpine linux 3.9.2
many thanks! nzasch
Singularity test.sif:~> doveconf -n # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.4 () # OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2 # Hostname: testnode.example.net mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } protocols = " imap lmtp sieve pop3 submission" ssl_cert =