Hello all,
I have a little problem. I'm trying to set up Dovecot deliver (1.0 beta 3) as the LDA for Exim4 on Ubuntu 6.06 with MBOX, and I'm running into permissions problems. Exim typically wants to run pipes as the user to whom the mail is being delivered (as per the "check_local_user"). deliver needs access to the auth socket and needs to be able to create files in /var/mail.
In Ubuntu, /var/mail is writeable by group mail, but not by others. So I thought I'd make deliver run as the user to whom the mail is being delivered (as per default) and with group "mail" (so it can create files in /var/mail). I also set the auth socket to be group-writeable and gave it the group mail. So theoretically, deliver should be able to:
- connect to the socket
- create dotfiles in /var/mail
- write to the user's mailbox
The problem I'm running into is that deliver tries to setgid to the primary group of the target user, and dies when it can't. I specifically do NOT want it to do this, because regular users don't have permission to write to /var/mail.
I've also tried making deliver SUID root (as recommended on this list) or SGID mail (like procmail is) but I get the same error. If I also disable the "group = mail" line in the dovecot_deliver_user router in exim4.conf, I still get the same error.
If I disable the "group = mail" line without making deliver SUID or SGID, then it can no longer connect to the auth socket. In this case it runs with the group of the user for whom the mail is being delivered, i.e. sam-adm (#10000).
I've also tried adding "user = mail" to the transport, to no avail.
The ONE way I've been able to make it work is to remove "group = mail" from exim4.conf and set the socket's mode to 0666, but I've seen warnings that allowing world-access to the socket is dangerous.
I'm actually not sure why this works, since in this case it's running with both the UID and GID of the target user, and therefore shouldn't be able to create files in /var/mail.
Can anyone untangle this for me? From what I've read, in Debian delivery agents should run with group "mail" (procmail is SGID mail). It seems to me that the way to go is to spawn it with group mail, allow group mail access to the auth socket, and be done with it. But this is prevented from working since it insists on resetting back to the user's primary group.
Thanks, Sam Hathaway
The relevent section of my dovecot.conf looks like this:
protocol lda { postmaster_address = postmaster@uofr.net log_path = /var/log/dovecot-lda.log }
auth default { mechanisms = plain socket listen { master { path = /var/run/dovecot-auth-master mode = 0660 group = mail } } # ... (other auth config directives here) }
And the relevent parts of my exim4.conf are as follows:
# in router section: local_user: debug_print = "R: local_user for $local_part@$domain" driver = accept domains = +local_domains check_local_user local_part_suffix = +* local_part_suffix_optional local_parts = ! root transport = dovecot_deliver_user
# in transport section: dovecot_deliver_user: debug_print = "T: pipe for $local_part@$domain" driver = pipe command = /usr/lib/dovecot/deliver -d $local_part message_prefix = message_suffix = log_output delivery_date_add envelope_to_add return_path_add group = mail
Here are the permissions on some interesting files/dirs:
-rwxr-xr-x 1 root mail 551424 2006-11-22 21:59 /usr/lib/dovecot/deliver drwxrwsr-t 2 root mail 1024 2007-01-25 14:14 /var/mail -rw-rw---- 1 sam-adm mail 544 2007-01-25 15:58 /var/mail/sam-adm srw-rw---- 1 root mail 0 2007-01-25 15:39 /var/run/dovecot-auth-master
And here's how I've been testing:
echo "test" | mail -s "deliver test" sam-adm
When I execute the above command, exim says:
2007-01-25 15:55:01 1HABcb-0006h4-N8 <= sam-adm@vps.uofr.net U=sam-adm P=local S=334 2007-01-25 15:55:02 1HABcb-0006h4-N8 ** sam-adm@vps.uofr.net R=local_user T=dovecot_deliver_user: Child process of dovecot_deliver_user transport returned 89 from command: /usr/lib/dovecot/deliver 2007-01-25 15:55:02 1HABcb-0006h4-N8 Completed
And deliver says:
deliver: "2007-01-25 15:55:02 "Fatal: setgid(10000) failed: Operation not permitted