Andrey Panin wrote:
I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup
dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down
The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.
Can you try running "ppriv -D dovecot" to determine which privilege is missing ?
Difficult as the dovecot master process dies as soon as the dovecot-auth process ends. I ran a "truss -f" on it though and found:
26409: setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0400000000000000}) = 0 26409: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0400000000000000}) = 0
...
26411: setgroups(11, 0x0006C290) Err#1 EPERM [proc_setid] 26411: write(2, "01 F i n i t g r o u p s".., 40) = 40 26411: _exit(89)
From the setgroups manpage:
ERRORS The getgroups() and setgroups() functions will fail if: ... EPERM The {PRIV_PROC_SETID} privilege is not asserted in the effective set of the calling process.
I tried omitting PRIV_PROC_SETID from the list in capabilities-solaris.c but that doesn't seem to make much difference except
19468: setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0000000000000000}) = 0 19468: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0000000000000000}) = 0
I don't know much about process privileges, but could it be that the dovecot-auth subprocess isn't inheriting the privileges from the master process?
I can send you the whole truss files if you like.
Best Wishes, Chris
-- --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+- Christopher Wakelin, c.d.wakelin@reading.ac.uk IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439 Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094