On Wed, 3 Jan 2018 13:37:07 -0500 Timo Sirainen <tss@iki.fi> wrote:
On 3 Jan 2018, at 11.38, Rob Hoelz <rob+dovecot@hoelz.ro> wrote:
Hi dovecot developers and users,
I recently upgraded my server running Arch Linux to dovecot 2.3.0, and I noticed some of my cron jobs started issuing me error messages. These cron jobs run as a non-root user associated with my mail account, and they use doveadm to tidy things up (ex. purging the trash, moving old mail in certain folders into the trash). The error message is:
Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
I assume this is doveadm trying to participate in the new 2.3 stats process, and after reading the code a bit, I can't see way to tell doveadm to not connect to the stats writer. The socket is owned by root with 600 permissions.
What would be the right way to remedy this? AFAICT, I could potentially run doveadm as root (which I would prefer to avoid), or I could change the permissions on the stats writer socket, but I would hate to introduce any sort of security vulnerability by doing so. I currently have a scrappy Perl script that just runs doveadm and filters out the error message (it doesn't seem to affect the behavior of doveadm other than the message), but that feels dirty and I would prefer a cleaner solution. Any advice?
I was wondering what to do about this while developing it. I think you can disable this by clearing out the socket path:
doveadm -o stats_writer_socket_path=
But .. I think the changing the socket permissions is the better solution. The new stats process should know about everything that is going on in the system, and these doveadm calls are part of that. So if they're excluded then the stats aren't exactly correct. The stats-writer can't do all that much harm other than messing up the statistics or probably crashing stats process by using up all of its memory.
Thanks for the advice, Timo - I went ahead and applied the permission change to my dovecot config. On a side note, thanks for dovecot in general - it's a great piece of software!
-Rob