On Wed, 4 Jul 2007, Steffen Kaiser wrote:
Hello,
after adding plenty of i_info()'s into:
./src/lib/restrict-access.c ./src/imap/main.c ./src/master/mail-process.c
I found out what the basic problem is, although not why the access to Maildir was successful - it should have been denied, too.
OK, attached there are these files:
- logging_only.log, a logfile with added logging only.
- setRESTRICT_USERfromUSER.log: a logfile, where in src/imap/main.c the missing env var RESTRICT_USER is set from the env var USER.
- the patch I used to do the logging and the change.
- the dovecot -n output.
The problem is that there is _no_ single call to restrict_access_set_env() with the user argument set, hence the env var RESTRICT_USER is never set, but the only call to initgroups() in ./src/lib/restrict-access.c is invoked only if RESTRICT_USER is present. Effectively: no secondary groups of the user are ever added to the process.
In my situation:

# id dvtest3
uid=30004(dvtest3) gid=30006(dvtest3) groups=30006(dvtest3),30004(spamd)
# ls -aln ~dvtest3/Maildir/
drwxrwx--- 6 31045 30004 4096 2007-07-06 08:34 ./
drwxrwx--- 2 31045 30004 4096 2007-07-06 08:28 cur/
The access to Maildir/cur fails, because the secondary group 30004 is never added to the process. Surprisingly stat(Maildir) succeeds.
I experimented with the "drop_priv_before_exec" and "add_extra_groups" settings to see if they make any difference, but found none.
Maybe the problem is the 1st call to restrict_access_set_env():
dovecot: Jul 06 10:48:00 Info: ska: restrict_access_set_env(): user =
The user parameter is empty, but not NULL. I added some more logging; the uid/gid is 30004/30006, i.e. the data of dvtest3. Maybe the problem is that in create_mail_process(), when doing:
    /* setup environment - set the most important environment first
       (paranoia about filling up environment without noticing) */
    restrict_access_set_env(system_user, uid, gid, chroot_dir,
                            set->first_valid_gid, set->last_valid_gid,
                            set->mail_extra_groups);
system_user is not set.
This is true for both local and LDAP users.
Bye,
Steffen Kaiser
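As an added example (not code from the post or from Dovecot itself): a small C program that models the POSIX permission check for the Maildir/cur scenario described above and shows the privilege-drop ordering a mail process needs so that the user's secondary groups survive. The uid/gid values and the directory ownership come from the `id` and `ls -aln` output in the post; the function names `dac_allows`, `drop_to_user` and `process_has_group` are my own choices. `drop_to_user` only succeeds when run as root; the access model and the post-drop group check run unprivileged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>

/* Process credentials as the kernel sees them after a privilege drop. */
struct creds {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;   /* supplementary groups, i.e. what initgroups() installs */
    int ngroups;
};

/* Minimal description of a file or directory: owner, group, permission bits. */
struct inode {
    uid_t uid;
    gid_t gid;
    mode_t mode;
};

/* Is gid the primary group or one of the supplementary groups? */
static int creds_in_group(const struct creds *c, gid_t gid) {
    if (c->gid == gid) return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* POSIX discretionary access check (no root override, no ACLs).
   want is a mask of R_OK / W_OK / X_OK. Returns 1 if allowed, 0 if denied. */
int dac_allows(const struct creds *c, const struct inode *ino, int want) {
    int shift;
    if (c->uid == ino->uid)               shift = 6;  /* owner bits */
    else if (creds_in_group(c, ino->gid)) shift = 3;  /* group bits */
    else                                  shift = 0;  /* other bits */
    int have = (ino->mode >> shift) & 7;
    return (have & want) == want;
}

/* Scenario values from the post: dvtest3 is 30004/30006 with secondary
   group 30004 (spamd); Maildir/ and Maildir/cur are 31045:30004, mode 0770. */
#define DVTEST3_UID   30004
#define DVTEST3_GID   30006
#define SPAMD_GID     30004
#define MAILDIR_OWNER 31045

static const struct inode maildir_cur = { MAILDIR_OWNER, SPAMD_GID, 0770 };

/* Listing Maildir/cur needs r+x on it. Without initgroups() the process
   carries only the primary gid 30006 and lands in the "other" bits. */
int cur_readable_without_initgroups(void) {
    struct creds c = { DVTEST3_UID, DVTEST3_GID, NULL, 0 };
    return dac_allows(&c, &maildir_cur, R_OK | X_OK);
}

/* With initgroups("dvtest3", 30006) the list also contains 30004, so the
   group bits apply and the directory is readable. */
int cur_readable_with_initgroups(void) {
    static const gid_t sup[] = { DVTEST3_GID, SPAMD_GID };  /* constructed list */
    struct creds c = { DVTEST3_UID, DVTEST3_GID, sup, 2 };
    return dac_allows(&c, &maildir_cur, R_OK | X_OK);
}

/* The ordering a privileged process must use: resolve the passwd entry,
   install supplementary groups while still root, then setgid, then setuid.
   Returns 0 on success or -errno. Only succeeds when started as root. */
int drop_to_user(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -ENOENT;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -errno;  /* before setuid */
    if (setgid(pw->pw_gid) != 0) return -errno;
    if (setuid(pw->pw_uid) != 0) return -errno;
    return 0;
}

/* Post-drop sanity check a daemon can log: is gid among the process's
   groups? Returns 1 if yes, 0 if no, -1 on error. */
int process_has_group(gid_t gid) {
    if (getegid() == gid) return 1;
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL && n > 0) return -1;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid) found = 1;
    free(list);
    return n < 0 ? -1 : found;
}

int main(void) {
    printf("Maildir/cur without initgroups: %s\n",
           cur_readable_without_initgroups() ? "allowed" : "denied");
    printf("Maildir/cur with initgroups:    %s\n",
           cur_readable_with_initgroups() ? "allowed" : "denied");
    printf("current process has gid %d: %d\n", SPAMD_GID, process_has_group(SPAMD_GID));
    return 0;
}
```

The model also explains why stat() on Maildir itself can still succeed: stat() needs search (x) permission on every directory in the path prefix, not read permission on the final component, so applying `dac_allows` with `X_OK` to each parent directory and `R_OK | X_OK` only to the directory being opened reproduces the observed behaviour.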