In the meantime I've upgraded to 2.1. I've enabled debug logging and logged in.
I suspect that hardening features can be blamed for my problem. After booting a previous kernel, the behavior was reverted.
Here is what I got. As far as I can make it out, it uses the proper user for the imap process according to the logs.
Thx: Dw.
Feb 23 20:49:39 atoth dovecot: master: Dovecot v2.1.0 starting up (core dumps disabled)
Feb 23 20:50:12 atoth dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth
Feb 23 20:50:12 atoth dovecot: auth: Debug: auth client connected (pid=16584)
Feb 23 20:50:12 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50264 resp=<hidden>
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: Loading modules from directory: /usr/lib/dovecot/auth
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:12 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:12 atoth dovecot: auth: Debug: master in: REQUEST 3337879553 16584 1 0a36f4227122eb3d59466523e937b25b
Feb 23 20:50:12 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 3337879553 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16587, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:12 atoth dovecot: imap(atoth): Disconnected: Logged out in=44 out=747
Feb 23 20:50:12 atoth dovecot: auth: Debug: auth client connected (pid=16588)
Feb 23 20:50:12 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50265 resp=<hidden>
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:12 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:12 atoth dovecot: auth: Debug: master in: REQUEST 401211393 16588 1 59b6d569049f955f31991ac3cfb1f54c
Feb 23 20:50:12 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 401211393 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16589, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:14 atoth dovecot: imap(atoth): Disconnected: Logged out in=42671 out=174898
Feb 23 20:50:14 atoth dovecot: auth: Debug: auth client connected (pid=16600)
Feb 23 20:50:14 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50276 resp=<hidden>
Feb 23 20:50:14 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:14 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:14 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:14 atoth dovecot: auth: Debug: master in: REQUEST 3933732865 16600 1 8382f23ff412178311e55bf74162e4cd
Feb 23 20:50:14 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:14 atoth dovecot: auth: Debug: master out: USER 3933732865 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:14 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16601, secured
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:14 atoth dovecot: imap(atoth): Disconnected: Logged out in=405 out=9240
-- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD, Radiologist, +36-20-825-8057
On Thu, 23 February 2012 at 09:15, Timo Sirainen wrote:
On Thu, 2012-02-23 at 09:03 +0100, "Tóth Attila" wrote:
Unfortunately I can see that in my case /usr/libexec/dovecot/imap accesses both the inbox and the mail directories of the user as root. Moreover, it creates the lock file as root. I can see no process running as the user.
How could I teach dovecot to start the imap process as the user? What configuration options should I blame?
Well, that's strange. There shouldn't be any way for you to make imap access mails as root, even if you wanted to do that. If you log in as root, it'll fail with:
Error: user root: Invalid settings in userdb: userdb returned 0 as uid
Fatal: Invalid user settings. Refer to server log for more information.
If there's a bug and it just somehow manages to get through that check, it fails with:
Fatal: We couldn't drop root privileges
So.. I'm not really sure what could be wrong. It makes me think maybe Gentoo's hardening features somehow mess this up, but I can't really think of how that could either.
Set auth_debug=yes and mail_debug=yes. What does it log when logging in?
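The property Timo describes (the userdb must return a non-zero uid, and the imap process must then run as that uid) can be verified mechanically against the kind of auth_debug/mail_debug output quoted above, by pairing each "master out: USER ..." line with the matching "imap(user): Debug: Effective uid=..." line. The script below is an added example, not code from the thread or from the Dovecot project; it assumes the Dovecot 2.1 debug log format as quoted in the thread, and the second session in the sample (user "bob" with effective uid=0) is constructed to show what a failed privilege drop would look like.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: entries in the shape of the Dovecot 2.1 debug log quoted
# in the thread (mail-client-wrapped, as received), plus one constructed
# session for user "bob" whose imap process reports effective uid=0.
SAMPLE_LOG = """\
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 3337879553
atoth system_groups_user=atoth uid=1000 gid=100
home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16587, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000,
gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Disconnected: Logged out in=44
out=747
Feb 23 20:51:00 atoth dovecot: auth: Debug: master out: USER 7 bob uid=1001 gid=100 home=/home/bob
Feb 23 20:51:00 atoth dovecot: imap(bob): Debug: Effective uid=0, gid=0, home=/home/bob
"""

# A syslog entry starts with "Mon DD HH:MM:SS "; anything else is a wrapped
# continuation of the previous entry.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
# userdb result handed from auth to the master process
USERDB_RE = re.compile(r"auth: Debug: master out: USER \d+ (\S+) .*?\buid=(\d+) gid=(\d+)")
# identity the imap process reports after it has (supposedly) dropped root
EFFECTIVE_RE = re.compile(r"imap\(([^)]+)\): Debug: Effective uid=(\d+), gid=(\d+)")


def unwrap(text: str) -> List[str]:
    """Join mail-client-wrapped continuation lines back onto their log entry."""
    entries: List[str] = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries


def check_privilege_drop(text: str) -> Tuple[Dict[str, Tuple[int, int]], List[str]]:
    """Return (userdb uid/gid per user, list of findings).

    A finding is raised when an imap process reports effective uid 0, or when
    its effective uid/gid differs from what the userdb returned for that user.
    """
    userdb: Dict[str, Tuple[int, int]] = {}
    findings: List[str] = []
    for entry in unwrap(text):
        m = USERDB_RE.search(entry)
        if m:
            userdb[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = EFFECTIVE_RE.search(entry)
        if m:
            user, uid, gid = m.group(1), int(m.group(2)), int(m.group(3))
            if uid == 0:
                findings.append(f"{user}: imap process running with effective uid=0")
            expected = userdb.get(user)
            if expected is not None and expected != (uid, gid):
                findings.append(f"{user}: effective uid/gid {(uid, gid)} != userdb {expected}")
    return userdb, findings


if __name__ == "__main__":
    db, problems = check_privilege_drop(SAMPLE_LOG)
    for user, (uid, gid) in db.items():
        print(f"userdb {user}: uid={uid} gid={gid}")
    for p in problems:
        print("FINDING:", p)
```

Run against the log Tóth posted, the check produces no findings: every "Effective uid=1000, gid=100" line agrees with the "uid=1000 gid=100" the userdb returned, which is the evidence that the privilege drop Timo describes did happen for those sessions. Pointing it at the full mail log (or at `journalctl` output) is a cheap way to confirm the same thing across all users after a kernel or hardening change.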