Unfortunately I can see that in my case /usr/libexec/dovecot/imap accesses both the inbox and the mail directories of the user as root. Moreover, it creates the lock file as root. I can see no process running as the user.
How could I teach dovecot to start the imap process as the user? Which configuration options should I blame?
Thx: Dw.
dovecot -n
# 2.0.17 (684381041dc4+): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.6-hardened i686 Gentoo Base System release 2.0.3
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_worker_max_count = 16
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_gid = 99
first_valid_uid = 1000
hostname =
last_valid_gid = 65533
last_valid_uid = 1003
listen = *
mail_access_groups = mail
mail_full_filesystem_access = yes
mail_gid = mail
mail_location = mbox:~/mail/:INBOX=/var/spool/mail/%u
mail_max_keyword_length = 150
mail_privileged_group = mail
mail_uid = mail
passdb {
  args = *
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@
protocols = imap
service auth-worker {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
  vsz_limit = 16 M
}
service imap {
  process_limit = 4
  vsz_limit = 64 M
}
ssl_cert = </etc/apache2/ssl/cert.pem
ssl_key = </etc/apache2/ssl/key.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  imap_max_line_length = 64 k
}
-- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD, Radiologist, +36-20-825-8057
On 2012 February 23 (Thu) at 06:29, Timo Sirainen wrote:
> On 23.2.2012, at 7.20, Tóth Attila wrote:
>> I'm using a simple mbox config with regular Unix users and pam authentication.
>> I'm also using grsecurity. That's why I see what dovecot does in which user's name. As time goes by and new versions are coming, I can frustratedly see that more and more tasks are performed as root. Why?
> Fewer tasks should be running as root now. The master process code is a lot smaller.
>> When I used the 1.x series of Dovecot, the imap process started in the name of the user whose mbox was accessed. Now I can see that nearly every task is performed by root. Why? It even tampers with the mail directories of each user as root instead of as the user, as was usual long before.
> The imap process starts as root, does a userdb lookup and then drops privileges to that user. It worked this way before too, only the userdb lookup code was done by the master process.
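As an added example (my own code, not Dovecot's and not from either message in the thread), a small parser for the dovecot -n output quoted above, followed by a function that pulls out the settings this thread revolves around: the uid/gid settings and any service explicitly pinned to user = root. The function names are mine and the sample config is a constructed excerpt of the posted one.

```python
# Added example, not Dovecot's own code: parse "dovecot -n" output and pull out
# the settings that decide which Unix user mail processes drop to.
SAMPLE_CONF = """\
# 2.0.17 (684381041dc4+): /etc/dovecot/dovecot.conf   (constructed excerpt)
first_valid_uid = 1000
last_valid_uid = 1003
mail_uid = mail
mail_gid = mail
service auth-worker {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
userdb {
  driver = passwd
}
"""


def parse_dovecot_conf(text):
    """Nested dicts: "key = value" entries; "name [arg] {" opens a sub-dict."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if line.endswith("{"):                # block start, e.g. "service imap {"
            cur[line[:-1].strip()] = block = {}
            stack.append(cur)
            cur = block
        elif line == "}":                     # block end
            cur = stack.pop()
        else:                                 # plain "key = value"
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return root


def privilege_settings(cfg):
    """uid/gid settings plus every service explicitly pinned to user = root."""
    keys = ("mail_uid", "mail_gid", "first_valid_uid", "last_valid_uid")
    report = {k: cfg[k] for k in keys if k in cfg}
    report["services_as_root"] = sorted(
        name.split(" ", 1)[1] for name, block in cfg.items()
        if name.startswith("service ") and block.get("user") == "root")
    return report
```

Run it against your own dovecot -n output to see at a glance which services are configured to stay root and which uid range and mail_uid the mail processes are constrained to.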