On 14 Jul 2019, at 10.10, Jean-Daniel via dovecot dovecot@dovecot.org wrote:
Hello,
I want to monitor dovecot stats, and so I have an exporter process that runs with limited rights. The monitoring user has only access to /var/run/dovecot/stats-reader and it works fine. Doveadm stats dump returns the list of all stats as expected.
But each time I run doveadm stats dump, it logs the following error:
Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
So what is the purpose of the stats-writer socket, and why does doveadm try to open it to simply dump stats? Is it really something it needs and I should update my user permissions, or is it a doveadm bug?
All Dovecot processes nowadays connect to the stats-writer process early on before they drop privileges, unless it's explicitly disabled in the code. In doveadm's case I suppose most commands would want to connect to stats-writer, but we could have a per-command flag to specify that the command doesn't want stats. I'll add this to our internal Jira.