Re: [Dovecot] doveadm -A stops processing at first uid<first_valid_uid

6 Mar 2012

      On Sun, 4 Mar 2012, Timo Sirainen writes:
...
...
I would like to run various doveadm commands that involves all (mail) users like
doveadm expunge -A mailbox Trash savedbefore 30d
but any doveadm command that uses "-A" to iterate through all users will
stop processing at the first account with UID<first_valid_uid.
What userdb are you using? userdb passwd should already skip users that
aren't in the valid range. And what Dovecot version are you using?
passwd-file under dovecot 2.0.16.
...
And one more thing: Does it really even stop there? Looking at the code
it's supposed to log an error and continue to next user. Note that it says
"Failed to iterate through SOME users".
The wording did not escape my notice, which is why I suspect it's not doing
what it was designed to do.  This is my test:
# Command
doveadm mailbox list -A

# Start of password file
sysdaemon:*:500:500:System daemon:/:/dev/null
... and the rest ...

# dovecot.conf
...
first_valid_uid = 10000
first_valid_gid = 10000
...
In this situation, doveadm will exit immediately with an UID error
message.  If I change the UID>10000, it will produce the analogous GID
error message.  If I satify both UID and GID constraints, it will fail
on the next daemon entry.  If I move the sysdaemon entry all the way to
the bottom of the pasword file, I get
user1 saved-messages
user1 sent-mail
user1 postponed-msgs
user1 temp
user1 temp/temp
user1 INBOX
user2 sent-mail
user2 101
user2 345
user2 ckf
... all user's mailbox with UID>10000, then ...
doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop privileges: Mail access for users with UID 500 not permitted (see first_valid_uid in config file, uid from userdb lookup).
doveadm(sysdaemon): Error: User init failed
doveadm: Error: Failed to iterate through some users
...
Oh, it says about first_valid_gid. Is sysdaemon's UID within valid range?
Sorry for this error mismatch -- I cut&pasted the wrong test output;
however, the problem I witnessed applies to both UID and GID (if either
constraint is not met, user iteration terminates).
...
I also added this today: http://hg.dovecot.org/dovecot-2.1/rev/85a8d582d37f
It looks like I'll be upgrading.  Oh, I just spotted this in the ChangeLog --
maybe you are undoing this?
(2010-10-21)
     * src/auth/auth-settings.c, src/auth/auth-settings.h, src/auth/userdb-
     passwd.c:
     auth: userdb passwd iteration now lists only users within
     first_valid_uid..last_valid_uid range.
     [745ef289b0ea]
Joseph Tam <jtam.home@gmail.com>