[Dovecot] Fatal: chdir( ) failed: Permission denied
Hi
Dovecot fails to chdir() into user's home directory giving the following error:
Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina) failed: Permission denied (euid=1118 0(mina) egid=11332(devel) missing +x perm: /a/home)
Oct 9 16:43:49 jura dovecot: dovecot: child 14441 (imap) returned error 89 (Fatal failure)
The reason seems to be that user primary group is "devel" and directory /a/home has ACL which gives execute permission only to the users in "domain users" group. Now the catch is that the user _is_ member of "domain users" group and is happily accessing his home directory over CIFS(Samba) for long time. Also, the user has no problem entering his home directory when using shell access. It just seems like the user lost membership of a bunch of supplementary groups. The group membership info is coming from M$ PDC via winbind and NSS. We have few users and can change the users primary group and/or relax the /a/home directory ACL, but overall this is not right. Shall I shut up or can we hope for a fix or at least explanation?
Thanks
jura:/a # ls -la
drwxrws--T+ 3 root domain admins 18 Oct 8 15:10 home
jura:/a # getfacl home/
# file: home
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:domain\040users:--x
mask::rwx
other::---
Vallo
On Fri, Oct 09, 2009 at 11:15:29AM -0400, Charles Marcus <CMarcus@Media-Brokers.com> wrote:
On 10/9/2009, Vallo Kallaste (kalts@estpak.ee) wrote:
Dovecot fails to chdir() into user's home directory giving the following error:
DC version / dovecot -n?
Uhm, I'm truly sorry:
M$ DC is NT4 with all the patches one can dig up.
# 1.2.5: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.16 i686 Linux (i586)
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_location: maildir:~/.maildir
lda:
  postmaster_address: postmaster@some.where
  mail_plugins: sieve
  mail_plugin_dir: /usr/lib/dovecot/modules/lda
auth default:
  verbose: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
plugin:
  sieve: ~/.dovecot.sieve
  sieve_global_path: /etc/dovecot/sieve/default.sieve
  sieve_dir: ~/.sieve
  sieve_global_dir: /etc/dovecot/sieve/global/
Vallo
On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
The reason seems to be that user primary group is "devel" and
directory /a/home has ACL which gives execute permission only to the users in "domain
users" group. Now the catch is that the user _is_ member of "domain users"
group and is happily accessing his home directory over CIFS(Samba) for long
time.
What does Dovecot log with auth_debug=yes?
On Fri, Oct 09, 2009 at 11:26:19AM -0400, Timo Sirainen <tss@iki.fi> wrote:
On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
The reason seems to be that user primary group is "devel" and directory /a/home has ACL which gives execute permission only to the users in "domain users" group. Now the catch is that the user _is_ member of "domain users" group and is happily accessing his home directory over CIFS(Samba) for long time.
What does Dovecot log with auth_debug=yes?
Oct 9 18:53:49 jura dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=192.168.10.3 rip=192.168.25.1 lport=143 rport=3659
Oct 9 18:53:49 jura dovecot: auth(default): client out: CONT 1
Oct 9 18:53:49 jura dovecot: auth(default): client in: CONT<hidden>
Oct 9 18:53:49 jura dovecot: auth-worker(default): pam(ftest,192.168.25.1): lookup service=dovecot
Oct 9 18:53:49 jura dovecot: auth-worker(default): pam(ftest,192.168.25.1): #1/1 style=1 msg=Password:
Oct 9 18:53:49 jura dovecot: auth(default): client out: OK 1 user=ftest
Oct 9 18:53:49 jura dovecot: auth(default): master in: REQUEST 36 26941 1
Oct 9 18:53:49 jura dovecot: auth(default): passwd(ftest,192.168.25.1): lookup
Oct 9 18:53:49 jura dovecot: auth(default): master out: USER 36 ftest system_groups_user=ftest uid=11745 gid=11332 home=/a/home/ftest
Oct 9 18:53:49 jura dovecot: imap-login: Login: user=<ftest>, method=PLAIN, rip=192.168.25.1, lip=192.168.10.3, TLS
Oct 9 18:53:49 jura dovecot: dovecot: Fatal: chdir(/a/home/ftest) failed: Permission denied (euid=11745(ftest) egid=11332(devel) missing +x perm: /a/home)
Oct 9 18:53:49 jura dovecot: dovecot: child 26943 (imap) returned error 89 (Fatal failure)
Uid/gid are right, gid=11332 is group "devel". The user has several supplementary groups which are something like this (mangled):
jura:~ # id ftest
uid=11745(ftest) gid=11332(devel) groups=11332(devel),11812(xxx),11813(xxx_test),10513(domain users),11472(xxxmonitor),11409(monitor),11354(offline_xxx_mon),11323(it),11456(YYY),11237(ZZZZ)
Vallo
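Added example, not part of the original thread and not Dovecot code: a small model of the POSIX ACL access check from acl(5), run against the /a/home ACL and the ftest identity posted above. It compares a process that carries the full group list from `id ftest` with one that carries only the primary group devel. The GID used for "domain admins" is an assumed placeholder, since the thread does not give it.

```python
# Added illustration: POSIX ACL access check (acl(5)) for the /a/home ACL
# and the ftest identity quoted in this thread. Root's capability override
# is not modelled.
R, W, X = 4, 2, 1

# ACL of /a/home as printed by getfacl in the thread. GID 10513 ("domain
# users") is taken from the `id ftest` output; 10512 for "domain admins"
# is an assumed placeholder, the thread does not state it.
HOME_ACL = {
    "owner_uid": 0,               # owner: root
    "user_obj": R | W | X,        # user::rwx
    "named_users": {},
    "group_gid": 10512,           # group: domain admins (assumed GID)
    "group_obj": R | W | X,       # group::rwx
    "named_groups": {10513: X},   # group:domain users:--x
    "mask": R | W | X,            # mask::rwx
    "other": 0,                   # other::---
}

# Identity from the thread: euid/egid from the log, groups from `id ftest`.
FTEST_UID, FTEST_GID = 11745, 11332
FTEST_GROUPS = (11332, 11812, 11813, 10513, 11472,
                11409, 11354, 11323, 11456, 11237)


def acl_allows(acl, want, euid, egid, supplementary=()):
    """Return True if the ACL grants every permission bit in `want`."""
    if euid == acl["owner_uid"]:
        return (acl["user_obj"] & want) == want
    if euid in acl["named_users"]:
        return (acl["named_users"][euid] & acl["mask"] & want) == want
    # Group class: the effective GID and all supplementary GIDs are candidates.
    gids = {egid, *supplementary}
    entries = dict(acl["named_groups"])
    entries[acl["group_gid"]] = acl["group_obj"]
    matched = [perm & acl["mask"] for gid, perm in entries.items() if gid in gids]
    if matched:
        # One matching entry must carry all requested bits; "other" is not consulted.
        return any((perm & want) == want for perm in matched)
    return (acl["other"] & want) == want


def can_traverse_home(supplementary):
    """Can ftest pass through /a/home (needs +x) with this group list?"""
    return acl_allows(HOME_ACL, X, FTEST_UID, FTEST_GID, supplementary)
```

With the full list, `can_traverse_home(FTEST_GROUPS)` is True; with an empty supplementary list it is False, which matches the "missing +x perm: /a/home" message in the log.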
On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina)
failed: Permission denied (euid=1118 0(mina) egid=11332(devel) missing +x perm: /a/home)
Oh, right, this happens before execing imap. Hmm. Well,
mail_drop_priv_before_exec=yes probably helps you. I'll have to figure
out if I should change something here..
On Fri, Oct 09, 2009 at 12:14:25PM -0400, Timo Sirainen <tss@iki.fi> wrote:
Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina) failed: Permission denied (euid=1118 0(mina) egid=11332(devel) missing +x perm: /a/home)
Oh, right, this happens before execing imap. Hmm. Well, mail_drop_priv_before_exec=yes probably helps you. I'll have to figure out if I should change something here..
Just FYI, the problem remains after turning the mail_drop_priv_before_exec=yes flag on.
Vallo
On Fri, 2009-10-09 at 20:02 +0300, Vallo Kallaste wrote:
On Fri, Oct 09, 2009 at 12:14:25PM -0400, Timo Sirainen <tss@iki.fi> wrote:
Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina) failed: Permission denied (euid=1118 0(mina) egid=11332(devel) missing +x perm: /a/home)
Oh, right, this happens before execing imap. Hmm. Well, mail_drop_priv_before_exec=yes probably helps you. I'll have to figure out if I should change something here..
Just FYI, the problem remains after turning the mail_drop_priv_before_exec=yes flag on.
Right, I looked at the code wrong. I think I won't change this in v1.x because it might break something, but you could move
ret = chdir(full_home_dir);
in src/master/mail-process.c just before:
client_process_exec(set->mail_executable, title);
and then it should work with mail_drop_priv_before_exec=yes. I'll get this fixed properly in v2.0.
Quoting Timo Sirainen <tss@iki.fi>:
On Fri, 2009-10-09 at 20:02 +0300, Vallo Kallaste wrote:
On Fri, Oct 09, 2009 at 12:14:25PM -0400, Timo Sirainen <tss@iki.fi> wrote:
Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina) failed: Permission denied (euid=1118 0(mina) egid=11332(devel) missing +x perm: /a/home)
Oh, right, this happens before execing imap. Hmm. Well, mail_drop_priv_before_exec=yes probably helps you. I'll have to figure out if I should change something here..
Just FYI, the problem remains after turning the mail_drop_priv_before_exec=yes flag on.
Right, I looked at the code wrong. I think I won't change this in v1.x because it might break something, but you could move
ret = chdir(full_home_dir);
in src/master/mail-process.c just before:
client_process_exec(set->mail_executable, title);
and then it should work with mail_drop_priv_before_exec=yes. I'll get this fixed properly in v2.0.
This worked for 1.2.6 but it does not for 1.2.10
Helga Mayer
participants (4)
- Charles Marcus
- Helga Mayer
- Timo Sirainen
- Vallo Kallaste