[Dovecot] sievec - manual compile of global sieve scripts?
How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)
# ls -la /etc/dovecot/sieve/before/ drwxrwxr-x 2 root root 4096 Aug 1 15:56 . drwxr-xr-x 5 root root 4096 Aug 1 13:23 .. -rw-rw-r-- 1 root root 477 Aug 1 15:33 spam.sieve
Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the vmail:vmail user? (Which worked, but seems like a bad idea.)
Output of dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf # OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server release 5.7 (Tikanga) auth_verbose_passwords = sha1 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = 127.0.0.1, 1.2.3.4 mail_gid = vmail mail_home = /var/vmail/%d/%n mail_location = maildir:~/Maildir mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mbox_write_locks = fcntl passdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } plugin { sieve = ~/.dovecot.sieve sieve_after = /etc/dovecot/sieve/after/ sieve_before = /etc/dovecot/sieve/before/ sieve_dir = ~/sieve sieve_global_dir = /etc/dovecot/sieve/globalinclude/ } protocols = imap pop3 lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { group = vmail user = vmail } } service imap-login { process_min_avail = 5 } service pop3-login { inet_listener pop3 { address = 1.2.3.4 } inet_listener pop3s { address = 1.2.3.4 } } ssl = required ssl_cert = </etc/pki/tls/private/certs/example_com.crt ssl_key = </etc/pki/tls/private/example_com.key protocol lda { log_path = /var/log/dovecot/dovecot-lda mail_plugins = " sieve" }
On 8/1/2011 10:11 PM, Thomas Harold wrote:
How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)
Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts.
# ls -la /etc/dovecot/sieve/before/ drwxrwxr-x 2 root root 4096 Aug 1 15:56 . drwxr-xr-x 5 root root 4096 Aug 1 13:23 .. -rw-rw-r-- 1 root root 477 Aug 1 15:33 spam.sieve
Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the vmail:vmail user? (Which worked, but seems like a bad idea.)
It is a bad idea. Vmail would only need read access.
Regards,
Stephan
On 8/1/2011 8:43 PM, Stephan Bosch wrote:
On 8/1/2011 10:11 PM, Thomas Harold wrote:
How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)
Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts.
Sorry, I may not have been clear before, I am trying to run sievec as root. So the error is confusing to me because it looks like sievec is trying to drop privs and do the compile as the vmail user. I haven't done anything special to the sievec file (like making it run as vmail or always run as root, SELinux is in permissive mode until I gather up enough entries in the audit log to make an audit2allow run useful).
# ls -la /usr/local/bin -rwxr-xr-x 1 root root 123989 Aug 1 12:25 sievec -rwxr-xr-x 1 root root 119415 Aug 1 12:25 sieve-dump -rwxr-xr-x 1 root root 133592 Aug 1 12:25 sieve-test
As a workaround, I may temporarily alter my Makefile to set the directory writable by the vmail group, compile the scripts, then set the directory read-only again. The files end up owned as vmail:vmail when I do that, even though I execute the "sievec" command as root.
# /usr/local/bin/sievec sortspam.sieve sortspam.svbin -rw-rw-r-- 1 root root 477 Aug 1 15:33 sortspam.sieve -rw-rw-r-- 1 vmail vmail 321 Aug 2 08:26 sortspam.svbin
...
My current Makefile.
# cat Makefile # http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#scriptcompile SIEVEC=/usr/local/bin/sievec
SRCS=$(wildcard *.sieve) OBJS=$(SRCS:.sieve=.svbin)
all: $(OBJS)
%.svbin : %.sieve $(SIEVEC) $? $@
On 8/2/2011 2:32 PM, Thomas Harold wrote:
On 8/1/2011 8:43 PM, Stephan Bosch wrote:
On 8/1/2011 10:11 PM, Thomas Harold wrote:
How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)
Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts.
Sorry, I may not have been clear before, I am trying to run sievec as root. So the error is confusing to me because it looks like sievec is trying to drop privs and do the compile as the vmail user. I haven't done anything special to the sievec file (like making it run as vmail or always run as root, SELinux is in permissive mode until I gather up enough entries in the audit log to make an audit2allow run useful).
# ls -la /usr/local/bin -rwxr-xr-x 1 root root 123989 Aug 1 12:25 sievec -rwxr-xr-x 1 root root 119415 Aug 1 12:25 sieve-dump -rwxr-xr-x 1 root root 133592 Aug 1 12:25 sieve-test
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using and what is your config (show dovecot -n output) ?
I suspect there may be a bug.
Regards,
Stephan.
On 8/2/2011 8:45 AM, Stephan Bosch wrote:
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using and what is your config (show dovecot -n output) ?
I suspect there may be a bug.
dovecot-2.0-pigeonhole-0.2.3 - downloaded and compiled from source this week. The dovecot package itself comes from ATRPMs and is 2.0.13.
Name : dovecot Arch : x86_64 Epoch : 1 Version : 2.0.13 Release : 1_129.el5 Size : 5.1 M Repo : installed Summary : Dovecot Secure imap server URL : http://www.dovecot.org/ License : MIT
Name : dovecot-devel Arch : x86_64 Epoch : 1 Version : 2.0.13 Release : 1_129.el5 Size : 667 k Repo : installed Summary : Libraries and headers for Dovecot URL : http://www.dovecot.org/ License : MIT
Output of dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf # OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server release 5.7 (Tikanga) auth_verbose_passwords = sha1 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = 127.0.0.1, 1.2.3.4 mail_gid = vmail mail_home = /var/vmail/%d/%n mail_location = maildir:~/Maildir mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mbox_write_locks = fcntl passdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } plugin { sieve = ~/.dovecot.sieve sieve_after = /etc/dovecot/sieve/after/ sieve_before = /etc/dovecot/sieve/before/ sieve_dir = ~/sieve sieve_global_dir = /etc/dovecot/sieve/globalinclude/ } protocols = imap pop3 lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { group = vmail user = vmail } } service imap-login { process_min_avail = 5 } service pop3-login { inet_listener pop3 { address = 1.2.3.4 } inet_listener pop3s { address = 1.2.3.4 } } ssl = required ssl_cert = </etc/pki/tls/private/certs/example_com.crt ssl_key = </etc/pki/tls/private/example_com.key protocol lda { log_path = /var/log/dovecot/dovecot-lda mail_plugins = " sieve" }
Mine has always behaved like this.
It looks up the root user in the auth database from the dovecot
config, and attemps to change to that user, and in this type of case
that would be vmail.
Then it attempts to check the mail_home and kind of fails, unless you
give vmail permission to that path that would be created using the
root user.
Quoting Thomas Harold <thomas-lists@nybeta.com>:
On 8/2/2011 8:45 AM, Stephan Bosch wrote:
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using and what is your config (show dovecot -n output) ?
I suspect there may be a bug.
dovecot-2.0-pigeonhole-0.2.3 - downloaded and compiled from source
this week. The dovecot package itself comes from ATRPMs and is
2.0.13.Name : dovecot Arch : x86_64 Epoch : 1 Version : 2.0.13 Release : 1_129.el5 Size : 5.1 M Repo : installed Summary : Dovecot Secure imap server URL : http://www.dovecot.org/ License : MIT
Name : dovecot-devel Arch : x86_64 Epoch : 1 Version : 2.0.13 Release : 1_129.el5 Size : 667 k Repo : installed Summary : Libraries and headers for Dovecot URL : http://www.dovecot.org/ License : MIT
Output of dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf # OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server
release 5.7 (Tikanga) auth_verbose_passwords = sha1 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = 127.0.0.1, 1.2.3.4 mail_gid = vmail mail_home = /var/vmail/%d/%n mail_location = maildir:~/Maildir mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date mbox_write_locks = fcntl passdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } plugin { sieve = ~/.dovecot.sieve sieve_after = /etc/dovecot/sieve/after/ sieve_before = /etc/dovecot/sieve/before/ sieve_dir = ~/sieve sieve_global_dir = /etc/dovecot/sieve/globalinclude/ } protocols = imap pop3 lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { group = vmail user = vmail } } service imap-login { process_min_avail = 5 } service pop3-login { inet_listener pop3 { address = 1.2.3.4 } inet_listener pop3s { address = 1.2.3.4 } } ssl = required ssl_cert = </etc/pki/tls/private/certs/example_com.crt ssl_key = </etc/pki/tls/private/example_com.key protocol lda { log_path = /var/log/dovecot/dovecot-lda mail_plugins = " sieve" }
participants (3)
-
Patrick Domack
-
Stephan Bosch
-
Thomas Harold