/var/run/dovecot permission issues
I have an issue that surfaced when I tried to start using the new metrics service, but it looks like it may be a more generic issue.
When I enabled stats and started dovecot, I got the following error in the log:
Error: stats: open(/var/run/dovecot/stats-mail) failed: Permission denied
/var/run/dovecot/stats-mail did not exist. /var/run/dovecot/ existed, owned by root, which apparently was preventing dovecot from creating stats-mail. On advice from another list subscriber, I changed the ownership of /var/run/dovecot to the dovecot user. This doesn’t help.
Apparently /var/run/dovecot is deleted by dovecot when it shuts down, and recreated, with root ownership, when it restarts. stats-mail is created, with root ownership. Is there something I need to change to prevent dovecot from creating this directory owned by root? I was unaware of any problems before trying to enable stats, but the ownership of files in that directory is a mixed bag:
$ ls -l /var/run/dovecot
total 20
srw------- 1 root wheel 0 Aug 17 09:05 anvil
srw------- 1 root wheel 0 Aug 17 09:05 anvil-auth-penalty
srw------- 1 dovecot wheel 0 Aug 17 09:05 auth-client
srw------- 1 dovecot wheel 0 Aug 17 09:05 auth-login
srw-rw---- 1 alias qnofiles 0 Aug 17 09:05 auth-master
-rw------- 1 root wheel 32 Aug 17 09:05 auth-token-secret.dat
srw-rw-rw- 1 dovecot wheel 0 Aug 17 09:05 auth-userdb
srw------- 1 dovecot wheel 0 Aug 17 09:05 auth-worker
srw------- 1 root wheel 0 Aug 17 09:05 config
srw------- 1 root wheel 0 Aug 17 09:05 dict
srw------- 1 root wheel 0 Aug 17 09:05 dict-async
srw------- 1 root wheel 0 Aug 17 09:05 director-admin
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 dns-client
srw------- 1 root wheel 0 Aug 17 09:05 doveadm-server
lrwx------ 1 root wheel 35 Aug 17 09:05 dovecot.conf -> /usr/local/etc/dovecot/dovecot.conf
drwxr-xr-x 2 root wheel 512 Aug 17 09:05 empty
srw------- 1 root wheel 0 Aug 17 09:05 imap-hibernate
srw------- 1 root wheel 0 Aug 17 09:05 imap-master
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 imap-urlauth
srw------- 1 dovecot wheel 0 Aug 17 09:05 imap-urlauth-worker
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 indexer
srw------- 1 dovecot wheel 0 Aug 17 09:05 indexer-worker
srw------- 1 root wheel 0 Aug 17 09:05 ipc
srw------- 1 root wheel 0 Aug 17 09:05 log-errors
drwxr-x--- 2 root dovenull 512 Aug 17 09:05 login
srw------- 1 root wheel 0 Aug 17 09:05 master
-rw------- 1 root wheel 6 Aug 17 09:05 master.pid
srw------- 1 root wheel 0 Aug 17 09:05 replication-notify
prw------- 1 root wheel 0 Aug 17 09:05 replication-notify-fifo
srw------- 1 dovecot wheel 0 Aug 17 09:05 replicator
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 ssl-params
srw------- 1 root wheel 0 Aug 17 09:05 stats
prw------- 1 root wheel 0 Aug 17 09:05 stats-mail
prw------- 1 root wheel 0 Aug 17 09:05 stats-user
drwxr-x--- 2 root dovenull 512 Aug 17 09:05 token-login
$ doveconf -n
# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: FreeBSD 11.0-RELEASE-p9 amd64
auth_stats = yes
auth_verbose = yes
default_vsz_limit = 128 M
lock_method = flock
mail_location = maildir:~/Maildir
mail_plugins = " stats"
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.pipe vnd.dovecot.execute
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = imap
  driver = pam
}
plugin {
  recipient_delimiter = -
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve-pipe
  sieve_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve-pipe
  sieve_pipe_exec_timeout = 10s
  sieve_plugins = sieve_extprograms
  stats_refresh = 30s
}
protocols = imap
service auth {
  unix_listener auth-master {
    group = qnofiles
    mode = 0660
    user = alias
  }
  user = root
}
service imap-login {
  process_min_avail = 3
  vsz_limit = 94 M
}
ssl_cert =
On Aug 17, 2017, at 9:19 AM, Matt Simpson dclist@list.jmatt.net wrote:
> I have an issue that surfaced when I tried to start using the new metrics service, but it looks like it may be a more generic issue.
When I took a closer look at this, it might be a problem with the FreeBSD packaging of dovecot, and not in dovecot itself.
I’m running FreeBSD 11, and installed dovecot as a package using standard FreeBSD package utilities. The install process creates a start/stop script, and that script is creating the /var/run/dovecot directory at startup and removing it at shutdown.
The command which creates the directory is
/usr/bin/install -o root -g wheel -m 0755 -d ${base_dir}
which apparently just creates a directory with the specified owner and group.
At this point, I’m a little confused about the best way to proceed. Any other FreeBSD dovecot users here? Currently, it looks like the startup script is creating /var/run/dovecot, owned by root. Then dovecot creates /var/run/dovecot/stats-mail, also owned by root. I could possibly alter the startup script to create /var/run/dovecot owned by dovecot instead of root, but I don’t think that will change the ownership of stats-mail, which seems to be created by dovecot running as root, and then attempted to write by dovecot running as a different user. Does anybody know what’s going on here?
In /usr/local/etc/dovecot/conf.d/90-plugin.conf:
service stats {
  chroot = empty
  client_limit = 0
  drop_priv_before_exec = no
  executable = stats
  extra_groups =
  fifo_listener stats-mail {
    group =
    mode = 0666
    user =
  }
  fifo_listener stats-user {
    group =
    mode = 0666
    user =
  }
  group =
  idle_kill = 4294967295 secs
  privileged_group =
  process_limit = 1
  process_min_avail = 0
  protocol =
  service_count = 0
  type =
  unix_listener stats {
    group =
    mode = 0666
    user =
  }
  user = $default_internal_user
  vsz_limit = 18446744073709551615 B
}
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 E-Mail: larryrtx@gmail.com US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106
On Aug 17, 2017, at 12:07 PM, Larry Rosenman larryrtx@gmail.com wrote:
> In /usr/local/etc/dovecot/conf.d/90-plugin.conf:
Thanks. Those config statements fixed the problem.
I'm glad to read this thread. I didn't even know that dovecot stats existed.
Which statistics do you find most useful?
Bill
On 8/17/2017 7:07 PM, Larry Rosenman wrote:
> In /usr/local/etc/dovecot/conf.d/90-plugin.conf:
It should be enough to just set permissions as other options are defaults.
/usr/local/etc/dovecot/conf.d/10-master.conf:
service stats {
  fifo_listener stats-mail {
    mode = 0666
  }
  fifo_listener stats-user {
    mode = 0666
  }
  unix_listener stats {
    mode = 0666
  }
}
BTW, I'm not sure if write permissions on the 'stats-user' and 'stats' listeners are required for the metrics service. At least I have no evidence that Dovecot ever tried to write to those listeners. Probably it is enough to set write permissions on 'stats-mail'.
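Added example, not part of any message in this thread: a way to check which sockets and FIFOs under /var/run/dovecot are writable by every local account before and after changing listener modes as discussed above. The function names are hypothetical, and the sample lines are a constructed subset of the listing posted at the start of the thread.

```shell
#!/bin/sh
# Added example: classify Dovecot base_dir listeners by who may write to them.
# Real use:  ls -l /var/run/dovecot | classify_listeners

# Reads `ls -l` lines on stdin; for each socket (s) or FIFO (p) prints
#   <class> <mode> <owner>:<group> <name>
# where class is "world" (other-write bit set), "group" or "owner".
classify_listeners() {
    awk '
        $1 ~ /^[sp]/ && NF >= 9 {
            mode = $1
            if (substr(mode, 9, 1) == "w")      cls = "world"
            else if (substr(mode, 6, 1) == "w") cls = "group"
            else                                cls = "owner"
            print cls, mode, $3 ":" $4, $9
        }'
}

# Names of the listeners that any local account can write to.
world_writable() {
    classify_listeners | awk '$1 == "world" { print $4 }'
}

# Constructed sample: a subset of the listing from the first message,
# taken before the mode = 0666 change was applied.
sample_listing() {
    cat <<'EOF'
total 20
srw------- 1 root wheel 0 Aug 17 09:05 anvil
srw-rw---- 1 alias qnofiles 0 Aug 17 09:05 auth-master
-rw------- 1 root wheel 32 Aug 17 09:05 auth-token-secret.dat
srw-rw-rw- 1 dovecot wheel 0 Aug 17 09:05 auth-userdb
srw-rw-rw- 1 root wheel 0 Aug 17 09:05 dns-client
drwxr-x--- 2 root dovenull 512 Aug 17 09:05 login
srw------- 1 root wheel 0 Aug 17 09:05 stats
prw------- 1 root wheel 0 Aug 17 09:05 stats-mail
prw------- 1 root wheel 0 Aug 17 09:05 stats-user
EOF
}

sample_listing | classify_listeners
```

In the sample, stats-mail is reported as "owner" with root:wheel, which matches the Permission denied error for a mail process running as another user; after the change it would move to "world", and the same check shows whether stats-user and stats were opened up as well.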
participants (4)
- Alexander Moisseev
- Bill Shirley
- Larry Rosenman
- Matt Simpson