On November 29, 2009 8:11:28 PM +0100 Thomas Leuxner <tlx@leuxner.net> wrote:

Am 29.11.2009 um 19:24 schrieb Frank Cusack:

...

dovecot-1.2.8 creates /var/run/dovecot mode 750.

I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.

Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)

I will say this: dovecot's error reporting in general is head and shoulders above the norm. Makes tracking down problems sooo much easier.

Something else I noticed, should the dict-server socket really be mode 777? At least a-x I would think.

-frank

Probably easier to tell if you would post your setup, but I guess this fixes it:

socket listen { master { path = /var/run/dovecot/auth-master mode = 0600 user= vmail group = vmail }

No, as that only affects the socket itself. If you look at the error message and my email you see that the problem is in the parent directory.

I do have user=vmail on the socket. I didn't set group=vmail but with mode 0600 that doesn't matter.

-frank

On November 29, 2009 8:40:13 PM +0100 Thomas Leuxner <tlx@leuxner.net> wrote:

Am 29.11.2009 um 20:31 schrieb Frank Cusack:

...

...

...

dovecot-1.2.8 creates /var/run/dovecot mode 750.

I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.

Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)

So it can't access that directory as it states. It would create that structure upon start to my knowledge. Mine is

[20:38] root spectre:/# l -d /var/run/dovecot drwxr-xr-x 3 root root 4096 2009-11-25 13:20 /var/run/dovecot

What is yours?

Mine is, as I noted in the very first line of my email, mode 750. I normally would have removed all of the quoted lines above but I left it so you can see back to the first line.

You are probably missing the information that this is new in dovecot-1.2.8. Prior to that, dovecot created /var/run/dovecot mode 777, which was a security hole.

I wasn't looking for a fix, I was reporting a problem. It only affects systems where /var/run is on tmpfs and so dovecot has to create /var/run/dovecot the first time it runs after a reboot.

Thanks for the look, though.

-frank

On November 29, 2009 9:31:22 PM -0500 Timo Sirainen <tss@iki.fi> wrote:

On Nov 29, 2009, at 1:24 PM, Frank Cusack wrote:

...

dovecot-1.2.8 creates /var/run/dovecot mode 750.

No, it creates it with mode 0755. Did you compile from sources? Are you sure it's 0750 if you rm -rf the directory and start "dovecot" binary directly (instead of e.g. some init script creating it)?

You're right, thank you. I am using 1.2.8 from source but my init script still has the directory creation itself as well ... which sets the wrong mode.

-frank