[Dovecot] /var/run/dovecot mode 750 too tight
dovecot-1.2.8 creates /var/run/dovecot mode 750.
I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.
Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)
I will say this: dovecot's error reporting in general is head and shoulders above the norm. Makes tracking down problems sooo much easier.
Something else I noticed, should the dict-server socket really be mode 777? At least a-x I would think.
-frank
On 29.11.2009 at 19:24, Frank Cusack wrote:
> dovecot-1.2.8 creates /var/run/dovecot mode 750.
> I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.
> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)
> I will say this: dovecot's error reporting in general is head and shoulders above the norm. Makes tracking down problems sooo much easier.
> Something else I noticed, should the dict-server socket really be mode 777? At least a-x I would think.
> -frank
Probably easier to tell if you would post your setup, but I guess this fixes it:
socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0600
    user = vmail
    group = vmail
  }
}
Regards Thomas
On November 29, 2009 8:11:28 PM +0100 Thomas Leuxner <tlx@leuxner.net> wrote:
> On 29.11.2009 at 19:24, Frank Cusack wrote:
>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
>> I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.
>> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)
>> I will say this: dovecot's error reporting in general is head and shoulders above the norm. Makes tracking down problems sooo much easier.
>> Something else I noticed, should the dict-server socket really be mode 777? At least a-x I would think.
>> -frank
> Probably easier to tell if you would post your setup, but I guess this fixes it:
> socket listen {
>   master {
>     path = /var/run/dovecot/auth-master
>     mode = 0600
>     user = vmail
>     group = vmail
>   }
> }
No, as that only affects the socket itself. If you look at the error message and my email you see that the problem is in the parent directory.
I do have user=vmail on the socket. I didn't set group=vmail but with mode 0600 that doesn't matter.
-frank
On 29.11.2009 at 20:31, Frank Cusack wrote:
> dovecot-1.2.8 creates /var/run/dovecot mode 750.
> I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.
> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)
So it can't access that directory as it states. It would create that structure upon start to my knowledge. Mine is
[20:38] root spectre:/# l -d /var/run/dovecot
drwxr-xr-x 3 root root 4096 2009-11-25 13:20 /var/run/dovecot
What is yours?
Regards Thomas
On November 29, 2009 8:40:13 PM +0100 Thomas Leuxner <tlx@leuxner.net> wrote:
> On 29.11.2009 at 20:31, Frank Cusack wrote:
>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
>> I run postfix+dovecot in a virtual user setup. Postfix calls deliver as user vmail group vmail.
>> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)
> So it can't access that directory as it states. It would create that structure upon start to my knowledge. Mine is
> [20:38] root spectre:/# l -d /var/run/dovecot
> drwxr-xr-x 3 root root 4096 2009-11-25 13:20 /var/run/dovecot
> What is yours?
Mine is, as I noted in the very first line of my email, mode 750. I normally would have removed all of the quoted lines above but I left it so you can see back to the first line.
You are probably missing the information that this is new in dovecot-1.2.8. Prior to that, dovecot created /var/run/dovecot mode 777, which was a security hole.
I wasn't looking for a fix, I was reporting a problem. It only affects systems where /var/run is on tmpfs and so dovecot has to create /var/run/dovecot the first time it runs after a reboot.
Thanks for the look, though.
-frank
On Nov 29, 2009, at 1:24 PM, Frank Cusack wrote:
> dovecot-1.2.8 creates /var/run/dovecot mode 750.
No, it creates it with mode 0755. Did you compile from sources? Are you sure it's 0750 if you rm -rf the directory and start "dovecot" binary directly (instead of e.g. some init script creating it)?
On November 29, 2009 9:31:22 PM -0500 Timo Sirainen <tss@iki.fi> wrote:
> On Nov 29, 2009, at 1:24 PM, Frank Cusack wrote:
>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
> No, it creates it with mode 0755. Did you compile from sources? Are you sure it's 0750 if you rm -rf the directory and start "dovecot" binary directly (instead of e.g. some init script creating it)?
You're right, thank you. I am using 1.2.8 from source but my init script still has the directory creation itself as well ... which sets the wrong mode.
-frank
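The failure in this thread is a plain Unix DAC problem: deliver, running as vmail, needs search (+x) permission on every directory above the auth-master socket and write permission on the socket itself, and the pre-1.2.8 mode 0777 run directory was the opposite hazard (any local user could swap the socket). The following is an added example, not code from the thread or from dovecot: a Python check that applies the owner/group/other rule the kernel uses to each path component, reports the same "missing +x" condition dovecot logged, flags world-writable directories without the sticky bit, and warns when a socket is connectable by anyone. Entry, THREAD_CASE, with_run_dir_mode and the 500:500 uid/gid are constructed for the example; entries_for() walks the real filesystem and is what you would point at /var/run/dovecot/auth-master after a reboot on a tmpfs /var/run to see what an init script actually produced.

```python
"""Permission-chain check for a Unix socket (added example, not dovecot code).

Reproduces the deliver(frank) failure from the thread: connect() to
/var/run/dovecot/auth-master as vmail fails when /var/run/dovecot is
0750 root:root, and passes once the directory is 0755.
"""
import os
import stat
from typing import List, NamedTuple, Set


class Entry(NamedTuple):
    path: str
    mode: int  # full st_mode: file-type bits plus permission bits
    uid: int
    gid: int


def _allowed(e: Entry, uid: int, gids: Set[int], bits) -> bool:
    """Classic Unix DAC: owner bits apply if the uid matches, otherwise group
    bits if any gid matches, otherwise the 'other' bits. uid 0 bypasses."""
    owner_bit, group_bit, other_bit = bits
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & owner_bit)
    if e.gid in gids:
        return bool(e.mode & group_bit)
    return bool(e.mode & other_bit)


def check_socket_access(entries: List[Entry], uid: int, gids: Set[int]) -> List[str]:
    """entries runs from the root directory down to the socket itself.
    Returns findings; an empty list means the principal can traverse the
    chain and connect, and no parent directory is world-writable."""
    findings = []
    *dirs, sock = entries
    for d in dirs:
        perm = oct(stat.S_IMODE(d.mode))
        if not stat.S_ISDIR(d.mode):
            findings.append(f"{d.path}: not a directory")
            continue
        # Traversal needs +x on every parent (dovecot's 'missing +x perm').
        if not _allowed(d, uid, gids, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
            findings.append(f"{d.path}: missing +x for uid={uid} (mode {perm})")
        # World-writable without the sticky bit lets any local user replace
        # the socket with their own (the pre-1.2.8 mode 0777 hole).
        if d.mode & stat.S_IWOTH and not d.mode & stat.S_ISVTX:
            findings.append(f"{d.path}: world-writable without sticky bit (mode {perm})")
    perm = oct(stat.S_IMODE(sock.mode))
    if not stat.S_ISSOCK(sock.mode):
        findings.append(f"{sock.path}: not a socket")
    elif not _allowed(sock, uid, gids, (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)):
        # On Linux connect() needs write permission on the socket inode.
        findings.append(f"{sock.path}: missing +w for uid={uid} (mode {perm})")
    elif sock.mode & stat.S_IWOTH:
        findings.append(f"warning: {sock.path}: any local user can connect (mode {perm})")
    return findings


def entries_for(sock_path: str) -> List[Entry]:
    """Walk the real filesystem from / down to sock_path (symlinks followed)."""
    cur = os.path.abspath(sock_path)
    chain = []
    while True:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    chain.reverse()
    return [Entry(p, os.stat(p).st_mode, os.stat(p).st_uid, os.stat(p).st_gid) for p in chain]


# Constructed from the thread (uids are assumptions): deliver runs as vmail
# 500:500, the socket is 0600 vmail:vmail, the init script made the run
# directory 0750 root:root.
VMAIL_UID, VMAIL_GID = 500, 500
THREAD_CASE = [
    Entry("/", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/var", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/var/run", stat.S_IFDIR | 0o755, 0, 0),
    Entry("/var/run/dovecot", stat.S_IFDIR | 0o750, 0, 0),
    Entry("/var/run/dovecot/auth-master", stat.S_IFSOCK | 0o600, VMAIL_UID, VMAIL_GID),
]


def with_run_dir_mode(entries: List[Entry], mode: int) -> List[Entry]:
    """Copy of entries with /var/run/dovecot's permission bits replaced."""
    return [e._replace(mode=stat.S_IFDIR | mode) if e.path == "/var/run/dovecot" else e
            for e in entries]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/run/dovecot/auth-master"
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else os.getuid()
    gid = int(sys.argv[3]) if len(sys.argv) > 3 else uid
    for line in check_socket_access(entries_for(path), uid, {gid}) or ["ok"]:
        print(line)
```

Run it as root so every component can be stat()ed, passing the uid and gid deliver actually runs under (for example the script name followed by /var/run/dovecot/auth-master 500 500). The check deliberately reads only mode bits rather than calling access(2), so it reports what vmail would see even when you run it as root, and it applies the owner-then-group-then-other rule strictly: an owner with no x bit is refused even if the group bits would allow it, which is how the kernel behaves.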
participants (3)
- Frank Cusack
- Thomas Leuxner
- Timo Sirainen