CRAM MD5 passwd db permission issue
I am busy migrating. I am moving from macOS+MacPorts to Ubuntu+Docker
On the old system, I have this in the dovecot config:

    mail_uid = _dovecot
    mail_gid = mail
    mail_privileged_group = mail
    mail_access_groups = mail

This seems weird to me, I think the dovecot user should be in group dovecot only if I understand the docs. On the old system dovecot, postfix, dovenull and rspamd are all members of the mail group.
On that system, the cram md5 passwd database (file) has these permissions:

    drwxr-xr-x  3 root wheel   96 Feb 2 2021 .
    drwxr-xr-x 22 root admin  704 Jan 4 15:17 ..
    -rw-r-----  1 root mail  1234 Feb 2 2021 cram-md5.pwd

and that has worked like that for many years, basically starting with Mac OS X Server, surviving all kinds of macOS migrations.
On my new Ubuntu system I've copied this setup over:

    drwxr-xr-x 2 root root 4096 Jan 4 09:49 .
    drwxr-xr-x 7 root root 4096 Jan 4 15:21 ..
    -rw-r----- 1 root mail 1234 Feb 2 2021 cram-md5.pwd

    mail_uid = dovecot
    mail_gid = mail
    mail_privileged_group = mail
    mail_access_groups = mail

But:

    Jan 04 15:40:08 auth: Error: passwd-file /etc/dovecot/etc/cram-md5.pwd: open(/etc/dovecot/etc/cram-md5.pwd) failed: Permission denied (euid=91(dovecot) egid=91(dovecot) missing +r perm: /etc/dovecot/etc/cram-md5.pwd, we're not in group 8(mail), dir owned by 0:0 mode=0755)

And really, dovecot is in group mail. From /etc/group:

    mail:x:8:postfix,dovecot
    dovenull:x:90:
    dovecot:x:91:

And from /etc/passwd:

    dovenull:x:90:90::/home/dovenull:/usr/sbin/nologin
    dovecot:x:91:91::/home/dovecot:/usr/sbin/nologin

So, that I get this error baffles me.
Gerben Wierda (LinkedIn https://www.linkedin.com/in/gerbenwierda)
R&A IT Strategy https://ea.rna.nl/ (main site)
Book: Chess and the Art of Enterprise Architecture https://ea.rna.nl/the-book/
Book: Mastering ArchiMate https://ea.rna.nl/the-book-edition-iii/

On 04/01/2023 17:59 EET Gerben Wierda gerben.wierda@rna.nl wrote:
> I am busy migrating. I am moving from macOS+MacPorts to Ubuntu+Docker
>
> On the old system, I have this in the dovecot config:
>
>     mail_uid = _dovecot
>     mail_gid = mail
>     mail_privileged_group = mail
>     mail_access_groups = mail

These settings do not govern auth process access to this file.

> This seems weird to me, I think the dovecot user should be in group dovecot only if I understand the docs. On the old system dovecot, postfix, dovenull and rspamd are all members of the mail group.
>
> On that system, the cram md5 passwd database (file) has these permissions:
>
>     drwxr-xr-x  3 root wheel   96 Feb 2 2021 .
>     drwxr-xr-x 22 root admin  704 Jan 4 15:17 ..
>     -rw-r-----  1 root mail  1234 Feb 2 2021 cram-md5.pwd

This should be root:dovecot

> and that has worked like that for many years, basically starting with Mac OS X Server, surviving all kinds of macOS migrations.
>
> On my new Ubuntu system I've copied this setup over:
>
>     drwxr-xr-x 2 root root 4096 Jan 4 09:49 .
>     drwxr-xr-x 7 root root 4096 Jan 4 15:21 ..
>     -rw-r----- 1 root mail 1234 Feb 2 2021 cram-md5.pwd
>
>     mail_uid = dovecot
>     mail_gid = mail
>     mail_privileged_group = mail
>     mail_access_groups = mail
>
> But:
>
>     Jan 04 15:40:08 auth: Error: passwd-file /etc/dovecot/etc/cram-md5.pwd: open(/etc/dovecot/etc/cram-md5.pwd) failed: Permission denied (euid=91(dovecot) egid=91(dovecot) missing +r perm: /etc/dovecot/etc/cram-md5.pwd, we're not in group 8(mail), dir owned by 0:0 mode=0755)
>
> And really, dovecot is in group mail. From /etc/group:
>
>     mail:x:8:postfix,dovecot
>     dovenull:x:90:
>     dovecot:x:91:
>
> And from /etc/passwd:
>
>     dovenull:x:90:90::/home/dovenull:/usr/sbin/nologin
>     dovecot:x:91:91::/home/dovecot:/usr/sbin/nologin
>
> So, that I get this error baffles me.
>
> Gerben Wierda (LinkedIn (https://www.linkedin.com/in/gerbenwierda))
> R&A IT Strategy (https://ea.rna.nl/) (main site)
> Book: Chess and the Art of Enterprise Architecture (https://ea.rna.nl/the-book/)
> Book: Mastering ArchiMate (https://ea.rna.nl/the-book-edition-iii/)

Dovecot processes drop extra groups unless explicitly asked to retain those.
Aki
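
Added example, not part of the thread and not Dovecot code: a small model of the POSIX owner/group/other check, run on values constructed from the listing and the error message above (uid/gid 91 for dovecot, gid 8 for mail), to show why a membership line in /etc/group does not help once a process has dropped its supplementary groups. The names Meta, class_bits, can_read and check_path are made up for this sketch; ACLs and capabilities other than root are ignored.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the check can run on constructed values.
Meta = namedtuple("Meta", "st_uid st_gid st_mode")

def class_bits(meta, euid, egid, groups):
    """Return the rwx triplet POSIX applies: owner, else group, else other (first match wins)."""
    if euid == meta.st_uid:
        return (meta.st_mode >> 6) & 7
    if egid == meta.st_gid or meta.st_gid in groups:
        return (meta.st_mode >> 3) & 7
    return meta.st_mode & 7

def can_read(file_meta, dir_metas, euid, egid, groups=frozenset()):
    """True if the process may traverse every directory (x bit) and read the file (r bit)."""
    if euid == 0:
        return True  # root bypasses discretionary permission checks
    for d in dir_metas:
        if not class_bits(d, euid, egid, groups) & 1:
            return False
    return bool(class_bits(file_meta, euid, egid, groups) & 4)

def check_path(path, euid, egid, groups=frozenset()):
    """Same check against a real file, using os.stat on the file and each parent directory."""
    parents = []
    p = os.path.dirname(os.path.abspath(path))
    while True:
        parents.append(os.stat(p))
        if p == os.path.dirname(p):  # reached the filesystem root
            break
        p = os.path.dirname(p)
    return can_read(os.stat(path), parents, euid, egid, groups)

# Constructed from the listing and error message in the thread.
DIR = Meta(0, 0, stat.S_IFDIR | 0o755)              # dir owned by 0:0 mode=0755
ROOT_MAIL = Meta(0, 8, stat.S_IFREG | 0o640)        # -rw-r----- root mail
ROOT_DOVECOT = Meta(0, 91, stat.S_IFREG | 0o640)    # -rw-r----- root dovecot

if __name__ == "__main__":
    # /etc/group lists dovecot in mail(8), but the auth process runs without extra groups.
    print("root:mail, groups kept   :", can_read(ROOT_MAIL, [DIR], 91, 91, {8}))
    print("root:mail, groups dropped:", can_read(ROOT_MAIL, [DIR], 91, 91))
    print("root:dovecot, dropped    :", can_read(ROOT_DOVECOT, [DIR], 91, 91))
```

check_path("/etc/dovecot/etc/cram-md5.pwd", 91, 91) applies the same test to the real file and its parent directories.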