doveadm: Error: open(/proc/self/io) failed
Hi,
I am running dovecot-2.2.36-3.el7.x86_64 on a CentOS 7 machine. I keep seeing the following errors in the dovecot.log:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied
Dovecot -n is listed below:
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.21.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: vmail2.kmg.mydomain.com
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
doveadm_password =  # hidden, use -P to show it
doveadm_port = 2525
first_valid_uid = 2000
last_valid_uid = 2000
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota mailbox_alias acl mail_log notify stats replication
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace {
  inbox = yes
  location =
  mailbox Archive {
    auto = no
    special_use = \Archive
  }
  mailbox Archives {
    auto = no
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = no
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 50
  imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from subject
  mail_replica = tcp:vmail1.kmg.mydomain.com
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  quota = dict:user::proxy::quotadict
  quota_grace = 10%%
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  sieve = ~/sieve/dovecot.sieve
  sieve_before = /var/vmail/sieve/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_max_redirects = 30
  sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = pop3 imap sieve lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service config {
  unix_listener config {
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    group = vmail
    mode = 0666
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0644
    user = vmail
  }
  inet_listener {
    address = 127.0.0.1
    port = 24242
  }
}
ssl = required
ssl_cert =
Everything seems to be working properly and the dovecot wiki says that /proc/self/io is for statistics. I am thinking they are harmless but they are generating a bunch of noise in the logs and if harmless, I would like to silence them.
Can someone let me know what causes this and if I should be concerned about this?
My Google foo has not been helpful on this.
Regards,
-- Tom me@tdiehl.org
Does anyone have an idea how to fix this?
Regards,
-- Tom me@tdiehl.org
On Mon, 22 Jul 2019, Tom Diehl via dovecot wrote:
Hi,
I am running dovecot-2.2.36-3.el7.x86_64 on a CentOS 7 machine. I keep seeing the following errors in the dovecot.log:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied
Dovecot -n is listed below:
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.21.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: vmail2.kmg.mydomain.com
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
doveadm_password =  # hidden, use -P to show it
doveadm_port = 2525
first_valid_uid = 2000
last_valid_uid = 2000
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota mailbox_alias acl mail_log notify stats replication
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace {
  inbox = yes
  location =
  mailbox Archive {
    auto = no
    special_use = \Archive
  }
  mailbox Archives {
    auto = no
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = no
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-master-users
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 50
  imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from subject
  mail_replica = tcp:vmail1.kmg.mydomain.com
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  quota = dict:user::proxy::quotadict
  quota_grace = 10%%
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  sieve = ~/sieve/dovecot.sieve
  sieve_before = /var/vmail/sieve/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/vmail/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_max_redirects = 30
  sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = pop3 imap sieve lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service config {
  unix_listener config {
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
service imap-login {
  process_limit = 500
  service_count = 1
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
}
service pop3-login {
  service_count = 1
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    group = vmail
    mode = 0666
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0644
    user = vmail
  }
  inet_listener {
    address = 127.0.0.1
    port = 24242
  }
}
ssl = required
ssl_cert =
Everything seems to be working properly and the dovecot wiki says that /proc/self/io is for statistics. I am thinking they are harmless but they are generating a bunch of noise in the logs and if harmless, I would like to silence them.
Can someone let me know what causes this and if I should be concerned about this?
My Google foo has not been helpful on this.
Regards,
On 30.07.2019 at 19:33, Reio Remma via dovecot wrote:
On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
Does anyone have an idea how to fix this?
Regards,
Perhaps see if there are any denials in SELinux audit log:
sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a
Good luck, Reio
The proper search for dovecot AVCs would be:
ausearch -m avc -c dovecot | audit2why
audit2allow is not that helpful in the first approach.
Alexander
On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
Does anyone have an idea how to fix this?
Perhaps see if there are any denials in SELinux audit log:
SELinux is in permissive.
If I do:
(vmail1 pts9) # ll /proc/self/io
-r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
(vmail1 pts9) #
It is obvious to me why I get permission denied. The problem is you cannot chmod on /proc. I suspect I have something misconfigured but the question is what?
Regards,
-- Tom me@tdiehl.org
On 30 Jul 2019, at 22.53, Tom Diehl via dovecot dovecot@dovecot.org wrote:
On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
Does anyone have an idea how to fix this?
Perhaps see if there are any denials in SELinux audit log:
SELinux is in permissive.
If I do:
(vmail1 pts9) # ll /proc/self/io
-r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
(vmail1 pts9) #
It is obvious to me why I get permission denied. The problem is you cannot chmod on /proc. I suspect I have something misconfigured but the question is what?
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
please remove user = vmail from here or change it to root.
for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /proc/self/io as root before that.
Sami
On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
service lmtp {
  user = vmail
}
please remove user = vmail from here or change it to root.
for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /proc/self/io as root before that.
Hello Sami,
I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so. Could you prove that statement somehow?
Andreas
On 31 Jul 2019, at 20.45, A. Schulze via dovecot dovecot@dovecot.org wrote:
On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
service lmtp {
  user = vmail
}
please remove user = vmail from here or change it to root.
for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /proc/self/io as root before that.
Hello Sami,
I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so. Could you prove that statement somehow?
Alternative is:
service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}
I'm not sure if you run into other problems with that.
On Thu, 1 Aug 2019, Timo Sirainen via dovecot wrote:
On 31 Jul 2019, at 20.45, A. Schulze via dovecot dovecot@dovecot.org wrote:
On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
service lmtp {
  user = vmail
}
please remove user = vmail from here or change it to root.
for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialization but it needs to open /proc/self/io as root before that.
Hello Sami,
I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so. Could you prove that statement somehow?
Alternative is:
service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}
I'm not sure if you run into other problems with that.
OK, so now I am confused. At https://wiki.dovecot.org/LMTP#Security it says "If you're using only a single global UID/GID, you can improve security by running lmtp processes as that user"
So, if I am using a single UID/GID, then is the above wiki article correct or do I need to change my config?
Regards,
-- Tom me@tdiehl.org
On 6.8.2019 4.20, Tom Diehl via dovecot wrote:
On Thu, 1 Aug 2019, Timo Sirainen via dovecot wrote:
On 31 Jul 2019, at 20.45, A. Schulze via dovecot dovecot@dovecot.org wrote:
On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
service lmtp {
  user = vmail
}
please remove user = vmail from here or change it to root.
for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialization but it needs to open /proc/self/io as root before that.
Hello Sami,
I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so. Could you prove that statement somehow?
Alternative is:
service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}
I'm not sure if you run into other problems with that.
OK, so now I am confused. At https://wiki.dovecot.org/LMTP#Security it says "If you're using only a single global UID/GID, you can improve security by running lmtp processes as that user"
So, if I am using a single UID/GID, then is the above wiki article correct or do I need to change my config?
Regards,
This file is used for stats gathering, so if you are not using stats, it's not a huge problem. You can probably also use
import_environment = PR_SET_DUMPABLE=1
to get rid of the warning. Although this makes your process less secure as it can be ptrace'd.
Aki
Hi Sami,
Thanks, for taking the time to look at this.
For the archives, the resolution is in line below.
On Wed, 31 Jul 2019, Sami Ketola wrote:
On 30 Jul 2019, at 22.53, Tom Diehl via dovecot dovecot@dovecot.org wrote:
On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
Does anyone have an idea how to fix this?
Perhaps see if there are any denials in SELinux audit log:
SELinux is in permissive.
If I do:
(vmail1 pts9) # ll /proc/self/io
-r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
(vmail1 pts9) #
It is obvious to me why I get permission denied. The problem is you cannot chmod on /proc. I suspect I have something misconfigured but the question is what?
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
please remove user = vmail from here or change it to root.
Actually the above works OK but you gave me the clue I needed to find the actual problem. I looked at the log message again and realized that it says doveadm is having problems. Something like this:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied
So I took your advice and found that I had the following in my dsync config:
service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
Removing the user = vmail above fixed the problem.
Thanks again.
Regards,
-- Tom me@tdiehl.org
On 1 Aug 2019, at 1.51, Tom Diehl via dovecot dovecot@dovecot.org wrote:
Actually the above works OK but you gave me the clue I needed to find the actual problem. I looked at the log message again and realized that it says doveadm is having problems. Something like this:
Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied
So I took your advice and found that I had the following in my dsync config:
service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
Removing the user = vmail above fixed the problem.
Yes, I forgot to mention that the same thing applies to doveadm too.
Sami
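As an added example (not from this thread and not part of Dovecot), here is a small POSIX shell triage helper for the resolution above: it reads the service name out of the "open(/proc/self/io) failed" log line, parses `dovecot -n` style output with brace-depth tracking so that `user =` inside a listener sub-block is not confused with the service-level `user =`, and reports services that both log the error and are configured to start as a non-root account. The log lines and the config snippet are constructed samples; the `lmtp(2000)` log line and the `stats` block are assumptions made for illustration only.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: find services whose
# service-level "user =" override explains an open(/proc/self/io) failure.

# Constructed sample log lines (the lmtp(2000) line is hypothetical).
SAMPLE_LOG='Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied
Jul 22 12:52:05 vmail2 dovecot: lmtp(2000): Error: open(/proc/self/io) failed: Permission denied
Jul 22 12:52:06 vmail2 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10'

# Constructed sample config in the layout dovecot -n prints (stats block assumed).
SAMPLE_CONF='service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
service lmtp {
  executable = lmtp -L
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service imap-login {
  service_count = 1
}
service stats {
  user = dovecot
}'

# Names of services that logged the /proc/self/io error, sorted and unique.
# The name is the token after "dovecot: "; a "(pid)" suffix is dropped.
services_from_log() {
  printf '%s\n' "$1" |
    sed -n 's|.* dovecot: \([^:(]*\)[^:]*: Error: open(/proc/self/io) failed.*|\1|p' |
    sort -u
}

# Print "<service> <user>" for every service block that sets user= at depth 1.
# Brace depth is tracked so user= inside listener sub-blocks is ignored.
service_level_users() {
  printf '%s\n' "$1" | awk '
    $1 == "service" && $3 == "{" { svc = $2; depth = 1; next }
    svc != "" && $NF == "{"       { depth++; next }
    svc != "" && $1 == "}"        { depth--; if (depth == 0) svc = ""; next }
    svc != "" && depth == 1 && $1 == "user" && $2 == "=" { print svc, $3 }
  '
}

# Cross-reference: services that logged the error AND are configured to start
# as a non-root user. Nothing is printed for a clean configuration.
find_proc_io_misconfig() {
  log_services=$(services_from_log "$1")
  service_level_users "$2" | while read -r svc user; do
    [ "$user" = root ] && continue
    if printf '%s\n' "$log_services" | grep -qx "$svc"; then
      printf '%s: user = %s (starts unprivileged; remove user= or set it to root)\n' "$svc" "$user"
    fi
  done
}

find_proc_io_misconfig "$SAMPLE_LOG" "$SAMPLE_CONF"
```

On a real host, replace the two sample variables with `$(grep 'open(/proc/self/io)' /var/log/dovecot.log)` and `$(doveadm config)`; the `stats` block in the sample shows that a service which sets `user =` but never logs the error is deliberately left alone.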