[Dovecot] chdir failed, but requires group permissions
Using Debian Etch package dovecot-common and dovecot-pop3d, based on 1.0.rc15-2
My home directories are set up with 770 permissions as follows:
/home/<group name>/<user name>
Using this method, users MUST be a member of the appropriate group to access their own home directory. If they are not, they can't chdir past /home.
This appears to kill dovecot with a "chdir failed with id xxxx: Permission Denied" error, immediately after authenticating a pop3 user.
I was able to make a user the owner of the <group name> directory, and dovecot succeeded.
But when the <group name> directory is owned by <group name>:<group name> and the user is a member of the group - the process dies.
Any suggestions?
On 4.4.2007, at 1.48, Brent Nesbitt wrote:
> My home directories are set up with 770 permissions as follows:
> /home/<group name>/<user name>
> Using this method, users MUST be a member of the appropriate group to access their own home directory. If they are not, they can't chdir past /home.
Could the group be the user's primary group? Then it works. Otherwise there's not much else you can do except modify the sources.
Thanks for the suggestion,
That's a good idea, but unfortunately where the home directories lie, the users actually need to be members of 2 groups - so they both can't be primary.
However, it seems odd to me that Dovecot would REQUIRE access to the $HOME directory, when I am only using it to pop mail from /var/mail (which it has full access to) - and I am not using imap access at all.
Brent.
On 7.4.2007, at 20.35, Brent Nesbitt wrote:
> However, it seems odd to me that Dovecot would REQUIRE access to the $HOME directory, when I am only using it to pop mail from /var/mail (which it has full access to) - and I am not using imap access at all.
Well, you don't HAVE to give Dovecot any home directory at all. See the bottom of http://wiki.dovecot.org/MailLocation/Mbox
Thanks - I hadn't seen that before.
If I'm understanding what you're getting at, you're referring to:
Modify mail_location setting so that the mail root directory is also the empty directory and append :INDEX=MEMORY to it. For example:
mail_location = mbox:/var/empty:INBOX=/var/mail/%u:INDEX=MEMORY
Which unfortunately, doesn't work. Even with these settings, or putting mbox, INBOX, INDEX all in /var/mail - dovecot still fails after successful authentication with an error that it can't chdir to the mail user's home directory; which, of course, it can't - but again, it shouldn't need to.
On 7.4.2007, at 21.56, Brent Nesbitt wrote:
> Which unfortunately, doesn't work. Even with these settings, or putting mbox, INBOX, INDEX all in /var/mail - dovecot still fails after successful authentication with an error that it can't chdir to the mail user's home directory; which, of course, it can't - but again, it shouldn't need to.
Yes, but I meant that you could change the userdb not to return a home directory at all for users. Or are you using passwd as userdb? Then it gets trickier..
Yes, I am using passwd - as I also have webmail using these same logins - so changing the "actual" home directory won't work either.
At this point I am using popa3d instead of dovecot - but Dovecot is a much more capable program, so I thought it SHOULD have worked.
Brent.
On 7.4.2007, at 22.36, Brent Nesbitt wrote:
> Yes, I am using passwd - as I also have webmail using these same logins - so changing the "actual" home directory won't work either.
> At this point I am using popa3d instead of dovecot - but Dovecot is a much more capable program, so I thought it SHOULD have worked.
Dovecot doesn't work that great with multiple groups currently. You could always modify the sources to just disable the chdir(). It's not that important. Perhaps I should just move it later after the privileges are really dropped. I'm not actually sure why it's done earlier. The code related to it is pretty huge already.
Ok, thanks - but I think that's beyond me right now. Perhaps I could just suggest it as a "feature" for future releases. Thanks for all your help!
Brent.
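The permission check behind the failure discussed in this thread, as an added C example that is not part of the original messages and is not Dovecot's code: it models directory search permission for the 770 layout and returns the first path component that blocks chdir(). It assumes, consistent with the reports above, that the process calling chdir() holds the user's uid and primary gid but has not loaded the supplementary groups; all uids, gids and ownerships are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Credentials the process holds at the moment it calls chdir(). */
struct creds { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };
/* Owner, group and mode of one directory on the way to $HOME. */
struct dir { const char *name; uid_t uid; gid_t gid; mode_t mode; };

static bool in_groups(const struct creds *c, gid_t g) {
    if (c->gid == g) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return true;
    return false;
}

/* Search (x) permission: exactly one class applies (owner, else group, else
   other), so a 770 directory admits only its owner and its group's members. */
static bool can_search(const struct creds *c, const struct dir *d) {
    if (c->uid == 0) return true;  /* root passes on typical Unix systems */
    if (c->uid == d->uid) return (d->mode & S_IXUSR) != 0;
    if (in_groups(c, d->gid)) return (d->mode & S_IXGRP) != 0;
    return (d->mode & S_IXOTH) != 0;
}

/* Index of the first component that blocks chdir(), or -1 if none does. */
int first_blocked(const struct creds *c, const struct dir *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!can_search(c, &p[i])) return (int)i;
    return -1;
}

/* Constructed sample: user uid 1001, primary gid 1001; shared group gid 2000. */
static const struct dir home_path[] = {
    { "/home",                          0,    0,    0755 },
    { "/home/<group name>",             2000, 2000, 0770 },
    { "/home/<group name>/<user name>", 1001, 2000, 0770 },
};
static const gid_t supp[] = { 2000 };
const struct creds primary_only  = { 1001, 1001, NULL, 0 }; /* groups not loaded */
const struct creds with_supp     = { 1001, 1001, supp, 1 }; /* groups loaded */
const struct creds group_primary = { 1001, 2000, NULL, 0 }; /* group made primary */

int main(void) {
    printf("primary gid only: %d\n", first_blocked(&primary_only, home_path, 3));
    printf("supplementary loaded: %d\n", first_blocked(&with_supp, home_path, 3));
    printf("group as primary: %d\n", first_blocked(&group_primary, home_path, 3));
    return 0;
}
```

The `with_supp` case corresponds to a process that calls initgroups() before setgid() and setuid() and only then calls chdir().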