[Dovecot] quota sql dict permissions dilemma
Hi!
I'm trying to set up SQL based dict quota. The quota is working, gets updated but I had to configure really loose file permissions to make it work:

dovecot.conf:

dict {
  quota = pgsql:/etc/dovecot/dovecot_dict-sql.conf
}

service dict {
  unix_listener dict {
    mode = 0660
    group = vmail # sidenote: I noticed that writing the number equivalent
                  # of 'vmail' here does not work. Why?
  }
}

# ~ls -la /etc/dovecot/dovecot_dict-sql.conf
-rw-r----- root vmail dovecot_dict-sql.conf

# ~ls -la /var/dovecot/dict
srw-rw---- root vmail /var/dovecot/dict=
Every virtual user lookup returns a 'gid' field, and it is always 'vmail' (actually it is the number equivalent of 'vmail'). Although the imap process should run as the 'uid' and 'gid' values returned from the userdb, it cannot read the dict config file:

dovecot.log:
dict: Error: Can't open configuration file /etc/dovecot/dovecot_dict-sql.conf: Permission denied
dict: Error: Failed to initialize dictionary 'quota'
lda(<username>): Error: read(/var/dovecot//dict) failed: Remote disconnected

Now I must set o+r on the config file, which I really don't want to, given that it contains the db username and password. The strange thing is that group r/w permission is enough for the dict= socket, which doesn't need world permissions at all.
Daniel
--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
"LEVAI Daniel" leva@ecentrum.hu wrote on 16.10.2010 10:15:45:
[...]
Hi, these are my settings:

service dict {
  unix_listener dict {
    mode = 0600
    group = vmail
  }
}
The owner of dovecot-dict-sql.conf.ext is root:dovecot with read permissions for the group.
Reposted to group... Regards, Miha
-- It's time to get rid of your current e-mail client ... ... and start using si.Mail.
It's small & free. ( http://www.simail.si/ )
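The working setup in the reply comes down to two file-permission facts: the SQL dict config (which carries the database credentials) must be readable by the group of the process that opens it, but not by "others", and the dict socket must not be world-accessible either. The POSIX sh script below is an added example, not code from the thread or from the Dovecot project; it audits exactly those properties from the symbolic mode strings that `ls -la` prints (the same form shown in the thread), so it works with both GNU and BSD userland without depending on `stat` flags. The paths and the `dovecot` group are assumptions taken from the messages above; substitute your own.

```sh
#!/bin/sh
# Added example, not part of the thread: audit the permissions on a Dovecot
# dict SQL config file (it holds the database username and password) and on
# the dict socket, using the symbolic mode strings that `ls -la` prints.
# Paths and the group name are assumptions taken from the thread.

# Symbolic mode of a path exactly as the first column of `ls -ld` shows it,
# e.g. -rw-r----- for a file or srw-rw---- for a socket.
mode_of() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c1-10
}

# Group name of a path (4th column of `ls -ld`).
group_of() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | awk '{ print $4 }'
}

# True when the mode string grants nothing to "others" (last three chars ---).
others_have_no_access() {
    case "$1" in
        *---) return 0 ;;
        *)    return 1 ;;
    esac
}

# True when the mode string grants group read (5th character is r).
group_readable() {
    case "$1" in
        ????r?????) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit a secret-bearing config file: it must not be world-accessible, and it
# must be readable by the expected group (root:dovecot with group read in the
# thread's working setup). Prints one verdict per check; returns non-zero if
# any check fails.
audit_secret_conf() {
    path=$1
    want_group=$2
    mode=$(mode_of "$path") || { echo "MISSING  $path"; return 1; }
    group=$(group_of "$path")
    rc=0
    if others_have_no_access "$mode"; then
        echo "OK       $path: no access for others ($mode)"
    else
        echo "FAIL     $path: world-accessible ($mode); credentials readable by every local user"
        rc=1
    fi
    if group_readable "$mode"; then
        echo "OK       $path: group-readable ($mode)"
    else
        echo "FAIL     $path: group cannot read ($mode); expect 'Permission denied' from the dict process"
        rc=1
    fi
    if [ "$group" = "$want_group" ]; then
        echo "OK       $path: group is $group"
    else
        echo "FAIL     $path: group is $group, expected $want_group"
        rc=1
    fi
    return $rc
}

# Audit the dict unix socket: only its owner and group should be able to connect.
audit_dict_socket() {
    path=$1
    mode=$(mode_of "$path") || { echo "MISSING  $path"; return 1; }
    if others_have_no_access "$mode"; then
        echo "OK       $path: no access for others ($mode)"
        return 0
    fi
    echo "FAIL     $path: world-accessible ($mode)"
    return 1
}

# Usage (paths from the thread, group from the reply above; all assumptions):
#   sh audit_dict_perms.sh /etc/dovecot/dovecot_dict-sql.conf dovecot /var/dovecot/dict
if [ $# -ge 2 ]; then
    audit_secret_conf "$1" "$2"
    if [ $# -ge 3 ]; then
        audit_dict_socket "$3"
    fi
fi
```

Run it after any change to the unix_listener block or to the config file's ownership: a 0644 file fails the "others" check, and a 0600 file owned by root fails the group check, which is the symptom in the first message (the config was root:vmail while the reply's working setup has it root:dovecot).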
On Sat, Oct 16, 2010 at 19:09:12 +0200, Miha Vrhovnik wrote:
"LEVAI Daniel" leva@ecentrum.hu wrote on 16.10.2010 10:15:45:
Hi!
I'm trying to set up SQL based dict quota. The quota is working, gets updated but I had to configure really loose file permissions to make it work:
[...]
Hi, these are my settings:

service dict {
  unix_listener dict {
    mode = 0600
    group = vmail
  }
}

The owner of dovecot-dict-sql.conf.ext is root:dovecot with read permissions for the group.
[...]
Thanks, it makes sense, and is working.
Daniel
--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F