Re: [Dovecot] Can't drop root group privileges
An update on my problem dropping root group privileges. I discovered this is a problem for a user if they are in the system group (gid 0). If I remove the user from the system group, and leave them in their primary group, I don't see the error.
I've tried setting first_valid_gid to something like 4, hoping dovecot would filter out gid 0, but that doesn't work.
Still searching for an answer...
Jackie
Hi all,
I need your insight. I've been testing Dovecot on an AIX 5.2 system. Compiled and running fine. We have some users on an AIX 5.1 system, so I'm working on installing it there, so we can do further testing.
I'm using Dovecot 1.0 RC15 with OpenSSL 9.0.7e, configured to use port 10143 (imap) and 10993 (imaps). The error I'm seeing in the log is:
    dovecot: Nov 28 09:23:54 Info: imap-login: Login: user=<jackie>, method=PLAIN, rip=xx.x.xxx.xxx, lip=xxx.xx.xxx.xx, TLS
    dovecot: Nov 28 09:23:54 Error: IMAP(jackie): We couldn't drop root group privileges (wanted=200, gid=200, egid=0)
    dovecot: Nov 28 09:23:54 Error: child 860274 (imap) returned error 89
I've seen this error reported on the list, with the suggested resolution being to set the first_valid_gid = 0 in dovecot.conf. I've tried that, and nothing changes.
Any help would be greatly appreciated!
Jackie
Jackie Hunt
ACNS                        Voice: (970) 663-3789
Colorado State University   FAX:   (970) 491-1958
Fort Collins, CO 80523      Email: jackie.hunt@colostate.edu
Found what was causing the problem!
In the file src/lib/restrict-access.c, in the restrict_access_by_env routine, the code is in place to change to the login user's group and uid. After this, a check is done to verify that gid and egid are not 0 and [this is the gotcha] that the gid cannot be set to 0.
    /* After switching to the login user's gid: refuse to continue if the
       process still has gid 0, or if it can get gid 0 back via setgid(0). */
    if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
        if (gid == 0)
            i_fatal("GID 0 isn't permitted");
        i_fatal("We couldn't drop root group privileges "
                "(wanted=%s, gid=%s, egid=%s)", dec2str(gid),
                dec2str(getgid()), dec2str(getegid()));
    }
In our environment, some users are part of group 0 (system group), in addition to their primary group, so this operation is successful, and thus we see the error about not being able to drop root group privileges.
My solution is to change the first if statement to:
    if (getgid() == 0 || getegid() == 0) {
since the setgid test is too restrictive for our environment.
Comments/suggestions/analysis welcome. Glad to know what is finally happening!
Jackie
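An added example, not Dovecot's code and not from this thread: a C group-privilege drop that strips gid 0 out of the user's supplementary group list before calling setgid(), and then runs the same three-way check that the quoted restrict_access_by_env code performs, split out so each failing condition is reported on its own. The enum values, the functions filter_root_group, classify_group_drop and drop_group_privileges, the MAX_GROUPS limit and the sample group list {200, 0, 300} are all my own constructions. It assumes Linux/glibc setgroups() semantics; whether removing group 0 from the supplementary list is by itself enough to make setgid(0) fail on AIX is an assumption, not something the thread establishes.

```c
/* Added example (not Dovecot's code): drop group privileges by first
 * removing gid 0 from the supplementary list, then setgid(), then verify
 * the process can neither hold nor regain gid 0. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64 /* assumed upper bound for this example */

enum drop_result {
    DROP_OK = 0,
    DROP_GID_ZERO_REQUESTED,    /* caller asked to run as gid 0 */
    DROP_STILL_ROOT_GROUP,      /* real or effective gid is still 0 */
    DROP_CAN_REGAIN_ROOT_GROUP, /* setgid(0) still succeeds afterwards */
    DROP_SYSCALL_FAILED         /* setgroups()/setgid() itself failed */
};

/* Scratch buffer so the filtered list can be inspected after a call. */
gid_t example_kept[MAX_GROUPS];

/* Copy the supplementary group list, leaving out gid 0.
 * `out` may be NULL to only count. Returns the number of groups kept. */
int filter_root_group(const gid_t *in, int n, gid_t *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (in[i] == 0)
            continue;
        if (out != NULL)
            out[kept] = in[i];
        kept++;
    }
    return kept;
}

/* Pure decision logic mirroring the post-drop test quoted from
 * restrict-access.c. The result of probing setgid(0) is passed in, so this
 * part can be exercised without root. */
enum drop_result classify_group_drop(gid_t wanted, gid_t gid, gid_t egid,
                                     int setgid0_succeeded)
{
    if (wanted == 0)
        return DROP_GID_ZERO_REQUESTED;
    if (gid == 0 || egid == 0)
        return DROP_STILL_ROOT_GROUP;
    if (setgid0_succeeded)
        return DROP_CAN_REGAIN_ROOT_GROUP;
    return DROP_OK;
}

/* Must be called while still root. `groups` is the user's supplementary
 * group list (e.g. from getgrouplist()); gid 0 is stripped before install. */
enum drop_result drop_group_privileges(gid_t wanted, const gid_t *groups,
                                       int ngroups)
{
    gid_t kept[MAX_GROUPS];

    if (wanted == 0)
        return DROP_GID_ZERO_REQUESTED;
    if (ngroups > MAX_GROUPS)
        ngroups = MAX_GROUPS;
    int nkept = filter_root_group(groups, ngroups, kept);

    /* Supplementary groups first: after setgid() we may no longer be
     * allowed to change them. */
    if (setgroups(nkept, kept) < 0)
        return DROP_SYSCALL_FAILED;
    /* setgid() as root sets real, effective and saved gid together. */
    if (setgid(wanted) < 0)
        return DROP_SYSCALL_FAILED;

    /* Probe: a correctly dropped process cannot get gid 0 back. */
    int regain = (setgid(0) == 0);
    return classify_group_drop(wanted, getgid(), getegid(), regain);
}

int main(void)
{
    /* Constructed sample: primary group 200, also a member of groups 0
     * and 300, i.e. the situation described in the thread. */
    gid_t sample[] = { 200, 0, 300 };

    if (geteuid() != 0) {
        printf("not root; only the pure checks can be exercised here\n");
        printf("classify(wanted=200, gid=200, egid=0) -> %d\n",
               classify_group_drop(200, 200, 0, 0));
        return 0;
    }
    enum drop_result r = drop_group_privileges(200, sample, 3);
    printf("drop_group_privileges -> %d (gid=%ld egid=%ld)\n",
           r, (long)getgid(), (long)getegid());
    return r == DROP_OK ? 0 : 1;
}
```

The point of keeping the setgid(0) probe rather than deleting it: it detects the one case that matters for a per-user IMAP process, namely that the kernel would still hand the process gid 0 on request, which is exactly the capability the drop is supposed to remove. Removing group 0 from the group list before the drop addresses that cause instead of silencing the check.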
On Fri, 2006-12-01 at 11:35 -0700, Jackie Hunt wrote:
> In our environment, some users are part of group 0 (system group), in addition to their primary group, so this operation is successful, and thus we see the error about not being able to drop root group privileges.
Usually the problem has been that the user's primary group is group 0. There were 2 bugs in this anyway, fixed both:
http://dovecot.org/list/dovecot-cvs/2006-December/006999.html
Participants (2): Jackie Hunt, Timo Sirainen