[Dovecot] LDA and auth-userdb socket permissions
Hi,
just wanted to check this as the wiki seems to have contradictory
information. With respect to running the LDA as multiple UIDs the wiki
says:
[QUOTE]If you're using more than one UID for users, you're going to
have problems running dovecot-lda, as most MTAs won't let you run
dovecot-lda as root[/QUOTE]
But in the example for the config file the text reads:
[QUOTE]
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}
[/QUOTE]
So it says you can stick the LDA user just in the (vmail or whatever)
group and that is enough. So you aren't restricted to a single UID for
access anymore...
I tested this and the latter did not work, that is if I put my LDA user
in the group for the auth-userdb socket with permissions 0660 I got an
error back from dovecot saying that the owner was incorrect.
So, as it stands I guess the bit about setting group should be removed
from the wiki?
Secondly, why doesn't this currently work? Why is the owner all important?
thanks Andy.
On 22.8.2011, at 14.22, a.smith@ukgrid.net wrote:
just wanted to check this as the wiki seems to have contradictory information. With respect to running the LDA as multiple UIDs the wiki says:
[QUOTE]If you're using more than one UID for users, you're going to have problems running dovecot-lda, as most MTAs won't let you run dovecot-lda as root[/QUOTE]
Yep, that's a problem.
But in the example for the config file the text reads:
[QUOTE]
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}
[/QUOTE]
Now you've gone outside the "Multiple UIDs" section in the wiki. There are 3 different sections, each on how to run dovecot-lda a different way:
- with a lookup
- without a lookup
- multiple UIDs
None of their documentation is compatible with each other.
Quoting Timo Sirainen tss@iki.fi:
But in the example for the config file the text reads:
[QUOTE]
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}
[/QUOTE]
Now you've gone outside the "Multiple UIDs" section in the wiki.
There are 3 different sections, each on how to run dovecot-lda a
different way:
- with a lookup
- without a lookup
- multiple UIDs
None of their documentation is compatible with each other.
Ok, I must be misunderstanding. I understand that the multiple UIDs
limitation relates to the fact that access to the auth-userdb socket
is restricted, is that incorrect? Following that forward, where the
example shows that you can set group access to the socket and change
permissions to 0660 I took to mean you can now have multiple users so
long as they are in the correct group (i.e. vmail). Which contradicts
the statement that you cannot work with multiple UIDs.
Can you put that straight if I got it wrong?
thanks in advance, Andy.
On 23.8.2011, at 19.10, a.smith@ukgrid.net wrote:
Now you've gone outside the "Multiple UIDs" section in the wiki. There are 3 different sections, each on how to run dovecot-lda a different way:
- with a lookup
- without a lookup
- multiple UIDs
None of their documentation is compatible with each other.
Ok, I must be misunderstanding. I understand that the multiple UIDs limitation relates to the fact that access to the auth-userdb socket is restricted, is that incorrect?
No, that's the least of its troubles. If you can't run dovecot-lda as root, it won't be able to change its UID to the user's UID (and so won't have enough permissions to be able to write mails to the user's mailbox). So you need to run dovecot-lda as root in some way, and after that it becomes pretty much irrelevant what auth-userdb's permissions are.
Quoting Timo Sirainen tss@iki.fi:
No, that's the least of its troubles. If you can't run dovecot-lda
as root, it won't be able to change its UID to the user's UID (and
so won't have enough permissions to be able to write mails to the user's
mailbox). So you need to run dovecot-lda as root in some way, and
after that it becomes pretty much irrelevant what auth-userdb's
permissions are.
Hmmm, well in my setup dovecot-lda is called from Exim with "user="
set to a MySQL query. I'd guess that that means Exim runs dovecot-lda
as the user directly so I don't have the issue you mention above. But
where the permissions on the auth-userdb socket are root:vmail 0660,
the dovecot-lda is called as vmail and the vmail user is a member of
the vmail group I get the error:
Aug 11 03:38:06 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=25110(vmail) egid=25110(vmail) missing +r perm: /var/run/dovecot/auth-userdb, euid is not dir owner)
in the dovecot log when dovecot-lda is called. Hence I thought the
socket permissions were related to the multiple UID restriction...
thanks Andy.
On 23.8.2011, at 19.37, a.smith@ukgrid.net wrote:
No, that's the least of its troubles. If you can't run dovecot-lda as root, it won't be able to change its UID to the user's UID (and so won't have enough permissions to be able to write mails to the user's mailbox). So you need to run dovecot-lda as root in some way, and after that it becomes pretty much irrelevant what auth-userdb's permissions are.
Hmmm, well in my setup dovecot-lda is called from Exim with "user=" set to a MySQL query.
Are you sure you even need Dovecot to do a userdb lookup then? If Exim can set up also the other needed things (home dir?) it shouldn't be necessary.
I'd guess that that means Exim runs dovecot-lda as the user directly so I don't have the issue you mention above. But where the permissions on the auth-userdb socket are root:vmail 0660, the dovecot-lda is called as vmail and the vmail user is a member of the vmail group I get the error:
Aug 11 03:38:06 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=25110(vmail) egid=25110(vmail) missing +r perm: /var/run/dovecot/auth-userdb, euid is not dir owner)
Hmm. So if dovecot-lda is running as vmail group and /var/run/dovecot/auth-userdb has group=vmail and 0660 permissions, this error shouldn't happen. Check two things:
- ls -ln /var/run/dovecot/auth-userdb actually shows group as 25110 and mode being 0660
- If you've any SELinux or app-armor stuff enabled, try disabling them
Quoting Timo Sirainen tss@iki.fi:
Hmmm, well in my setup dovecot-lda is called from Exim with "user="
set to a MySQL query.
Are you sure you even need Dovecot to do a userdb lookup then? If
Exim can set up also the other needed things (home dir?) it
shouldn't be necessary.
Yeah, I think I could do that. I followed the setup guide for Exim
from the Dovecot wiki and this is the first config I arrived at, which
works well apart from this little detail.
Hmm. So if dovecot-lda is running as vmail group and
/var/run/dovecot/auth-userdb has group=vmail and 0660 permissions,
this error shouldn't happen. Check two things:
- ls -ln /var/run/dovecot/auth-userdb actually shows group as 25110
and mode being 0660
srw-rw---- 1 root mailnull 0 Aug 23 19:13 /var/run/dovecot/auth-userdb
- If you've any SELinux or app-armor stuff enabled, try disabling them
I'm running FreeBSD so no SELinux here.
In my test, actually what I have is a vmail user with primary group
vmail and secondary group mailnull. Which as mentioned results in this
error:
Aug 23 19:19:13 lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=25110(vmail) egid=25110(vmail) missing +r perm: /var/run/dovecot/auth-userdb, euid is not dir owner)
It did cross my mind it was a bug, but then I thought the
documentation just was wrong on the wiki...
no, I did explain this later in my last email....
Quoting Timo Sirainen tss@iki.fi:
On Tue, 2011-08-23 at 19:27 +0100, a.smith@ukgrid.net wrote:
srw-rw---- 1 root mailnull 0 Aug 23 19:13 /var/run/dovecot/auth-userdb
That's not vmail group as you said..
On Tue, 2011-08-23 at 19:27 +0100, a.smith@ukgrid.net wrote:
In my test, actually what I have is a vmail user with primary group
vmail and secondary group mailnull. Which as mentioned results in this
error:
It doesn't actually matter what groups you have assigned to the vmail user. Dovecot only enables the primary group (and not even that if you've overridden it in config), and apparently Exim does the same too.
The supplementary groups don't automatically get enabled when the process's UID is switched; it requires explicit extra code to do it. In most installations this is just useless extra work and a potential accidental security hole.
Quoting Timo Sirainen tss@iki.fi:
On Tue, 2011-08-23 at 19:27 +0100, a.smith@ukgrid.net wrote:
In my test, actually what I have is a vmail user with primary group vmail and secondary group mailnull. Which as mentioned results in this error:
It doesn't actually matter what groups you have assigned to the vmail user. Dovecot only enables the primary group (and not even that if you've overridden it in config), and apparently Exim does the same too.
The supplementary groups don't automatically get enabled when the process's UID is switched; it requires explicit extra code to do it. In most installations this is just useless extra work and a potential accidental security hole.
Ok, I assumed that secondary groups are honoured in almost all
instances on a UNIX or Linux platform. I can add a note to the wiki
making it explicit that the group must be the primary group if you
think it's appropriate...
On Tue, 2011-08-23 at 20:38 +0100, a.smith@ukgrid.net wrote:
It doesn't actually matter what groups you have assigned to the vmail user. Dovecot only enables the primary group (and not even that if you've overridden it in config), and apparently Exim does the same too.
The supplementary groups don't automatically get enabled when the process's UID is switched; it requires explicit extra code to do it. In most installations this is just useless extra work and a potential accidental security hole.
Ok, I assumed that secondary groups are honoured in almost all
instances on a UNIX or Linux platform. I can add a note to the wiki
making it explicit that the group must be the primary group if you
think it's appropriate...
It doesn't have to be the primary group. This is more of an Exim side problem that it doesn't assign the supplementary groups (if it did, it would have worked with dovecot-lda). I don't think the way you configured Exim to call dovecot-lda is explained anywhere in Dovecot wiki?
Quoting Timo Sirainen tss@iki.fi:
It doesn't have to be the primary group. This is more of an Exim side problem that it doesn't assign the supplementary groups (if it did, it would have worked with dovecot-lda). I don't think the way you configured Exim to call dovecot-lda is explained anywhere in Dovecot wiki?
I'm using the exact transport from the wiki
(http://wiki2.dovecot.org/LDA/Exim) but with the addition of setting
user and also I have a shadow transport configured. So, yes I do have
a couple of differences to what is shown in the wiki...
WRT my problem, I will work around it using primary groups or possibly
abolishing the option for users/domains to use any user other than
vmail. I don't think it's necessary but it's how I inherited this
particular mail setup...
thanks for your input,
cheers Andy.
On Tue, 23 Aug 2011, a.smith at ukgrid.net wrote:
Quoting Timo Sirainen <tss at iki.fi>:
It doesn't have to be the primary group. This is more of an Exim side problem that it doesn't assign the supplementary groups (if it did, it would have worked with dovecot-lda). I don't think the way you
You probably can use the Exim transport (or router) option "initgroups".
Lutz
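To make Timo's point about supplementary groups and Lutz's initgroups suggestion concrete, here is an added Python example (not from the thread, Dovecot or Exim) that replays the discretionary access check the kernel applies to the auth-userdb socket for a dovecot-lda process started with and without initgroups(). The uid/gid 25110 comes from the log line; the mailnull gid of 26 is an assumed placeholder.

```python
import os
import pwd

# Constructed scenario from the thread: socket is root:mailnull srw-rw----,
# dovecot-lda runs as vmail (uid/gid 25110 from the log). The mailnull gid
# is an assumed placeholder; the real value depends on the host.
SOCKET_UID, SOCKET_GID, SOCKET_MODE = 0, 26, 0o660
VMAIL_UID, VMAIL_GID, MAILNULL_GID = 25110, 25110, 26


def check_access(euid, egid, groups, owner_uid, owner_gid, mode,
                 need=os.R_OK | os.W_OK):
    """Classic Unix DAC check in kernel order: owner class if the euid
    matches, else group class if the egid or any *enabled* supplementary
    group matches, else 'other'. Returns (allowed, reason)."""
    if euid == 0:
        return True, "root bypasses mode bits (CAP_DAC_OVERRIDE)"
    if euid == owner_uid:
        cls, bits = "owner", (mode >> 6) & 7
    elif egid == owner_gid or owner_gid in groups:
        cls, bits = "group", (mode >> 3) & 7
    else:
        cls, bits = "other", mode & 7
    missing = need & ~bits  # os.R_OK/W_OK/X_OK are 4/2/1, same layout as rwx
    if not missing:
        return True, "access granted via %s class" % cls
    flags = "".join(n for b, n in ((4, "r"), (2, "w"), (1, "x")) if missing & b)
    return False, "missing +%s perm (%s class)" % (flags, cls)


def lda_can_connect(initgroups_done):
    """Exim calling dovecot-lda as vmail. Without initgroups() only the
    primary group is enabled, so membership in mailnull does not help."""
    groups = [VMAIL_GID, MAILNULL_GID] if initgroups_done else []
    return check_access(VMAIL_UID, VMAIL_GID, groups,
                        SOCKET_UID, SOCKET_GID, SOCKET_MODE)


def drop_privileges(username, use_initgroups):
    """What an MTA does before exec'ing the LDA; must run as root. Only the
    initgroups() branch loads the user's supplementary groups from the
    group database; setgid()/setuid() alone never do."""
    pw = pwd.getpwnam(username)
    if use_initgroups:
        os.initgroups(username, pw.pw_gid)
    else:
        os.setgroups([])  # keep only the primary group set by setgid()
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


if __name__ == "__main__":
    for done in (False, True):
        ok, why = lda_can_connect(done)
        print("initgroups=%s -> %s (%s)" % (done, "ok" if ok else "denied", why))
```

The first run reproduces the "Permission denied" case from the thread (vmail falls into the "other" class of a root:mailnull 0660 socket); the second shows the same socket becoming reachable once the supplementary group is actually enabled.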
participants (3)
- a.smith@ukgrid.net
- Lutz Preßler
- Timo Sirainen