[Dovecot] setacl fails - does not find dovecot-acl file
Hi,
I'm using dovecot 2.0.13 that ships with Ubuntu 11.10. I tried setting up a shared namespace as documented in the wiki to enable the sharing of a mailbox between two users.
I have a Maildir(++) directory for each user. Each user has a system account. The Maildir of each user is owned by the user's system account and group read/writable by the group mail (hence mail_access_groups=mail).
Relevant parts of my config:
mail_plugins = acl
mail_location = maildir:/home/dovecot/%u
mail_access_groups = mail

namespace {
  type = private
  separator = /
  prefix =
  inbox = yes
  hidden = no
  subscriptions = yes
}
namespace {
  type = shared
  separator = /
  prefix = shared/%%u/
  location = maildir:/home/dovecot/%%u:INDEX=/home/dovecot/%u/shared/%%u
  subscriptions = no
  list = children
}

protocol imap {
  mail_plugins = $mail_plugins imap_acl
}

plugin {
  acl = vfile
}
plugin {
  acl_shared_dict = file:/home/dovecot/shared-mailboxes
}
When I try to create an ACL in a telnet session, the command fails with an internal error. The log shows:
dovecot: imap(michael): Error: fstat(/home/dovecot/michael/.test/dovecot-acl.lock) failed: No such file or directory
dovecot: imap(michael): Error: file_dotlock_open(/home/dovecot/michael/.test/dovecot-acl) failed: No such file or directory
The error occurs whether a (manually created) dovecot-acl file exists or not. The dovecot-acl.lock file is created but not removed afterwards. Subsequent setacl commands will time out waiting for the lock to be released until I delete it manually.
If I create the dovecot-acl file manually and provide access to another user, the getacl command will correctly show the permissions and the other user can access the folder. setacl will still fail to modify the acl file, however (same error).
Another thing that irritates me is that dovecot seems to use the dotlock locking method, although I explicitly set lock_method to fcntl (also tried flock, same behavior).
I'm not using chroot.
I appreciate any help to get this sorted out.
Thanks, Michael
Hi again,
On 22.10.2011 15:16, Michael Stilkerich wrote:
When I try to create an ACL in a telnet session, the command fails with an internal error. The log shows:
dovecot: imap(michael): Error: fstat(/home/dovecot/michael/.test/dovecot-acl.lock) failed: No such file or directory
dovecot: imap(michael): Error: file_dotlock_open(/home/dovecot/michael/.test/dovecot-acl) failed: No such file or directory
I found that the problem seems to be the try_create_lock_hardlink() function, which is used to create the lock file. I don't know why it doesn't work, but if I modify the code of dotlock_create() to always use try_create_lock_excl() instead, ignoring the setting of use_excl_lock in the dotlock_settings structure, it works just fine for me.
I noticed in the log that the issue not only occurs with the dovecot-acl files but with other files, too, namely the dovecot.index.log and my acl_shared_dict file.
Looking at the static dotlock_settings structure in the acl-file backend, I don't see how its use_excl_lock could possibly be set to 1 by the configuration (i.e., it doesn't seem that the dotlock_use_excl configuration option is considered). For the maildirlock, an environment variable "DOTLOCK_USE_EXCL" is checked instead of the config setting. I'm not sure whether it is intentional that the hardlink variant is generally used in these cases.
-Michael
On Sat, 2011-10-22 at 15:16 +0200, Michael Stilkerich wrote:
dovecot: imap(michael): Error: fstat(/home/dovecot/michael/.test/dovecot-acl.lock) failed: No such file or directory
This is some weird filesystem? fstat() isn't supposed to ever fail with ENOENT.
Another thing that irritates me is that dovecot seems to use the dotlock locking method, although I explicitly set lock_method to fcntl (also tried flock, same behavior).
The lock_method setting only affects index files. There are several others that always use dotlocks, because they're rarely enough modified that the dotlock performance doesn't matter. That's also why I haven't bothered to set use_excl_lock for them.
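The two lock-file creation strategies named in the messages above (hard link versus exclusive create), plus the point that fstat() works on a descriptor rather than a path, shown as an added example. This is not Dovecot's code: the function names and the scratch directory are constructed for illustration.

```python
import os
import tempfile

def lock_excl(lock_path):
    """Strategy 1: O_CREAT|O_EXCL. Returns an fd, or None if the lock is held."""
    try:
        return os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)
    except FileExistsError:
        return None

def lock_hardlink(lock_path):
    """Strategy 2: create a unique temp file, then link() it to the lock name."""
    directory = os.path.dirname(lock_path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".temp.", dir=directory)
    try:
        os.link(tmp_path, lock_path)      # EEXIST here means the lock is held
        return fd
    except OSError as err:
        os.close(fd)
        if isinstance(err, FileExistsError):
            return None
        raise
    finally:
        os.unlink(tmp_path)               # only the lock name remains on success

def release(fd, lock_path):
    os.unlink(lock_path)
    os.close(fd)

def nlink_after_unlink(directory):
    """fstat() takes a descriptor, so it still succeeds once every name is gone."""
    path = os.path.join(directory, "demo.lock")
    fd = lock_hardlink(path)
    os.unlink(path)
    try:
        return os.fstat(fd).st_nlink      # link count of the now-nameless inode
    finally:
        os.close(fd)

def demo():
    with tempfile.TemporaryDirectory() as d:      # constructed scratch directory
        lock = os.path.join(d, "dovecot-acl.lock")
        held = lock_hardlink(lock)
        contended = (lock_hardlink(lock), lock_excl(lock))   # both must fail
        leftovers = [n for n in os.listdir(d) if n.startswith(".temp.")]
        release(held, lock)
        return contended, leftovers, nlink_after_unlink(d)
```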
On 04.11.2011 20:47, Timo Sirainen wrote:
dovecot: imap(michael): Error: fstat(/home/dovecot/michael/.test/dovecot-acl.lock) failed: No such file or directory
This is some weird filesystem? fstat() isn't supposed to ever fail with ENOENT.
Nope, plain ext3. I have these issues since upgrading to Ubuntu 11.10, which was a dovecot upgrade from 1.2.15 to 2.0.13. Currently I use a self-built 2.0.15 dovecot. I'm still getting errors once in a while for the dovecot.index.log file:
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fcntl(unlock) locking failed for file /home/dovecot/isa/dovecot.index.log: No such file or directory
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fstat() failed with file /home/dovecot/isa/dovecot.index.log: No such file or directory
These errors occur regardless of the lock_method used.
And occasionally I also get errors like:
Nov 3 19:03:34 keira dovecot: imap(mikey): Error: Corrupted transaction log file /home/dovecot/mikey/dovecot.index.log seq 15: offset points outside file (32708 + 8 > 32708) (sync_offset=32800)
I believe the latter was recently reported by someone else on this list as well. The files are there, though I guess that dovecot recreates them when the errors occur, so I don't know what the situation was by the time the error occurred...
-Mike
On Fri, 2011-11-04 at 21:29 +0100, Michael Stilkerich wrote:
On 04.11.2011 20:47, Timo Sirainen wrote:
dovecot: imap(michael): Error: fstat(/home/dovecot/michael/.test/dovecot-acl.lock) failed: No such file or directory
This is some weird filesystem? fstat() isn't supposed to ever fail with ENOENT.
Nope, plain ext3. I have these issues since upgrading to Ubuntu 11.10, which was a dovecot upgrade from 1.2.15 to 2.0.13. Currently I use a self-built 2.0.15 dovecot. I'm still getting errors once in a while for the dovecot.index.log file:
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fcntl(unlock) locking failed for file /home/dovecot/isa/dovecot.index.log: No such file or directory
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fstat() failed with file /home/dovecot/isa/dovecot.index.log: No such file or directory
These simply shouldn't happen. I'd say it's a kernel bug. You're running a default Ubuntu kernel? I wonder if other Ubuntu users have this problem.
And occasionally I also get errors like:
Nov 3 19:03:34 keira dovecot: imap(mikey): Error: Corrupted transaction log file /home/dovecot/mikey/dovecot.index.log seq 15: offset points outside file (32708 + 8 > 32708) (sync_offset=32800)
I believe the latter was recently reported by someone else on this list as well. The files are there, though I guess that dovecot recreates them when the errors occur, so I don't know what the situation was by the time the error occurred...
Try if you can reproduce these more easily with imaptest? http://imapwiki.org/ImapTest Be sure to run it against a test account since it trashes the whole mailbox.
Hi,
On Nov 4, 2011, at 10:39 PM, Timo Sirainen wrote:
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fcntl(unlock) locking failed for file /home/dovecot/isa/dovecot.index.log: No such file or directory
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fstat() failed with file /home/dovecot/isa/dovecot.index.log: No such file or directory
These simply shouldn't happen. I'd say it's a kernel bug. You're running a default Ubuntu kernel? I wonder if other Ubuntu users have this problem.
It may be an apparmor issue. I noticed plenty of apparmor log entries on these accesses, though apparmor should only log but not disallow them. I have unloaded the dovecot apparmor profiles and not seen any of these errors since then.
I got a new issue, however: I migrated from Maildir to mdbox. Since then, my shared mailboxes don't fully work anymore.
I have given another user full rights to a shared mailbox (getacl returns akxeilprwtscd for that folder/user). The user sees the mailbox and can perform some operations including reading and deleting messages on it. If she tries to insert a new message, however, it fails and the error log shows:
dovecot: imap(isa): Error: fcntl(write-lock) locking failed for file /home/dovecot/michael/storage/dovecot.map.index.log: Bad file descriptor
dovecot: imap(isa): Error: mail_index_wait_lock_fd() failed with file /home/dovecot/michael/storage/dovecot.map.index.log: Bad file descriptor
All my mail locations are owned by the respective system user and the mail group, and writeable by both. In particular, I checked that both the storage directory as well as the dovecot.map.index.log are writeable by the mail group.
The users are not regular members of the mail group, but my dovecot config contains
mail_access_groups = mail
Any idea how to resolve this issue?
-Mike
On Fri, 4 Nov 2011, Timo Sirainen wrote:
On Fri, 2011-11-04 at 21:29 +0100, Michael Stilkerich wrote:
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fcntl(unlock) locking failed for file /home/dovecot/isa/dovecot.index.log: No such file or directory
Nov 4 16:29:03 keira dovecot: imap(isa): Error: fstat() failed with file /home/dovecot/isa/dovecot.index.log: No such file or directory
These simply shouldn't happen. I'd say it's a kernel bug. You're running a default Ubuntu kernel? I wonder if other Ubuntu users have this problem.
I am seeing this same problem on Ubuntu 11.10 and 12.04 with stock kernels.
The problem is clearly AppArmor related. The imap process seems to be using the "usr.sbin.dovecot" profile which prevents access to these files. There is a separate profile "usr.lib.dovecot.imap" but it seems that it does not get applied to the imap process for some odd reason. This is especially strange because both profiles are enabled in "complain" and not in "enforce" mode, thus they should not enforce any of the rules.
I am simultaneously getting messages similar to the following in my audit log:
type=AVC msg=audit(1335712674.515:655016): apparmor="ALLOWED" operation="getattr" parent=10922 profile="/usr/sbin/dovecot//null-107//null-10b//null-118" name="/home/foobar/Maildir/.foobar/dovecot.index.log" pid=10937 comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
After disabling the "usr.sbin.dovecot" profile everything seems fine. Other dovecot related AppArmor profiles do not seem to cause problems.
This looks like an issue in AppArmor to me...
-- Janne Snabb / EPIPE Communications snabb@epipe.com - http://epipe.com/
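A small triage helper for AppArmor audit records like the one quoted in the message above, showing which profile chain each process name is actually running under. It is an added example, not part of the original post or of AppArmor's tooling; the function names, the summary layout and the second sample record are constructed.

```python
import re
from collections import defaultdict

# key=value pairs, where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the fields of one AppArmor audit record, or None if it is not one."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    return fields if "apparmor" in fields else None

def profile_chain(profile):
    """Split 'base//null-107//null-10b' into ('base', ['null-107', 'null-10b'])."""
    base, *children = profile.split("//")
    return base, children

def summarize(lines):
    """Group records by (comm, base profile): verdicts, null-* depth, file paths."""
    summary = defaultdict(lambda: {"verdicts": set(), "null_depth": 0, "paths": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        base, children = profile_chain(rec.get("profile", ""))
        entry = summary[(rec.get("comm"), base)]
        entry["verdicts"].add(rec["apparmor"])
        # null-* components are auto-generated child profiles, not named ones
        depth = sum(c.startswith("null-") for c in children)
        entry["null_depth"] = max(entry["null_depth"], depth)
        entry["paths"].add(rec.get("name"))
    return dict(summary)

SAMPLE = [
    # record quoted in the post
    'type=AVC msg=audit(1335712674.515:655016): apparmor="ALLOWED" '
    'operation="getattr" parent=10922 '
    'profile="/usr/sbin/dovecot//null-107//null-10b//null-118" '
    'name="/home/foobar/Maildir/.foobar/dovecot.index.log" pid=10937 '
    'comm="imap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # constructed record for contrast: a named profile in enforce mode
    'type=AVC msg=audit(1335712700.000:655020): apparmor="DENIED" '
    'operation="open" profile="/usr/lib/dovecot/imap" '
    'name="/home/example/Maildir/dovecot.index.log" pid=11000 '
    'comm="imap" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
]
```

For the record from the post, `summarize(SAMPLE)` files the imap process under the base profile /usr/sbin/dovecot with three null-* levels, not under /usr/lib/dovecot/imap.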
participants (3): Janne Snabb, Michael Stilkerich, Timo Sirainen