[Dovecot] 1.2.3 - fchown failed messages
Hello,
I installed 1.2.3 and we are seeing a few messages in the log files such as:
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.log.newlock: Operation not permitted
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.tmp: Operation not permitted
dovecot -n:
# 1.2.3: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.20.1 i686 CentOS release 4.7 (Final)
protocols: imap imaps pop3 pop3s
ssl_ca_file: /usr/local/apache/conf/ssl.crt/gd_intermediate_bundle.crt
ssl_cert_file: /usr/local/apache/conf/ssl.crt/xyz.com.cert
ssl_key_file: /usr/local/apache/conf/ssl.key/xyz.com.key
ssl_cipher_list: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!ADH:!LOW
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
mail_max_userip_connections(default): 25
mail_max_userip_connections(imap): 25
mail_max_userip_connections(pop3): 10
mail_privileged_group: mail
mail_location: mbox:~/:INBOX=/var/spool/mail/%u
mail_full_filesystem_access: yes
mmap_disable: yes
fsync_disable: yes
mbox_read_locks: fcntl flock
mbox_write_locks: fcntl flock
mbox_very_dirty_syncs: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_process_size: 512
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: postmaster@example.com
auth default:
  mechanisms: plain login
  username_format: %Lu
  verbose: yes
  passdb:
    driver: shadow
  userdb:
    driver: passwd
Permissions look fine in the home directory john, including all sub-directories. Thanks for letting me know of anything to check/change.
Rob
On Tue, 2009-08-04 at 16:46 -0400, Rob Mangiafico wrote:
Hello,
I installed 1.2.3 and we are seeing a few messages in the log files such as:
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.log.newlock: Operation not permitted
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.tmp: Operation not permitted
This patch should give you a bit better error message that would explain the reason: http://hg.dovecot.org/dovecot-1.2/rev/8ea90a23ed74
On Tue, 4 Aug 2009, Timo Sirainen wrote:
On Tue, 2009-08-04 at 16:46 -0400, Rob Mangiafico wrote:
Hello,
I installed 1.2.3 and we are seeing a few messages in the log files such as:
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.log.newlock: Operation not permitted
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.tmp: Operation not permitted
This patch should give you a bit better error message that would explain the reason: http://hg.dovecot.org/dovecot-1.2/rev/8ea90a23ed74
Thanks. We've applied the patch and will email back if it continues to happen or we have any questions.
Rob
On Tue, 4 Aug 2009, Timo Sirainen wrote:
On Tue, 2009-08-04 at 16:46 -0400, Rob Mangiafico wrote:
Hello,
I installed 1.2.3 and we are seeing a few messages in the log files such as:
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.log.newlock: Operation not permitted
Aug 4 16:40:24 xyz dovecot: IMAP(john): fchown() failed with file /home/john/.imap/INBOX/dovecot.index.tmp: Operation not permitted
This patch should give you a bit better error message that would explain the reason: http://hg.dovecot.org/dovecot-1.2/rev/8ea90a23ed74
The log file now shows:
Aug 4 19:10:10 rezclick dovecot: IMAP(john): fchown(/home/john/.imap/INBOX/dovecot.index.tmp, -1, 12(mail)) failed: Operation not permitted (egid=509(johngrp), group based on /var/spool/mail/john)
/var/spool/mail/john has a group of "mail", whereas the home directory has their own "group". In 1.1.x we did not get these errors. Is this a fix in 1.2? I assume we have to make the group match from their home dir and /var/spool/mail to get rid of the error? Any downside to allowing this error to continue? Thanks.
Rob
On Tue, 2009-08-04 at 19:31 -0400, Rob Mangiafico wrote:
Aug 4 19:10:10 rezclick dovecot: IMAP(john): fchown(/home/john/.imap/INBOX/dovecot.index.tmp, -1, 12(mail)) failed: Operation not permitted (egid=509(johngrp), group based on /var/spool/mail/john)
/var/spool/mail/john has a group of "mail", whereas the home directory has their own "group". In 1.1.x we did not get these errors. Is this a fix in 1.2? I assume we have to make the group match from their home dir and /var/spool/mail to get rid of the error? Any downside to allowing this error to continue? Thanks.
What permissions does /var/spool/mail/john have? I guess mail group has read permissions? Just removing that should fix the error.
On Tue, 4 Aug 2009, Timo Sirainen wrote:
On Tue, 2009-08-04 at 19:31 -0400, Rob Mangiafico wrote:
Aug 4 19:10:10 rezclick dovecot: IMAP(john): fchown(/home/john/.imap/INBOX/dovecot.index.tmp, -1, 12(mail)) failed: Operation not permitted (egid=509(johngrp), group based on /var/spool/mail/john)
/var/spool/mail/john has a group of "mail", whereas the home directory has their own "group". In 1.1.x we did not get these errors. Is this a fix in 1.2? I assume we have to make the group match from their home dir and /var/spool/mail to get rid of the error? Any downside to allowing this error to continue? Thanks.
What permissions does /var/spool/mail/john have? I guess mail group has read permissions? Just removing that should fix the error.
-rw-rw---- 1 john mail 5676767 Aug 4 19:50 /var/spool/mail/john
Those are the default permissions that sendmail uses I believe. Not sure if removing "mail" group r/w would have any other impact for sendmail/procmail? Thanks for taking the time to help.
Rob
On Tue, 2009-08-04 at 19:53 -0400, Rob Mangiafico wrote:
What permissions does /var/spool/mail/john have? I guess mail group has read permissions? Just removing that should fix the error.
-rw-rw---- 1 john mail 5676767 Aug 4 19:50 /var/spool/mail/john
Those are the default permissions that sendmail uses I believe. Not sure if removing "mail" group r/w would have any other impact for sendmail/procmail? Thanks for taking the time to help.
It depends on your setup, but usually mail group shouldn't need read or write access to users' mails. Seems like a security risk to me in any case.
On Tue, 4 Aug 2009, Timo Sirainen wrote:
On Tue, 2009-08-04 at 19:53 -0400, Rob Mangiafico wrote:
What permissions does /var/spool/mail/john have? I guess mail group has read permissions? Just removing that should fix the error.
-rw-rw---- 1 john mail 5676767 Aug 4 19:50 /var/spool/mail/john
Those are the default permissions that sendmail uses I believe. Not sure if removing "mail" group r/w would have any other impact for sendmail/procmail? Thanks for taking the time to help.
It depends on your setup, but usually mail group shouldn't need read or write access to users' mails. Seems like a security risk to me in any case.
I agree. I removed the "rw" for the mail group for individual mbox mailboxes and no adverse effects from what I can tell. Thanks.
Rob
Hi,
On Tue, Aug 04, 2009 at 08:00:42PM -0400, Timo Sirainen wrote:
On Tue, 2009-08-04 at 19:53 -0400, Rob Mangiafico wrote:
What permissions does /var/spool/mail/john have? I guess mail group has read permissions? Just removing that should fix the error.
-rw-rw---- 1 john mail 5676767 Aug 4 19:50 /var/spool/mail/john
Those are the default permissions that sendmail uses I believe. Not sure if removing "mail" group r/w would have any other impact for sendmail/procmail? Thanks for taking the time to help.
It depends on your setup, but usually mail group shouldn't need read or write access to users' mails. Seems like a security risk to me in any case.
I think that's the standard setup on Red Hat/CentOS/Fedora boxes. User mboxes are by default owned by <user>:mail with 0660, while the spooldir is owned by root:mail with 0775.
# useradd abc123
# ls -ltrAd /var/spool/mail{,/abc123}
-rw-rw---- 1 abc123 mail 0 2009-08-06 19:44 /var/spool/mail/abc123
drwxrwxr-x. 2 root mail 4096 2009-08-06 19:44 /var/spool/mail
Axel.Thimm at ATrpms.net
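The check and the fix Rob ended up with, as an added shell example that is not from the thread or from Dovecot: needs_fix, classify and fix_mbox are names chosen here; the ls -l line is the one Rob posted, john's effective group (johngrp) comes from the improved log message, and the example assumes, as that message implies, that the fchown() only succeeds when the process's user is a member of the target group.

```sh
#!/bin/sh
# Added example, not Dovecot's own code. Dovecot 1.2 gives new index files the
# group of the mbox they belong to whenever that group has any access bits; if
# the IMAP process (running as the user, egid = the user's group) is not a
# member of that group, fchown() fails with EPERM as in the thread's log line.

# needs_fix PERMS GROUP EGID [SUPPLEMENTARY_GROUP...]
#   PERMS: ls-style mode string (e.g. -rw-rw----), GROUP: the mbox's group
#   (e.g. mail), EGID: the group Dovecot's user process runs with (johngrp).
# Returns 0 (true) when Dovecot would attempt an fchown() to GROUP that fails.
needs_fix() {
    perms=$1; group=$2; egid=$3; shift 3
    gbits=$(printf '%s' "$perms" | cut -c5-7)   # the group rwx triplet
    [ "$gbits" = "---" ] && return 1             # no group access: not copied
    [ "$group" = "$egid" ] && return 1           # already the user's group
    for g in "$@"; do [ "$g" = "$group" ] && return 1; done
    return 0                                     # not a member: EPERM
}

# classify LS_LINE EGID [SUPPLEMENTARY_GROUP...]: prints "WARN path" or "ok path".
classify() {
    line=$1; shift
    read -r perms links owner group size mon day time path <<EOF
$line
EOF
    if needs_fix "$perms" "$group" "$@"; then
        printf 'WARN %s (group %s has access, owner %s is not in it)\n' \
            "$path" "$group" "$owner"
    else
        printf 'ok %s\n' "$path"
    fi
}

# fix_mbox PATH: the change Rob applied, drop group read/write on the mbox so
# Dovecot stops copying its group; prints the resulting mode string.
fix_mbox() {
    chmod g-rw "$1" && ls -ld "$1" | cut -c1-10
}

# Constructed input: the ls -l line quoted in the thread, checked for john,
# whose effective group is johngrp and who is not a member of "mail".
classify '-rw-rw---- 1 john mail 5676767 Aug 4 19:50 /var/spool/mail/john' johngrp
# The same mbox after chmod g-rw: group has no access, so nothing is copied.
classify '-rw------- 1 john mail 5676767 Aug 4 19:50 /var/spool/mail/john' johngrp
```

On a real spool you would feed each line of `ls -l /var/spool/mail` to classify together with `id -gn OWNER` and `id -Gn OWNER` for that file's owner. Whether sendmail or procmail still needs group write on the mbox depends on the local delivery setup, as Timo notes.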