doveadm search -A problem with dropped privileges
Hello,
if you want to answer to this mail, please send it directly to me.
I have found a big issue with the following command: "doveadm search -A". It does work, however, when setting doveadm_worker_count = 0 in the dovecot.conf configuration file.
The problem is that doveadm-server (or something similar) uses the privileges of "nobody" and so it fails searching e-mails. The process also tries to create a maildir for "nobody":
Debug: Namespace : /var/mail/nobody doesn't exist yet, using default permissions
Debug: Namespace : Using permissions from /var/mail/nobody: mode=0700 gid=default
Error: User initialization failed: Namespace '': mkdir(/var/mail/nobody) failed: Permission denied (euid=65534(nobody) egid=65534(nobody) missing +w perm: /var/mail, we're not in group 12(mail), dir owned by 0:12 mode=0775)
Error: search: User init failed
Error: userdb lookup: connect(/var/run/dovecot//auth-userdb) failed: Permission denied (euid=65534(nobody) egid=65534(nobody) missing +r perm: /var/run/dovecot//auth-userdb, we're not in group 12(mail), dir owned by 0:0 mode=0755)
Error: search: User lookup failed: Internal error occurred. Refer to server log for more information.
Even after setting permissions so that the process can create a maildir for "nobody" in the /var/mail location, it fails to "setresgid" to the particular user to be scanned.
It can't work, because it is not possible to gain another user's privileges from an unprivileged user.
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux Gentoo Base System release 2.2
auth_cache_negative_ttl = xx mins
auth_cache_size = xx M
auth_cache_ttl = xx mins
auth_mechanisms = xx xx
auth_worker_max_count = xx
base_dir = /var/run/dovecot/
default_process_limit = xx
dict {
  expire = sqlite:/xx
}
doveadm_worker_count = 1
first_valid_gid = xx
first_valid_uid = xx
login_greeting = xx.xx
mail_location = maildir:/xx/xx/%u
mail_privileged_group = xx
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
passdb {
  args = scheme=SHA512 /xx/xx/xx.xx
  driver = passwd-file
}
plugin {
  expire = xx
  expire2 = xx
  expire_dict = proxy::expire
  sieve = ~/.xx.xx
  sieve_dir = ~/.xx
}
protocols = imap sieve
service auth {
  unix_listener auth-client {
    group = xx
    mode = 0660
  }
  unix_listener auth-userdb {
    group = xx
    mode = 0660
  }
}
service dict {
  unix_listener dict {
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  process_limit = 6
  service_count = 1
}
ssl_cert = </xx/xx/xx/xx.xx.xx
ssl_key = </xx/xx/xx/xx.xx.xx
ssl_parameters_regenerate = xx days
userdb {
  driver = passwd
}
protocol lda {
  mail_plugins = sieve expire
}
protocol imap {
  imap_idle_notify_interval = xx mins
  mail_max_userip_connections = xx
  mail_plugins = expire
}
Regards
Sebastian Kricner
-- http://tuxwave.net -- the difference to think makes it real!
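A small Python helper, added here and not part of Sebastian's post or of Dovecot itself, that parses the two "Permission denied" lines quoted above and tells you whether the parent directory's mode bits are what block euid 65534, or whether the denied object itself (here the auth-userdb socket, which the config above creates with mode 0660 and a restricted group) must be blamed. The reading of Dovecot's diagnostic format ("dir owned by" describing the parent of the syscall's path) is an assumption, not something the post states.

```python
import os
import re
# Shape of Dovecot's "Permission denied (...)" diagnostic quoted in the post. Assumption,
# not stated on the page: "dir owned by ... mode=" is the parent directory of the syscall's
# path, and "missing +X perm: P" names the component where Dovecot's own check failed.
LINE_RE = re.compile(
    r"(?P<call>\w+)\((?P<target>[^)]+)\) failed: Permission denied \("
    r"euid=(?P<euid>\d+)\(\S*\) egid=(?P<egid>\d+)\(\S*\) "
    r"missing \+(?P<perm>[rwx]) perm: (?P<where>[^,]+), "
    r"(?P<grp>we're (?P<notin>not )?in group \d+(?:\([^)]*\))?, )?"
    r"dir owned by (?P<ouid>\d+):(?P<ogid>\d+) mode=0?(?P<mode>[0-7]+)\)")
# Constructed sample input: the two error lines from the post, verbatim.
LOG_LINES = [
    "Error: User initialization failed: Namespace '': mkdir(/var/mail/nobody) failed: "
    "Permission denied (euid=65534(nobody) egid=65534(nobody) missing +w perm: /var/mail, "
    "we're not in group 12(mail), dir owned by 0:12 mode=0775)",
    "Error: userdb lookup: connect(/var/run/dovecot//auth-userdb) failed: Permission denied "
    "(euid=65534(nobody) egid=65534(nobody) missing +r perm: /var/run/dovecot//auth-userdb, "
    "we're not in group 12(mail), dir owned by 0:0 mode=0755)",
]

def classify(line):
    """Return None for non-matching lines, else a dict saying whether the parent directory's
    mode bits explain the denial (parent_denies) or the denied object itself must be blamed."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    euid, egid = int(m["euid"]), int(m["egid"])
    ouid, ogid, mode = int(m["ouid"]), int(m["ogid"]), int(m["mode"], 8)
    in_group = m["grp"] is not None and m["notin"] is None
    # Classic Unix class selection against the parent directory: owner, group, other.
    if euid == ouid:
        cls, shift = "owner", 6
    elif egid == ogid or in_group:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bit = {"r": 4, "w": 2, "x": 1}[m["perm"]]
    parent = os.path.normpath(os.path.dirname(m["target"]))
    if os.path.normpath(m["where"]) == parent:
        denied = not ((mode >> shift) & bit)
        detail = (f"{parent} is {ouid}:{ogid} mode {mode:04o}; euid {euid} is class "
                  f"'{cls}', +{m['perm']} {'not ' if denied else ''}granted")
    else:  # the parent passed Dovecot's walk; the object itself (e.g. a 0660 socket) denies
        denied = False
        detail = (f"parent {parent} (mode {mode:04o}) is fine; {m['where']} itself denies "
                  f"+{m['perm']} to euid {euid}: check its own mode and group")
    return {"call": m["call"], "target": m["target"], "perm": m["perm"],
            "parent_denies": denied, "detail": detail}
```

Running `classify` over `LOG_LINES` separates the two failures: the mkdir is blocked by /var/mail's 0775 root:mail bits, while for the socket the parent directory is fine and the socket's own 0660 mode is what shuts out "nobody".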