[Dovecot] Can't drop root group privileges

Jackie Hunt jackie at yuma.acns.colostate.edu
Fri Dec 1 18:35:02 UTC 2006


Found what was causing the problem!  

In the file src/lib/restrict-access.c, in the restrict_access_by_env
routine, the code is in place to change to the login user's group and
uid.  After this, a check is done to verify that gid and egid are not 0
and [this is the gotcha] that gid cannot be set to 0.

     if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
             if (gid == 0)
                     i_fatal("GID 0 isn't permitted");
             i_fatal("We couldn't drop root group privileges "
                     "(wanted=%s, gid=%s, egid=%s)", dec2str(gid),
                     dec2str(getgid()), dec2str(getegid()));
     }

In our environment, some users are part of group 0 (system group),
in addition to their primary group, so this operation is successful,
and thus we see the error about not being able to drop root group
privileges.

My solution is to change the first if statement to:

     if (getgid() == 0 || getegid() == 0) {

since the setgid test is too restrictive for our environment.

Comments/suggestions/analysis welcome.  Glad to know what is 
finally happening!

Jackie

> 
> An update on my problem dropping root group privileges.  I
> discovered this is a problem for a user if they are in the
> system group (gid 0).  If I remove the user from the system
> group, and leave them in their primary group, I don't see 
> the error.
> 
> I've tried setting first_valid_gid to something like 4, hoping
> dovecot would filter out gid 0, but that doesn't work.
> 
> Still searching for an answer...
> 
> Jackie
> 
> > 
> > Hi all,
> > 
> > I need your insight.  I've been testing Dovecot on an AIX 5.2
> > system.  Compiled and running fine.  We have some users on an
> > AIX 5.1 system, so I'm working on installing it there, so we
> > can do further testing.
> > 
> > I'm using Dovecot 1.0 RC15 with OpenSSL 9.0.7e, configured to use 
> > port 10143 (imap) and 10993 (imaps).  The error I'm seeing in the log is:
> > 
> > dovecot: Nov 28 09:23:54 Info: imap-login: Login: user=<jackie>, method=PLAIN, rip=xx.x.xxx.xxx, lip=xxx.xx.xxx.xx, TLS
> > dovecot: Nov 28 09:23:54 Error: IMAP(jackie): We couldn't drop root group privileges (wanted=200, gid=200, egid=0)
> > dovecot: Nov 28 09:23:54 Error: child 860274 (imap) returned error 89
> > 
> > I've seen this error reported on the list, with the suggested resolution
> > being to set the first_valid_gid = 0 in dovecot.conf.  I've tried that,
> > and nothing changes.
> > 
> > Any help would be greatly appreciated!
> > 
> > Jackie
> 

Jackie Hunt                                                       
ACNS                                    Voice:  (970) 663-3789     
Colorado State University               FAX:    (970) 491-1958
Fort Collins, CO  80523                 Email:  jackie.hunt at colostate.edu

