[Dovecot] auth-master: Permission denied [sigh]

James Butler jbutler at thebestdefense.com
Tue Apr 14 20:22:52 EEST 2009


> On Mon, 2009-04-13 at 15:48 -0700, James Butler wrote:
>> 1) User 'spam:dovecot' runs Spamassassin
>> 2) Hands off to deliver (root:dovecot)
>
> Have you set up some kind of setuid-root deliver, or why is it running
> as root:dovecot here instead of spam:dovecot?

I have no idea how it is running, except for these clues:

1) Deliver is owned by root:dovecot

2) When Spamassassin executes and then its output gets piped to Deliver
WITHOUT a '-d ${user}' parameter, mail gets delivered to 'spam'

So it seems like Spamassassin IS running as user 'spam:dovecot'.

Then it hands off to Deliver which starts out as being owned by
root:dovecot. The runtime parameters instruct Deliver to switch from its
default ownership to 'user1:dovecot', AFAICT.

>> 3) Deliver assumes 'user1:dovecot' identity
>> 4) Can't access auth-master in 'root:dovecot' directory (777)
>
> 4) happens before 3).

But my error (4) is labeled with:

deliver(user1):

Does that not indicate that Deliver has switched from its default
ownership to run as 'user1', per the runtime parameters, and then been
denied access to auth-master?

>> So it's 'auth-master' that is (a) not available to 'user1' AND (b) not
>> available to group 'dovecot'. Huh? Why not?
>
> My guess is that deliver isn't really started with dovecot group
> permission.

My settings in Postfix's master.cf instruct:

/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}

If: ${user} = user1:dovecot

Then isn't deliver being executed as user1:dovecot?

And would I really need to put ALL of my users into the same (dovecot)
group just to be able to get mail to them? That would make little sense to
me, as the whole point of using groups would be eliminated.

Obviously I have a lot of confusion about who is running what when, and
why auth-master is not allowing access to itself.

The only thing I know for sure is that when I use the '-d ${user}'
parameter in master.cf, the ${user} has no permission to access/execute
auth-master, regardless of '/var/run/dovecot' directory permissions.

If I omit that parameter, and let Deliver keep running as user 'spam',
mail gets delivered (to 'spam').

If I omit the whole Spamassassin loop and go straight to Deliver, mail
gets delivered (to ${user}).

It is only when I try to switch from 'spam' to '${user}' that I have this
problem.

Here's my Deliver ownership/perms, again:

-rwxr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver

Shouldn't there be an 's' in there, somewhere?
Should I be looking at some other executable, like dovecot-auth?

Thank you for your help.

James
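As an added example (not code from this thread or from the Dovecot project): a small POSIX shell script that decodes an `ls -l` mode string to answer the two questions raised above, whether deliver would change identity when run (the 's' in the mode), and whether a given user can reach a file such as the auth-master socket. The socket mode `srw-rw---- root dovecot` and the group memberships used at the bottom are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot. Everything works on
# constructed strings, so it runs offline. Mode strings are the 10-character
# field from `ls -l`: type char, then owner/group/other rwx triplets.

# "yes" if the owner-execute slot holds s/S (setuid bit), else "no".
has_setuid() { case "$1" in ???[sS]*) echo yes ;; *) echo no ;; esac; }
# "yes" if the group-execute slot holds s/S (setgid bit), else "no".
has_setgid() { case "$1" in ??????[sS]*) echo yes ;; *) echo no ;; esac; }

# effective_identity MODE OWNER GROUP INVOKER_USER INVOKER_GROUP
# Prints the uid:gid the process starts with: the invoker's own identity,
# unless a setuid/setgid bit swaps in the file's owner/group.
effective_identity() {
  u=$4; g=$5
  [ "$(has_setuid "$1")" = yes ] && u=$2
  [ "$(has_setgid "$1")" = yes ] && g=$3
  echo "$u:$g"
}

# can_access MODE OWNER GROUP PERM USER "GROUP1 GROUP2 ..."
# PERM is r, w or x. Mirrors the classic DAC rule: exactly one class
# (owner, group or other) is consulted, chosen by uid first, then by any
# matching supplementary group; root bypasses r/w but still needs some x bit.
can_access() {
  mode=$1; perm=$4; u=$5; groups=$6
  if [ "$u" = root ] && [ "$perm" != x ]; then echo yes; return; fi
  if [ "$u" = root ]; then
    case $mode in ?*[xst]*) echo yes ;; *) echo no ;; esac; return
  fi
  if [ "$u" = "$2" ]; then
    class=${mode#?}; class=${class%??????}        # owner triplet
  else
    class=${mode#???????}                         # other triplet by default
    for grp in $groups; do
      [ "$grp" = "$3" ] && { class=${mode#????}; class=${class%???}; }
    done
  fi
  case $perm in
    r) case $class in r*) echo yes ;; *) echo no ;; esac ;;
    w) case $class in ?w*) echo yes ;; *) echo no ;; esac ;;
    x) case $class in ??[xst]) echo yes ;; *) echo no ;; esac ;;
  esac
}

# The deliver binary as listed in the thread, invoked by spam:spam.
echo "deliver runs as: $(effective_identity -rwxr-xr-x root dovecot spam spam)"
# Constructed auth-master socket mode (0660 root:dovecot) checked for user1.
echo "user1 without dovecot group: $(can_access srw-rw---- root dovecot w user1 user1)"
echo "user1 with dovecot group:    $(can_access srw-rw---- root dovecot w user1 'user1 dovecot')"
```

Without an 's' in the owner or group execute slot, the binary keeps the invoker's uid and gid, so group ownership of the file by `dovecot` does not by itself give the process that group.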
