[Dovecot] ACLs, imap and launchd

Axel Luttgens AxelLuttgens at swing.be
Fri Jun 26 11:33:39 EEST 2009


I was going to experiment with ACLs when I faced a small problem.
It is sufficient to enable the acl plugin to get the
behavior described hereafter.

When launching dovecot from the command line, one gets:

	sh-3.2# /usr/local/dovecot/sbin/dovecot -F
	ILoading modules from directory: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
	IModule loaded: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap/lib01_acl_plugin.so
	IEffective uid=65534, gid=65534, home=/tmp
	Iacl: No acl setting - ACLs are disabled
	^C

In fact, a "dummy" imap process is run so as to fetch the capability
(see master-settings.c); that process is run with a hardcoded uid/gid
65534.
But this appears to be problematic when dovecot is started from
launchd; clearly, launchd doesn't like arbitrary users, as may be
seen from system.log:

	org.dovecot[28382]: ^AILoading modules from directory: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
	org.dovecot[28382]: ^AIModule loaded: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap/lib01_acl_plugin.so
	com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): getpwuid("65534") failed
	com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): PID 28383 "imap" has no account to back it! Real/effective/saved UIDs: 65534/65534/65534
	com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): Exited with exit code: 1
	com.apple.launchd[1] (com.apple.launchd.peruser.65534): Throttling respawn: Will start in 10 seconds
	com.apple.launchd[1] (org.dovecot[28382]): Stray process with PGID equal to this dead job: PID 28383 PPID 1 imap
	com.apple.launchd[1] (org.dovecot[28382]): Exited abnormally: Alarm clock
	com.apple.launchd[1] (org.dovecot): Throttling respawn: Will start in 5 seconds
	com.apple.launchd[1] (com.apple.launchd.peruser.65534[28386]): getpwuid("65534") failed
	com.apple.launchd[1] (com.apple.launchd.peruser.65534[28386]): Exited with exit code: 1
	com.apple.launchd[1] (com.apple.launchd.peruser.65534): Throttling respawn: Will start in 10 seconds
	... and so on ...

A workaround is to create the corresponding system user and group;  
launchd then doesn't complain anymore and everything seems to be  
working fine.

But I feel somewhat uncomfortable with that...
Wouldn't it be possible, for example, to consider using a system user  
such as "nobody" (unless I'm wrong, it should be defined on any unix  
flavor)?

TIA,
Axel


sh-3.2# /usr/local/dovecot/sbin/dovecot -n
# 1.2.rc6: /usr/local/etc/dovecot.conf
# OS: Darwin 9.7.0 i386
protocols: pop3 imap
ssl: no
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap-login
login_executable(imap): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/dovecot-1.2.rc6/libexec/dovecot/pop3-login
first_valid_uid: 2001
last_valid_uid: 65533
mail_location: mbox:~/_mailboxes:INBOX=~/_mailboxes/inbox
mail_debug: yes
mbox_read_locks: flock
mbox_write_locks: flock dotlock
mail_executable(default): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap
mail_executable(imap): /usr/local/dovecot-1.2.rc6/libexec/dovecot/imap
mail_executable(pop3): /usr/local/dovecot-1.2.rc6/libexec/dovecot/pop3
mail_plugins(default): acl
mail_plugins(imap): acl
mail_plugins(pop3):
mail_plugin_dir(default): /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/dovecot-1.2.rc6/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/dovecot-1.2.rc6/lib/dovecot/pop3
pop3_lock_session(default): no
pop3_lock_session(imap): no
pop3_lock_session(pop3): yes
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
auth default:
   debug: yes
   passdb:
     driver: pam
     args: *
   userdb:
     driver: passwd
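
An added example, not part of the original post and not Dovecot code: a Python scan of system.log text for the launchd messages quoted above, reporting each UID that has no account behind it and the launchd job whose process ran under it. The sample log is constructed from the post's lines (unwrapped, timestamps omitted); the function and field names are assumptions.

```python
import re

# Constructed sample: the launchd lines quoted in the post, unwrapped, no timestamps.
SAMPLE_LOG = """\
org.dovecot[28382]: ^AIModule loaded: /usr/local/dovecot-1.2.rc6/lib/dovecot/imap/lib01_acl_plugin.so
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): getpwuid("65534") failed
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): PID 28383 "imap" has no account to back it! Real/effective/saved UIDs: 65534/65534/65534
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28384]): Exited with exit code: 1
com.apple.launchd[1] (com.apple.launchd.peruser.65534): Throttling respawn: Will start in 10 seconds
com.apple.launchd[1] (org.dovecot[28382]): Stray process with PGID equal to this dead job: PID 28383 PPID 1 imap
com.apple.launchd[1] (org.dovecot[28382]): Exited abnormally: Alarm clock
com.apple.launchd[1] (org.dovecot): Throttling respawn: Will start in 5 seconds
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28386]): getpwuid("65534") failed
com.apple.launchd[1] (com.apple.launchd.peruser.65534[28386]): Exited with exit code: 1
com.apple.launchd[1] (com.apple.launchd.peruser.65534): Throttling respawn: Will start in 10 seconds
"""

NO_ACCOUNT = re.compile(r'PID (\d+) "([^"]+)" has no account to back it! '
                        r'Real/effective/saved UIDs: (\d+)/(\d+)/(\d+)')
GETPWUID_FAIL = re.compile(r'getpwuid\("(\d+)"\) failed')
PERUSER_THROTTLE = re.compile(r'\(com\.apple\.launchd\.peruser\.(\d+)\): Throttling respawn')
STRAY = re.compile(r'\(([\w.-]+)\[\d+\]\): Stray process with PGID equal to '
                   r'this dead job: PID (\d+) ')

def find_accountless_uids(log_text):
    """Return {uid: summary} for each UID launchd reported as having no account."""
    report, throttles, stray_jobs = {}, {}, {}

    def entry(uid):
        return report.setdefault(int(uid), {"processes": set(), "getpwuid_failures": 0})

    for line in log_text.splitlines():
        if m := NO_ACCOUNT.search(line):
            pid, name, *uids = m.groups()
            for uid in set(uids):          # real, effective and saved UID
                entry(uid)["processes"].add((int(pid), name))
        elif m := GETPWUID_FAIL.search(line):
            entry(m.group(1))["getpwuid_failures"] += 1
        elif m := PERUSER_THROTTLE.search(line):
            throttles[int(m.group(1))] = throttles.get(int(m.group(1)), 0) + 1
        elif m := STRAY.search(line):
            stray_jobs[int(m.group(2))] = m.group(1)
    for uid, summary in report.items():
        # Throttling alone is not a finding; count it only for UIDs already flagged.
        summary["respawn_throttles"] = throttles.get(uid, 0)
        # Attribute each accountless process to the launchd job it was a stray of.
        summary["jobs"] = {stray_jobs[p] for p, _ in summary["processes"] if p in stray_jobs}
    return report
```

On the sample, the only flagged UID is 65534, tied to the "imap" process (PID 28383) left behind by the org.dovecot job.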


