[Dovecot] Occasional fchown errors?

David Ford david at blue-labs.org
Wed Nov 10 20:48:13 EET 2010


Use this patch; it fixes Dovecot's assumptions about inheriting group ownership from the parent directory.

Colt ~ # cat
/usr/local/portage/net-mail/dovecot/files/dovecot-2.0.5-bad-permissions-inheritance.patch

--- src/lib-storage/mailbox-list.c.orig 2010-09-14 11:03:18.000000000 -0400
+++ src/lib-storage/mailbox-list.c      2010-10-14 15:20:15.000000000 -0400
@@ -25,6 +25,9 @@
 #include <unistd.h>
 #include <dirent.h>
 #include <sys/stat.h>
+#include <stdlib.h>
+#include <grp.h>
+#include <pwd.h>
 
 /* 20 * (200+1) < 4096 which is the standard PATH_MAX. Having these
settings
    prevents malicious user from creating eg. "a/a/a/.../a" mailbox name and
@@ -450,7 +453,7 @@
                }
 
                if (S_ISDIR(st.st_mode) && (st.st_mode & S_ISGID) != 0) {
-                       /* directory's GID is used automatically for new
+                       /* directory is sgid, so GID is used
automatically for new
                           files */
                        *gid_r = (gid_t)-1;
                } else if ((st.st_mode & 0070) >> 3 == (st.st_mode &
0007)) {
@@ -460,8 +463,39 @@
                } else if (getegid() == st.st_gid) {
                        /* using our own gid, no need to change it */
                        *gid_r = (gid_t)-1;
-               } else {
-                       *gid_r = st.st_gid;
+               }
+
+               else {
+                       /* test for unusable inheritance. logic sets
fgid_me to st.gid
+                          for unlikely case of lookup failure and we
just fall through */
+                       int j, ngroups = 999;
+                       gid_t *groups;
+                       gid_t fgid_me = st.st_gid;
+
+                       groups = malloc(ngroups * sizeof (gid_t));
+                       if (groups != NULL) {
+                               uid_t egid = getegid();
+                               struct passwd *pw = getpwuid(geteuid());
+                               if (pw != NULL) {
+                                       /* get pw entry for test using
my current effective uid */
+                                       if (getgrouplist(pw->pw_name,
egid, groups, &ngroups) != -1) {
+                                               /* get list of group IDs
my euid belongs to, ngroups
+                                                  will be set to the
number of groups I belong to */
+                                               fgid_me = egid;
+                                               for (j = 0; j < ngroups;
j++) {
+                                                       /* enumerate
list, test to see if i belong
+                                                          to gid of
parent directory */
+                                                       if (st.st_gid ==
groups[j]) {
+                                                               /* if
so, switch to parent gid */
+                                                               fgid_me
= st.st_gid;
+                                                       }
+                                               }
+                                       }
+                               }
+                               free(groups);
+                       }
+
+                       *gid_r = fgid_me;
                }
        }
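Review bot: The membership test in the new `else` branch asks the group database (`getpwuid()` plus `getgrouplist()`) instead of the process, so its answer can differ from the credentials the kernel checks on `fchown()`, for example after supplementary groups were dropped or when the NSS lookup is unavailable. `getgroups()` returns the groups the process actually holds, and sizing the buffer from `getgroups(0, NULL)` removes the fixed `ngroups = 999` allocation; the sketch below keeps the patch's fall-through to `st.st_gid` when the list cannot be read. Separately, `uid_t egid = getegid();` should be declared `gid_t`. When the process is not a member, the branch silently substitutes the effective gid, so any group mode bits taken from the parent directory (presumably set elsewhere in this function, which starts and ends outside the hunk) would then apply to the user's primary group; a debug log at that point would make the substitution visible to the administrator.

```c
} else {
	/* keep the parent gid unless the process's own group list shows
	   that we are not a member of it */
	gid_t fgid_me = st.st_gid;
	gid_t *groups = NULL;
	int j, ngroups = getgroups(0, NULL);

	if (ngroups > 0)
		groups = malloc(ngroups * sizeof(gid_t));
	if (ngroups == 0 || (groups != NULL &&
	    (ngroups = getgroups(ngroups, groups)) >= 0)) {
		/* group list is known: use the parent gid only if we hold it */
		fgid_me = getegid();
		for (j = 0; j < ngroups; j++) {
			if (groups[j] == st.st_gid) {
				fgid_me = st.st_gid;
				break;
			}
		}
	}
	free(groups);

	*gid_r = fgid_me;
}
```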



On 11/10/2010 01:34 PM, Knute Johnson wrote:
> Hi:
>
> I get the occasional error below.  Is there something I don't have
> configured correctly?  Or should I just ignore this?  It is not always
> this file, sometimes it is the cache.lock file or the log.newlock
> file.  I have a mail client running on my computer and my phone at the
> same time, could that have something to do with it?
>
> Nov 10 08:32:59 rabbitbrush dovecot: IMAP(bob):
> fchown(/home/bob/mail/.imap/INBOX/dovecot.index.tmp, -1, 8(mail))
> failed: Operation not permitted (egid=1000(bob), group based on
> /var/mail/bob)
>
> From dovecot -n
>
> # 1.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-25-generic i686 Ubuntu 10.04.1 LTS
> log_timestamp: %Y-%m-%d %H:%M:%S
> protocols: imaps
> ssl_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
> ssl_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
> login_dir: /var/run/dovecot/login
> login_executable: /usr/lib/dovecot/imap-login
> mail_privileged_group: mail
> mail_location: mbox:~/mail:INBOX=/var/mail/%u
> mbox_write_locks: fcntl dotlock
> auth default:
>   passdb:
>     driver: pam
>   userdb:
>     driver: passwd
>
> Thanks very much,
>

