[Dovecot] started with dovecot sieve

Daniel Parthey daniel.parthey at informatik.tu-chemnitz.de
Tue Jun 26 23:10:36 EEST 2012


Rolf wrote:
> Am 2012-06-25 23:59, schrieb Daniel Parthey:
> >Hi Rolf,
> >
> >Rolf wrote:
> >>Jun 25 20:22:54 rolf14 dovecot: lda(rolf): Error: setegid(privileged) failed: Operation not permitted

Doesn't lda(rolf) mean it is being executed under user "rolf",
not root or dovecot?

How exactly do you invoke lda from your /etc/postfix/master.cf?

You might also try to use LMTP via TCP to deliver mails
from postfix to dovecot to work around any permission problems.

> I have installed dovecot and dovecot-sieve by Debian's aptitude

You don't seem to be the only one with these problems, see Debian BTS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626130

> As far as I understand the "ps -f ax" output (see
> below) dovecot runs with root privileges and postfix runs with its
> own user privileges.
>
> root     20998     1  0 Jun25 ?        Ss     0:03 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf

Well, the master process often runs as root, but child processes
like lda may be configured to run as an unprivileged user, or even
as the user which owns the mailbox.

> The mbox files below /var/mail are owned by
> their respective users and have "mail" as their group, both can
> write, world can do nothing. I added every related system user to
> the mail group, also restarted postfix and dovecot.

> root at rolf14:/var/mail# more /etc/group | grep mail: mail:x:8:amavis,dovecot,clamav,postfix

User "rolf" is not a member of group "mail", but I don't think he needs
to be, otherwise he would be able to read the mails of all users on the
system and this would be a security risk.

> As I understand it, postfix activates the lda "deliver" as user
> "postfix". Therefore it should be able to write to the mboxes at
> /var/mail. If needed dovecot can write there as well.

The lda should rather switch to the owner of the respective INBOX,
e.g. /var/mail/rolf. The log message "lda(rolf)" looks like this is what happens.

To summarize, I think LMTP will be the easiest way to fix
the permission problems. Otherwise you would need to fiddle out
how to prevent dovecot lda from switching to the additional
group "mail", since unprivileged user "rolf" is not allowed to do that.

Regards,
Daniel
-- 
https://plus.google.com/103021802792276734820
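The LMTP-over-TCP setup suggested in the mail above, written out as an added example that is not part of the original message or of the Dovecot/Postfix projects' documentation. Dovecot 2.x configuration syntax is assumed, and the file paths, port 24, the loopback address and the postmaster address are assumptions to be adjusted to the local installation.

```conf
# /etc/dovecot/conf.d/20-lmtp.conf  (assumed path, Dovecot 2.x syntax)
# Listen for LMTP over TCP on the loopback interface only. LMTP performs
# no authentication, so the listener must not be reachable from other hosts;
# binding to 127.0.0.1 keeps it limited to Postfix on the same machine.
service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
}

# Run Sieve scripts at delivery time, as dovecot-lda would have done.
protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

# Required for bounces and Sieve "reject" actions (assumed address).
postmaster_address = postmaster@example.org

# /etc/postfix/main.cf (assumed path)
# Hand local mailboxes to Dovecot's LMTP listener instead of piping each
# message through "deliver" from master.cf, so no setegid() is needed.
mailbox_transport = lmtp:inet:127.0.0.1:24
```

After restarting both daemons, `doveconf -n` should show the lmtp listener and `postconf mailbox_transport` the new transport; a delivery should then appear in the log as lmtp(rolf) rather than lda(rolf).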
