Dovecot 2.3 - using doveadm as non-root?

Rob Hoelz rob at hoelz.ro
Thu Jan 4 02:58:36 EET 2018


On Wed, 3 Jan 2018 13:37:07 -0500
Timo Sirainen <tss at iki.fi> wrote:

> On 3 Jan 2018, at 11.38, Rob Hoelz <rob+dovecot at hoelz.ro> wrote:
> > 
> > Hi dovecot developers and users,
> > 
> > I recently upgraded my server running Arch Linux to dovecot 2.3.0,
> > and I noticed some of my cron jobs started issuing me error
> > messages.  These cron jobs run as a non-root user associated with
> > my mail account, and they use doveadm to tidy things up (ex.
> > purging the trash, moving old mail in certain folders into the
> > trash).  The error message is:
> > 
> >> Error: net_connect_unix(/var/run/dovecot/stats-writer) failed:
> >> Permission denied
> > 
> > I assume this is doveadm trying to participate in the new 2.3 stats
> > process, and after reading the code a bit, I can't see a way to tell
> > doveadm to not connect to the stats writer.  The socket is owned by
> > root with 600 permissions.
> > 
> > What would be the right way to remedy this?  AFAICT, I could
> > potentially run doveadm as root (which I would prefer to avoid), or
> > I could change the permissions on the stats writer socket, but I
> > would hate to introduce any sort of security vulnerability by doing
> > so.  I currently have a scrappy Perl script that just runs doveadm
> > and filters out the error message (it doesn't seem to affect the
> > behavior of doveadm other than the message), but that feels dirty
> > and I would prefer a cleaner solution.  Any advice?
> 
> I was wondering what to do about this while developing it. I think
> you can disable this by clearing out the socket path:
> 
> doveadm -o stats_writer_socket_path=
> 
> But .. I think changing the socket permissions is the better
> solution. The new stats process should know about everything that is
> going on in the system, and these doveadm calls are part of that. So
> if they're excluded then the stats aren't exactly correct. The
> stats-writer can't do all that much harm other than messing up the
> statistics or probably crashing stats process by using up all of its
> memory.
> 

Thanks for the advice, Timo - I went ahead and applied the permission change to my dovecot config.  On a side note, thanks for dovecot in general - it's a great piece of software!

-Rob
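
The permission change discussed in this thread, sketched as an added example (it is not from the original messages or from Dovecot's shipped configuration). It assumes a hypothetical group named `mailjobs` that contains only the non-root account running the doveadm cron jobs, and a hypothetical override file under the Dovecot config directory.

```conf
# Hypothetical override file, e.g. a local file included from dovecot.conf.
# Goal: let a non-root doveadm reach the stats-writer socket without
# opening the socket to every local account.

service stats {
  unix_listener stats-writer {
    # State reported in the thread: socket owned by root, mode 0600, so a
    # non-root doveadm fails with
    #   net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

    # Broad option: any local user may write to the stats process. Per the
    # thread, a writer can skew the statistics or exhaust the stats
    # process's memory, so this widens that exposure to all accounts.
    #mode = 0666

    # Narrow option: owner left at the default, write access granted to a
    # single group. "mailjobs" is an assumed name; create the group and add
    # only the cron job's account to it.
    group = mailjobs
    mode = 0660
  }
}

# Alternative from the thread when no permission change is wanted: skip the
# stats connection for a single invocation (those calls are then missing
# from the statistics):
#   doveadm -o stats_writer_socket_path= <command>
```

After `doveadm reload`, `stat -c '%U:%G %a' /var/run/dovecot/stats-writer` should report the chosen group and mode `660`, and `doveconf -n` should show the override.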

