Dovecot 2.3 - using doveadm as non-root?
Rob Hoelz
rob at hoelz.ro
Thu Jan 4 02:58:36 EET 2018
On Wed, 3 Jan 2018 13:37:07 -0500
Timo Sirainen <tss at iki.fi> wrote:
> On 3 Jan 2018, at 11.38, Rob Hoelz <rob+dovecot at hoelz.ro> wrote:
> >
> > Hi dovecot developers and users,
> >
> > I recently upgraded my server running Arch Linux to dovecot 2.3.0,
> > and I noticed some of my cron jobs started issuing me error
> > messages. These cron jobs run as a non-root user associated with
> > my mail account, and they use doveadm to tidy things up (ex.
> > purging the trash, moving old mail in certain folders into the
> > trash). The error message is:
> >
> >> Error: net_connect_unix(/var/run/dovecot/stats-writer) failed:
> >> Permission denied
> >
> > I assume this is doveadm trying to participate in the new 2.3 stats
> > process, and after reading the code a bit, I can't see way to tell
> > doveadm to not connect to the stats writer. The socket is owned by
> > root with 600 permissions.
> >
> > What would be the right way to remedy this? AFAICT, I could
> > potentially run doveadm as root (which I would prefer to avoid), or
> > I could change the permissions on the stats writer socket, but I
> > would hate to introduce any sort of security vulnerability by doing
> > so. I currently have a scrappy Perl script that just runs doveadm
> > and filters out the error message (it doesn't seem to affect the
> > behavior of doveadm other than the message), but that feels dirty
> > and I would prefer a cleaner solution. Any advice?
>
> I was wondering what to do about this while developing it. I think
> you can disable this by clearing out the socket path:
>
> doveadm -o stats_writer_socket_path=
>
> But .. I think the changing the socket permissions is the better
> solution. The new stats process should know about everything that is
> going on in the system, and these doveadm calls are part of that. So
> if they're excluded then the stats aren't exactly correct. The
> stats-writer can't do all that much harm other than messing up the
> statistics or probably crashing stats process by using up all of its
> memory.
>
Thanks for the advice, Timo - I went ahead and applied the permission change to my dovecot config. On a side note, thanks for dovecot in general - it's a great piece of software!
-Rob
More information about the dovecot
mailing list