imap userdb Fatal setuid errors

Steven Smith steve.t.smith at gmail.com
Tue May 28 07:40:25 EEST 2019


Thank you very much! I followed your advice, upgraded to the latest release, and see that this issue is fixed. The new dovecot server is running perfectly.

Steve

> On May 27, 2019, at 00:37, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> 
> 
>> On 24 May 2019 17:11 Steven Smith via dovecot <dovecot at dovecot.org> wrote:
>> 
>> 
>> I’m trying to configure dovecot lmtp in multi-user mode. My error logs are filled with messages saying that an imap process cannot do a setuid to another user:
>> 
>>> May 21 22:28:46 imap(pid 17441 user myuser): Fatal: setuid(512(myuser) from userdb lookup) failed with euid=501(adminuser): Operation not permitted (This binary should probably be called with process user set to 512(myuser) instead of 501(adminuser))
>> 
>> I see that others have had similar issues, but I am not able to apply any of the fixes or workarounds to solve this issue (e.g. setting libexec/dovecot/imap as setuid-root). I’ve also tried other fixes like setting the permissions to 0777 on the userdb auth for postfix smtpd.
>> 
>> According to the code (restrict-access.c, linked below), it appears that when a user authenticates, an imap worker process is launched that has the uid of the authenticator. When another user authenticates, this last process is used, but it does not have the permissions to perform a setuid to the new user, resulting in the Fatal error that appears in the logs.
>> 
>> Is this a bug, or a configuration issue? I’ve posted my doveconf below.
>> 
>> Any pointers would be greatly appreciated.
>> 
>> Steve
>> 
> 
> service imap {
>  client_limit = 16
>  process_limit = 200
>  process_min_avail = 6
>  service_count = 0
> } 
> 
> This causes the imap process to be reused, but it cannot change its personality anymore. Also we *do not* recommend this configuration at all. You are putting multiple connections inside a single-threaded binary which can become "stuck" for other users when a single user performs long-lasting operations.
> 
> Try this:
> 
> service imap {
>  process_limit = 200
>  process_min_avail = 6
> } 
> 
> Aki
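
The two settings removed in the reply above can be checked for mechanically in `doveconf -n` output. This is an added example, not part of the original thread or of Dovecot's own tooling; the function names and the sample text are constructed, and it assumes 1 is the imap default for both settings.

```python
# Constructed sample in `doveconf -n` style; the imap block is the one quoted in the thread.
SAMPLE_CONF = """\
service auth {
  unix_listener auth-userdb {
    mode = 0600
  }
}
service imap {
  client_limit = 16
  process_limit = 200
  process_min_avail = 6
  service_count = 0
}
"""

# Settings the reply removed; 1 is assumed to be the imap default for both.
SINGLE_USE = {"service_count": 1, "client_limit": 1}


def service_settings(conf_text):
    """Return {service_name: {key: value}} for settings directly inside each service block."""
    services, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split())  # e.g. ["service", "imap"]
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line and len(stack) == 1 and stack[0][0] == "service" and len(stack[0]) == 2:
            key, value = (part.strip() for part in line.split("=", 1))
            services.setdefault(stack[0][1], {})[key] = value
    return services


def reuse_findings(conf_text, service="imap"):
    """List settings that let one process of `service` handle more than one connection."""
    settings = service_settings(conf_text).get(service, {})
    findings = []
    for key, single in SINGLE_USE.items():
        value = settings.get(key)
        if value is not None and value.isdigit() and int(value) != single:
            findings.append(f"service {service}: {key} = {value} (one process serves several connections)")
    return findings


if __name__ == "__main__":
    print("\n".join(reuse_findings(SAMPLE_CONF)))
```

A finding matters when the userdb returns a different system uid per user, as in the log line quoted in the thread, because the reused process has already dropped to the first user's uid.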

