doveadm/doveconf as user tries and fails to read host key
Arjen de Korte
build+dovecot at de-korte.org
Mon Aug 24 07:59:57 EEST 2020
Quoting jimc <jimc at jfcarter.net>:
> Distro: OpenSuSE Tumbleweed for x86_64
> Failing version: dovecot23-18.104.22.168-1.1.x86_64 Install Date: 2020-08-18
> Reverting to previous version works: dovecot23-22.214.171.124-2.3.x86_64
> (Packages downgraded coordinately: dovecot23 dovecot23-backend-sqlite)
> How to make it fail: As the user, execute
> doveadm expunge mailbox Spam37 savedbefore 3day #User's actual cmd
> doveadm who #The simplest possible command, for testing
> It says:
> doveconf: Fatal: Error in configuration file
> /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert:
> Can't open file /etc/ssl/hostcerts/hostw.cia: Permission denied
This was mentioned before on this list. See
https://dovecot.org/pipermail/dovecot/2020-August/119650.html how to
> The actual EPERM occurs trying to traverse a directory in /etc/letsencrypt,
> but the next configuration item to be read (in the SSL section) is the
> host's private key, and the user is surely not ever going to get
> permission to read that. (I did test giving the user permission to the
> 750 directory and it did attempt to read the private key, failing.)
> If you run it as root, of course it works because root has read permission.
> The initial failure was seen running as the user from cron.
> Behavior seen in strace: doveadm execs doveconf; doveconf reads the
> configuration and saves it somewhere (shared memory?); doveconf execs
> the next program which in this case is doveadm with its original command
> line; and doveadm now knows its configuration. I can re-do and post
> the strace if needed.
> I don't know why doveconf is reading the SSL keys in 126.96.36.199 when it
> didn't in 188.8.131.52, but if the idea is to read the complete
> configuration in case it might be needed in obscure situations, a
> possible workaround is to not die on unreadable secrets and to report
> those either as unset or as a new "error" symbol, letting the consumer
> (doveadm) deal with the fallout, or in this case ignore it.
> Attached: sysreport.gz ; doveconf-n.out
> Dovecot's working files and user mailboxes are on ext4 filesystems; NFS
> is not involved.
> The mail reader is Roundcube webmail.
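The failure described in this thread is doveconf trying to open every file-backed setting (the `<path` form used by ssl_cert and ssl_key) as the calling user. As an added example, not code from the thread or from Dovecot, here is a small POSIX shell check an administrator can run as the unprivileged user before scheduling doveadm from cron: it extracts the `setting = <path` lines from a config fragment and reports which of those files that user cannot read. The config fragment, the directory and the file names are constructed placeholders; the script does not reproduce doveconf's full parser, only the one syntax that matters here.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): report file-backed
# settings in a Dovecot-style config that the current user cannot read.
# Everything under $demo_dir is constructed for the demonstration.

# Print "setting path" for every "setting = <path" line, ignoring comments.
file_backed_settings() {
    grep -v '^[[:space:]]*#' "$1" \
    | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*<\([^[:space:]]*\).*$/\1 \2/p'
}

# Print only the settings whose file the current user cannot read
# (missing file or no read permission; root passes the permission test).
unreadable_file_settings() {
    file_backed_settings "$1" | while read -r key path; do
        [ -r "$path" ] || printf '%s %s\n' "$key" "$path"
    done
}

# Number of unreadable file-backed settings; 0 means doveconf's file reads
# would not be refused for this user on plain permission grounds.
count_unreadable() {
    unreadable_file_settings "$1" | wc -l | tr -d ' '
}

# --- constructed demonstration files --------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf 'cert-data\n' > "$demo_dir/hostcert.pem"   # world-readable certificate
printf 'key-data\n'  > "$demo_dir/hostkey.pem"    # private key, mode 0000
chmod 0644 "$demo_dir/hostcert.pem"
chmod 0000 "$demo_dir/hostkey.pem"
# $demo_dir/dh.pem is deliberately never created (referenced but missing).

cat > "$demo_dir/10-ssl.conf" <<EOF
# constructed fragment in the style of conf.d/10-ssl.conf (placeholder paths)
ssl = required
ssl_cert = <$demo_dir/hostcert.pem
ssl_key = <$demo_dir/hostkey.pem
ssl_dh = <$demo_dir/dh.pem
EOF

echo "file-backed settings in 10-ssl.conf that $(id -un) cannot read:"
unreadable_file_settings "$demo_dir/10-ssl.conf"
echo "unreadable count: $(count_unreadable "$demo_dir/10-ssl.conf")"
```

Run as the cron user, a non-zero count points straight at the setting that will make doveconf abort; run as root the 0000 key is reported as readable, which matches the thread's observation that the same command succeeds for root.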