dovecot cannot drop privileges inside singularity container

cesco cesco at esiliati.org
Wed Jan 15 15:26:55 EET 2020


Hi,

thank you for your response.

It seems that singularity does not limit capabilities in containers running
as root: the capabilities are the same inside and outside of the container.

The only difference is that inside the container the securebit
SECURE_NO_SETUID_FIXUP is set and locked.
If this is the reason, perhaps I should find a way to change this
securebit setting in singularity.

thanks
nzasch

On 02/01/20 13:11, Marc Roos wrote:
> 
> Have you tried setting linux capabilities, like 
> NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the 
> permissions of paths? I had to relocate the run dir with things like 
> these
> 
>     && mkdir /var/dovecot \
>     && mkdir /var/lib/dovecot \
>     && (umask 027 ; mkdir /var/dovecot/login) \
>     && (umask 022 ; mkdir /var/dovecot/empty) \
>     && (umask 027 ; mkdir /var/dovecot/token-login)
> 
> -----Original Message-----
> From: cesco [mailto:cesco at esiliati.org] 
> Sent: 30 December 2019 18:32
> To: dovecot at dovecot.org
> Subject: dovecot cannot drop privileges inside singularity container
> 
> Hi all
> 
> I'm facing an issue while running dovecot inside a singularity
> (https://sylabs.io/singularity/) container
> 
> dovecot version is 2.3.4.1 (configuration below) running on debian 
> buster, inside a container made with singularity version 3.4.2
> 
> unfortunately, when I try to start dovecot, it gives:
> Singularity test.sif:~> cat /var/log/mail.log
> Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled)
> Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root privileges
> Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs
> 
> the same happens on singularity containers based on debian bullseye or 
> alpine linux 3.9.2
> 
> many thanks!
> nzasch
> 
> Singularity test.sif:~> doveconf -n
> # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.4 ()
> # OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2
> # Hostname: testnode.example.net
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mail_privileged_group = mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = " imap lmtp sieve pop3 submission"
> ssl_cert = </etc/dovecot/private/dovecot.pem
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> 
> 
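The reply above compares capabilities and the SECURE_NO_SETUID_FIXUP securebit inside and outside the container. The following self-check, added here as an example and not code from Dovecot, Singularity or anyone in this thread, reads the effective and bounding capability masks from /proc/self/status and the securebits word from prctl(PR_GET_SECUREBITS), reports whether NO_SETUID_FIXUP is set and whether its lock bit is set, and models the kernel rule that a locked flag cannot be changed and a lock bit can never be cleared. When NO_SETUID_FIXUP is set, the kernel does not adjust a process's capability sets on uid transitions such as setuid(), which is what makes a classic root-to-unprivileged drop behave differently. The securebit constants are written out to match <linux/securebits.h>; the program is Linux-only and assumes it is run once inside and once outside the container so the two outputs can be compared.

```c
/* Capability and securebits self-check for a process inside a container.
 * Added example for this thread; not Dovecot or Singularity code.
 * Build: gcc -Wall -o secbits secbits.c   (Linux only: prctl and /proc) */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Securebit layout as in <linux/securebits.h>: flag n lives at bit 2n,
 * its lock at bit 2n+1. Written out here so the example builds without
 * the kernel UAPI header. */
#define SECBIT_NOROOT                      (1u << 0)
#define SECBIT_NOROOT_LOCKED               (1u << 1)
#define SECBIT_NO_SETUID_FIXUP             (1u << 2)
#define SECBIT_NO_SETUID_FIXUP_LOCKED      (1u << 3)
#define SECBIT_KEEP_CAPS                   (1u << 4)
#define SECBIT_KEEP_CAPS_LOCKED            (1u << 5)
#define SECBIT_NO_CAP_AMBIENT_RAISE        (1u << 6)
#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED (1u << 7)

/* Extract the hex mask that follows "<key>:" at the start of a line in
 * /proc/<pid>/status text. Returns 0 on success, -1 if the key is absent. */
int parse_status_mask(const char *status, const char *key, uint64_t *out)
{
    const char *p = status;
    size_t klen = strlen(key);
    while ((p = strstr(p, key)) != NULL) {
        if ((p == status || p[-1] == '\n') && p[klen] == ':') {
            *out = strtoull(p + klen + 1, NULL, 16); /* skips the tab */
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* State of NO_SETUID_FIXUP in a securebits word:
 * bit0 = flag set, bit1 = flag locked. */
int setuid_fixup_state(unsigned bits)
{
    int s = 0;
    if (bits & SECBIT_NO_SETUID_FIXUP) s |= 1;
    if (bits & SECBIT_NO_SETUID_FIXUP_LOCKED) s |= 2;
    return s;
}

/* Would the kernel let securebits change from cur to want?  A flag whose
 * lock bit is set cannot be flipped, and a lock bit can never be cleared.
 * (The caller additionally needs CAP_SETPCAP; not modelled here.) */
int securebits_change_allowed(unsigned cur, unsigned want)
{
    for (unsigned n = 0; n < 4; n++) {
        unsigned flag = 1u << (2 * n), lock = 1u << (2 * n + 1);
        if ((cur & lock) && !(want & lock)) return 0;        /* unlocking */
        if (((cur ^ want) & flag) && (cur & lock)) return 0; /* locked flag */
    }
    return 1;
}

int main(void)
{
    int bits = prctl(PR_GET_SECUREBITS);
    if (bits < 0) { perror("prctl(PR_GET_SECUREBITS)"); return 1; }

    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);

    uint64_t eff = 0, bnd = 0;
    parse_status_mask(buf, "CapEff", &eff);
    parse_status_mask(buf, "CapBnd", &bnd);
    printf("CapEff=%016llx CapBnd=%016llx securebits=0x%x\n",
           (unsigned long long)eff, (unsigned long long)bnd, (unsigned)bits);

    int st = setuid_fixup_state((unsigned)bits);
    printf("SECURE_NO_SETUID_FIXUP: %s%s\n", (st & 1) ? "set" : "clear",
           (st & 2) ? " (locked)" : "");
    printf("clearing it from this process would be %s\n",
           securebits_change_allowed((unsigned)bits,
                                     (unsigned)bits & ~SECBIT_NO_SETUID_FIXUP)
               ? "allowed" : "refused by the lock");
    return 0;
}
```

Run it as root on the host and again as root inside the container: identical CapEff/CapBnd lines with a differing securebits word reproduce the observation above, and the last line tells you whether a process in the container could clear the flag itself or whether the change has to happen before the container runtime locks it.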
