Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted

Aki Tuomi aki.tuomi at open-xchange.com
Fri Feb 5 07:50:28 EET 2021


Uh, no. RESTRICT_ACCESS_FLAG_ALLOW_ROOT *allows* running as root, it does not *force* running as root.

The problem here is that dovecot thinks it's able to do chroot when gid = 0 and thus attempts to chroot.

To avoid this, you could do

service aggregator {
  chroot = 
}

so the aggregator process won't try to chroot itself.

Aki

> On 05/02/2021 00:05 js at faudin.de wrote:
> 
>  
> Found the reason. As always, permission issues are permission issues.
> In this case, I had dovecot run in a docker container as uid:vmail, gid:root in order to prepare that for an OpenShift port (which seems to require gid 0).
> But, RESTRICT_ACCESS_FLAG_ALLOW_ROOT seems to force the aggregator to run as root when gid=0. But, getting root is not possible in this docker installation.
> After running dovecot as vmail:vmail (1001:1001), the replication started.
> 
> It will be interesting to see the Kubernetes/OpenShift implications.
> Best wishes!
> 
> 3 February 2021 13:45, "Jörg Faudin Schulz" <js at faudin.de> wrote:
> 
> > I'm trying to set up dsync replication.
> > 
> > This seems to work partially - a complete replica does work (delete the
> > mailboxes on target, and they'll get filled again).
> > 
> > But, changes don't seem to get populated on the replica server; I get
> > the message
> > 
> > Feb 03 13:27:19 aggregator: Fatal: chroot(/var/lib/dovecot/run/dovecot/.) failed: Operation not permitted
> > 
> > dovecot conf:
> > 
> > # Pigeonhole version 0.5.13 (cdd19fe)
> > # OS: Linux 4.4.0-193-generic x86_64
> > # Hostname: imap.faudin.de
> > auth_mechanisms = plain login
> > default_internal_group = root
> > default_internal_user = vmail
> > default_login_user = vmail
> > doveadm_password = # hidden, use -P to show it
> > doveadm_port = 2443
> > first_valid_gid = 0
> > imapc_features = rfc822.size fetch-headers
> > imapc_port = 1143
> > imapc_ssl = starttls
> > imapc_ssl_verify = no
> > imapc_user = %u
> > lda_mailbox_autocreate = yes
> > lda_mailbox_autosubscribe = yes
> > log_path = /dev/stderr
> > mail_plugins = " notify replication"
> > mail_prefetch_count = 20
> > mail_privileged_group = root
> > managesieve_notify_capability = mailto
> > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> > namespace inbox {
> >   inbox = yes
> >   location = 
> >   mailbox Drafts {
> >     auto = create
> >     special_use = \Drafts
> >   }
> >   mailbox Junk {
> >     auto = create
> >     special_use = \Junk
> >   }
> >   mailbox Sent {
> >     auto = create
> >     special_use = \Sent
> >   }
> >   mailbox "Sent Messages" {
> >     auto = create
> >     special_use = \Sent
> >   }
> >   mailbox Trash {
> >     auto = create
> >     special_use = \Trash
> >   }
> >   prefix = 
> > }
> > passdb {
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > plugin {
> >   mail_replica = tcp:m.datilo.de:2443
> >   postmaster = isomne valid address
> >   replication_sync_timeout = 2
> >   sieve = file:/var/vmail/sieve/scripts/%u/sieve;active=/var/vmail/sieve/scripts/%u/.dovecot.sieve
> >   sieve_after = /etc/dovecot/sieve/sieve-after
> >   sieve_before = /etc/dovecot/sieve/sieve-before
> >   sieve_default = /etc/dovecot/sieve/default.sieve
> >   sieve_dir = /var/vmail/sieve/scripts/%u
> >   sieve_global_dir = /var/vmail/sieve
> > }
> > protocols = imap lmtp sieve
> > service aggregator {
> >   unix_listener replication-notify {
> >     group = root
> >     mode = 0666
> >     user = vmail
> >   }
> > }
> > service anvil {
> >   chroot = 
> > }
> > service auth {
> >   chroot = 
> >   unix_listener auth-client {
> >     mode = 0660
> >     user = vmail
> >   }
> > }
> > service config {
> >   unix_listener config {
> >     group = root
> >     user = vmail
> >   }
> > }
> > service doveadm {
> >   group = root
> >   inet_listener {
> >     port = 2443
> >   }
> >   user = vmail
> > }
> > service imap-login {
> >   chroot = 
> >   inet_listener imap {
> >     port = 1143
> >   }
> >   inet_listener imaps {
> >     port = 1993
> >     ssl = yes
> >   }
> > }
> > service lmtp {
> >   chroot = 
> >   inet_listener lmtp {
> >     port = 2525
> >   }
> > }
> > service managesieve-login {
> >   chroot = 
> >   inet_listener sieve {
> >     port = 4190
> >   }
> > }
> > service replicator {
> >   process_min_avail = 1
> >   unix_listener replicator-doveadm {
> >     group = root
> >     mode = 0600
> >     user = vmail
> >   }
> > }
> > ssl = required
> > ssl_cert = </run/secrets/letsencrypt-fullchain
> > ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH:!SSLv2:TLS1.0
> > ssl_client_ca_file = /var/run/secrets/letsencrypt-fullchain
> > ssl_dh = # hidden, use -P to show it
> > ssl_key = # hidden, use -P to show it
> > ssl_min_protocol = TLSv1.2
> > ssl_prefer_server_ciphers = yes
> > submission_host = exim-int-mailout:1587
> > userdb {
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > protocol lmtp {
> >   mail_plugins = " notify replication sieve"
> > }
> > protocol lda {
> >   mail_plugins = " notify replication sieve"
> > }
