[Dovecot] sievec - manual compile of global sieve scripts?

Thomas Harold thomas-lists at nybeta.com
Tue Aug 2 15:32:49 EEST 2011


On 8/1/2011 8:43 PM, Stephan Bosch wrote:
> On 8/1/2011 10:11 PM, Thomas Harold wrote:
>> How do you compile global scripts using the sievec command without
>> making the script directory owned (and group writable) by the vmail user?
>>
>> http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
>>
>> # cd /etc/dovecot/sieve/before/
>> # (edit some script like spam.sieve that runs for everyone)
>> # /usr/local/bin/sievec spam.sieve spam.svbin
>>
>> sievec(root): Error: sieve: binary save: failed to create temporary
>> file: open(spam.svbin.hostname.26921.) in directory
>> /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail)
>> egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is
>> not dir owner)
>
> Why are you executing sievec as vmail in the first place? You should be
> able to run it as root or any other user you use to manage global sieve
> scripts.
>

Sorry, I may not have been clear before: I am trying to run sievec as 
root.  So the error is confusing to me because it looks like sievec is 
trying to drop privs and do the compile as the vmail user.  I haven't 
done anything special to the sievec file (like making it run as vmail or 
always run as root; SELinux is in permissive mode until I gather up 
enough entries in the audit log to make an audit2allow run useful).

# ls -la /usr/local/bin
-rwxr-xr-x  1 root root 123989 Aug  1 12:25 sievec
-rwxr-xr-x  1 root root 119415 Aug  1 12:25 sieve-dump
-rwxr-xr-x  1 root root 133592 Aug  1 12:25 sieve-test

As a workaround, I may temporarily alter my Makefile to set the 
directory writable by the vmail group, compile the scripts, then set the 
directory read-only again.  The files end up owned as vmail:vmail when I 
do that, even though I execute the "sievec" command as root.

# /usr/local/bin/sievec sortspam.sieve sortspam.svbin
-rw-rw-r-- 1 root  root   477 Aug  1 15:33 sortspam.sieve
-rw-rw-r-- 1 vmail vmail  321 Aug  2 08:26 sortspam.svbin

...

My current Makefile.

# cat Makefile
# http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#scriptcompile
SIEVEC=/usr/local/bin/sievec

SRCS=$(wildcard *.sieve)
OBJS=$(SRCS:.sieve=.svbin)

all: $(OBJS)

%.svbin : %.sieve
	$(SIEVEC) $? $@



