Re: [Dovecot] Can't drop root group privileges
An update on my problem dropping root group privileges. I discovered this is a problem for a user if they are in the system group (gid 0). If I remove the user from the system group, and leave them in their primary group, I don't see the error.
I've tried setting first_valid_gid to something like 4, hoping dovecot would filter out gid 0, but that doesn't work.
Still searching for an answer...
Jackie
Jackie Hunt
ACNS Voice: (970) 663-3789
Colorado State University FAX: (970) 491-1958
Fort Collins, CO 80523 Email: jackie.hunt@colostate.edu
Found what was causing the problem!
In the file src/lib/restrict-access.c, in the restrict_access_by_env routine, the code is in place to change to the login user's group and uid. After this, a check is done to verify that gid and egid are not 0 and [this is the gotcha] that gid cannot be set to 0.
    if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
        if (gid == 0)
            i_fatal("GID 0 isn't permitted");
        i_fatal("We couldn't drop root group privileges "
                "(wanted=%s, gid=%s, egid=%s)", dec2str(gid),
                dec2str(getgid()), dec2str(getegid()));
    }
In our environment, some users are part of group 0 (system group), in addition to their primary group, so this operation is successful, and thus we see the error about not being able to drop root group privileges.
My solution is to change the first if statement to:
if (getgid() == 0 || getegid() == 0) {
since the setgid test is too restrictive for our environment.
Comments/suggestions/analysis welcome. Glad to know what is finally happening!
Jackie
Jackie Hunt
ACNS Voice: (970) 663-3789
Colorado State University FAX: (970) 491-1958
Fort Collins, CO 80523 Email: jackie.hunt@colostate.edu
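An added example (not Dovecot's code, and not the fix that was later committed) of the post-drop check discussed in the message above, written so the decision is a pure function over collected credential values and can be exercised with constructed inputs without changing the calling process's own groups. The scan of the supplementary group list for gid 0 is an addition beyond the check quoted in the post; the 256-entry buffer is an assumed bound for this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the post-drop sanity check. */
enum drop_check {
    DROP_OK = 0,
    DROP_GID_ZERO,         /* real or effective gid is still 0 */
    DROP_SUPP_GID_ZERO,    /* gid 0 still in the supplementary group list */
    DROP_SETGID0_WORKED,   /* setgid(0) succeeded: root group can be regained */
    DROP_GETGROUPS_FAILED  /* could not read the group list; treat as failure */
};

/* Pure decision over already-collected values, so it can be exercised with
 * constructed inputs without changing the calling process's own groups. */
enum drop_check check_group_drop(gid_t gid, gid_t egid, const gid_t *supp,
                                 int nsupp, int setgid0_succeeded)
{
    if (gid == 0 || egid == 0)
        return DROP_GID_ZERO;
    for (int i = 0; i < nsupp; i++)
        if (supp[i] == 0)
            return DROP_SUPP_GID_ZERO;
    if (setgid0_succeeded)
        return DROP_SETGID0_WORKED;
    return DROP_OK;
}

/* Live version, meant to run right after setgroups()/setgid()/setuid():
 * reads the process's gids and probes whether setgid(0) still works. */
enum drop_check check_group_drop_live(void)
{
    gid_t supp[256];  /* assumed bound for this example, not a system limit */
    int n = getgroups(256, supp);
    if (n < 0)
        return DROP_GETGROUPS_FAILED;
    return check_group_drop(getgid(), getegid(), supp, n, setgid(0) == 0);
}

int main(void)
{
    static const char *names[] = { "ok", "gid/egid is 0",
        "gid 0 in supplementary groups", "setgid(0) succeeded",
        "getgroups() failed" };
    printf("group drop check: %s\n", names[check_group_drop_live()]);
    return 0;
}
```

Run as root the live check reports that setgid(0) succeeded, which is the expected result before privileges are dropped; run as a user who is in group 0 only as a supplementary group it reports the supplementary-group case the message above describes.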
On Fri, 2006-12-01 at 11:35 -0700, Jackie Hunt wrote:
Usually the problem has been that the user's primary group is group 0. There were 2 bugs in this anyway, fixed both:
http://dovecot.org/list/dovecot-cvs/2006-December/006999.html
participants (2)
- Jackie Hunt
- Timo Sirainen