[Dovecot] auth-master: Permission denied [sigh]

Timo Sirainen tss at iki.fi
Tue Apr 14 21:41:49 EEST 2009


On Tue, 2009-04-14 at 10:22 -0700, James Butler wrote:
> > On Mon, 2009-04-13 at 15:48 -0700, James Butler wrote:
> >> 1) User 'spam:dovecot' runs Spamassassin
> >> 2) Hands off to deliver (root:dovecot)
> >
> > Have you set up some kind of setuid-root deliver, or why is it running
> > as root:dovecot here instead of spam:dovecot?
> 
> I have no idea how it is running, except for these clues:
> 
> 1) Deliver is owned by root:dovecot

It makes no difference what the file's owner is.

> 2) When Spamassassin executes and then its output gets piped to Deliver
> WITHOUT a '-d ${user}' parameter, mail gets delivered to 'spam'
> 
> So it seems like Spamassassin IS running as user 'spam:dovecot'.

Not necessarily.

> Then it hands off to Deliver which starts out as being owned by
> root:dovecot. The runtime parameters instruct Deliver to switch from its
> default ownership to 'user1:dovecot', AFAICT.

deliver can't change any ownership to anything unless it runs as root,
which can't happen unless spamassassin somehow executes deliver as root,
which I doubt.

I'm pretty sure the problem is that spamassassin isn't running as
spam:dovecot.

> >> 3) Deliver assumes 'user1:dovecot' identity
> >> 4) Can't access auth-master in 'root:dovecot' directory (777)
> >
> > 4) happens before 3).
> 
> But my error (4) is labeled with:
> 
> deliver(user1):
> 
> Does that not indicate that Deliver has switched from its default
> ownership to run as 'user1', 

No. The "user1" just means that it's going to deliver the mail to that
user. It doesn't tell anything about what permissions the process is
actually running with.

> > My guess is that deliver isn't really started with dovecot group
> > permission.
> 
> My settings in Postfix's master.cf instruct:
> 
> /usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}
> 
> If: ${user} = user1:dovecot
> 
> Then isn't deliver being executed as user1:dovecot?

No. You didn't show the full master.cf line. Typically deliver is
executed via pipe, such as:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

The important part there is the user=vmail:vmail part. It's executed as
that user.

> And would I really need to put ALL of my users into the same (dovecot)
> group just to be able to get mail to them? That would make little sense to
> me, as the whole point of using groups would be eliminated.

If you're using multiple UIDs, you typically have to run deliver as
setuid-root: http://wiki.dovecot.org/LDA#multipleuids

> The only thing I know for sure is that when I use the '-d ${user}'
> parameter in master.cf, the ${user} has no permission to access/execute
> auth-master, regardless of '/var/run/dovecot' directory permissions.
> 
> If I omit that parameter, and let Deliver keep running as user 'spam',
> mail gets delivered (to 'spam').

Without the -d parameter, deliver doesn't do an auth lookup at all; it just
tries to figure out where to save the mail using the environment.

> Here's my Deliver ownership/perms, again:
> 
> -rwxr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver
> 
> Shouldn't there be an 's' in there, somewhere?

If there's an 's' in there, then deliver is running setuid-root. It
sounds like that's what you want.
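The points made in the reply above (the pipe transport's identity comes from the user= attribute, not from -d; without -d there is no auth lookup; an 's' in the owner-execute slot of a root-owned deliver means it runs as root) can be checked mechanically. The following is an added example, not code from the post, from Dovecot or from Postfix. The master.cf fragment and the two `ls -l` lines are constructed for the example; the `spamfilter` service and the `spamc -e` invocation are illustrative assumptions, and `check_transport` is a hypothetical helper that only models the access rule the thread describes.

```python
import re

# Constructed master.cf fragment for the example (not the poster's real config).
# Postfix treats an indented line as a continuation of the entry above it.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
spamfilter unix -       n       n       -       -       pipe
  flags=Rq user=spam:dovecot argv=/usr/bin/spamc -e /usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
"""

# Constructed `ls -l` lines: the first is the non-setuid mode shown in the
# thread, the second is what a setuid-root deliver looks like.
DELIVER_LS_NOSUID = "-rwxr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver"
DELIVER_LS_SUID = "-rwsr-xr-x 1 root dovecot 4044835 2009-04-03 13:52 deliver"


def parse_master_cf(text):
    """Map service name -> full command string, with continuation lines joined."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation of the previous entry
            if current is not None:
                entries[current] += " " + raw.strip()
            continue
        fields = raw.split(None, 7)               # 7 fixed columns, then command + args
        current = fields[0]
        entries[current] = fields[7] if len(fields) > 7 else ""
    return entries


def pipe_identity(command):
    """For a pipe(8) transport return (user, group, argv), else None.

    The process identity comes from the user= attribute.  argv= consumes the
    rest of the line, so it is split off before the other attributes are read.
    """
    if not command.startswith("pipe"):
        return None
    attrs = command[len("pipe"):].strip()
    m = re.search(r"\bargv=(.*)$", attrs)
    argv = m.group(1).split() if m else []
    user = group = None
    for tok in (attrs[:m.start()] if m else attrs).split():
        if tok.startswith("user="):
            user, _, group = tok[len("user="):].partition(":")
            group = group or None                 # pipe(8): omitted group = user's primary group
    return user, group, argv


def deliver_is_setuid_root(ls_line):
    """True if the `ls -l` line shows a binary that runs as root: an 's' in the
    owner-execute slot ("-rws......") and owner root."""
    mode, _links, owner = ls_line.split()[:3]
    return mode[3] == "s" and owner == "root"


def check_transport(command, ls_line, socket_group="dovecot"):
    """Hypothetical lint: can deliver, started by this pipe entry, open the
    auth-master socket (root:dovecot in the thread)?  Returns (ok, reason)."""
    ident = pipe_identity(command)
    if ident is None:
        return False, "not a pipe transport"
    user, group, argv = ident
    if "-d" not in argv:
        # No -d: deliver does no auth lookup and picks the destination from its environment.
        return True, f"no -d, so no auth lookup; destination comes from the environment of user {user}"
    if deliver_is_setuid_root(ls_line):
        return True, "deliver is setuid-root: the lookup runs as root, then it switches to the -d user"
    if group == socket_group:
        return True, f"runs as {user}:{group}; group matches the socket group"
    return False, f"runs as {user}:{group}; not in group {socket_group} and deliver is not setuid-root"


if __name__ == "__main__":
    for name, cmd in parse_master_cf(SAMPLE_MASTER_CF).items():
        for ls in (DELIVER_LS_NOSUID, DELIVER_LS_SUID):
            print(name, ls.split()[0], check_transport(cmd, ls))
```

Run against the constructed fragment, the `dovecot` entry (user=vmail:vmail) fails the check with the non-setuid mode and passes with the setuid one, while the `spamfilter` entry passes either way because its group is dovecot; the `-d ${recipient}` argument never changes which identity the process starts with.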