uid problem

Aki Tuomi aki.tuomi at dovecot.fi
Tue Jul 31 13:46:18 EEST 2018


Well, I don't know about yuuuge security risk (not saying there isn't
any...), but if this concerns you, you can also use LMTP instead, which
is probably a better solution here.

Aki


On 31.07.2018 13:42, Andras Kemeny wrote:
>
> yeah, the only problem about that is it's a yuuuge security risk :),
> and also, postfix simply won't let me:
>
> Jul 31 02:20:37 rhyno postfix/pipe[29532]: fatal: user= command-line attribute specifies root privileges
>
> so it's entirely possible i'm knocking on the wrong door, and instead
> i should be asking this in the postfix mailing list.
>
> however, i'm also worried about this: "to bypass this check, set:
> service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777
> } }", as i have done what it says, and the check wasn't bypassed so
> i'm wary about something bad coming up once i somehow fix this initial
> UID problem.
>
> thanks,
> a
>
>
> On 2018-07-31 7:12, Aki Tuomi wrote:
>> You could run dovecot-lda as root. It will setuid to correct account.
>>
>>
>>
>> ---
>> Aki Tuomi
>> Dovecot oy
>>
>> -------- Original message --------
>> From: Andras Kemeny <pdx at pdx.hu>
>> Date: 31/07/2018 04:46 (GMT+02:00)
>> To: dovecot at dovecot.org
>> Subject: uid problem
>>
>> hi,
>>
>> contacting this mailing list is my last-ditch effort to somehow come to
>> a working configuration where postfix "ends in" dovecot, i.e. for special
>> LDAP-based users, featured in the virtual mailbox delivery, dovecot
>> would act as LDA.
>>
>> here's the deal.
>>
>> i've set up dovecot's access to the LDAP server, and for the purposes of
>> being an IMAP server and a SASL auth backend, dovecot works brilliantly
>> and without a glitch. i can access my test mailbox (in maildir format),
>> i can use the LDA as root and it delivers the message correctly (after a
>> switch to the target user's UID), and even postfix's submission works
>> with dovecot as its SASL backend.
>>
>> what does not work is dovecot as LDA from postfix.
>>
>> i'm getting these errors in the log:
>>
>> Jul 31 03:40:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
>> Jul 31 03:40:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
>> Jul 31 03:40:40 rhyno dovecot: lda: Fatal: Internal error occurred. Refer to server log for more information.
>>
>> for the sake of clarity, i've tried the "to bypass this check"
>> instructions, didn't help.
>>
>> also, for the sake of operational clarity, "aik" is the LDAP account
>> with the following parameters:
>>
>> dn: uid=aik,ou=People,dc=rhyno,dc=tech
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: postfixUser
>> cn: aik
>> uid: aik
>> uidNumber: 10001
>> gidNumber: 10001
>> homeDirectory: /home/aik
>> loginShell: /bin/sh
>> gecos: aik
>> description: User account
>> structuralObjectClass: account
>> entryUUID: db947584-0369-1038-98b3-675e2f0cea17
>> creatorsName: cn=admin,dc=rhyno,dc=tech
>> createTimestamp: 20180613152616Z
>> email: ***********
>> userPassword:: *************************
>> mailacceptinggeneralid: andras.kemeny
>> mailacceptinggeneralid: kemeny.andras
>> mailacceptinggeneralid: aik
>> mailacceptinggeneralid: pdx
>> mailacceptinggeneralid: @rhyno.tech
>> mailacceptinggeneralid: @rhynotechnologies.com
>> maildrop: aik
>>
>> and postfix's master.cf says:
>>
>> dovecot   unix  -       n       n       -       -       pipe
>>   flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
>>
>> so i'm stuck at this point. obviously, if the LDA is spawned with
>> vmail:vmail perms, it cannot become uid 10001 (btw, the LDAP and passwd
>> accounts were once connected, but for security reasons, the connection
>> has been severed -- still the /home/aik/mail dir is owned by uid
>> 10001 etc).
>>
>> what am i doing wrong?
>>
>> thanks,
>> a
>
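The LMTP route Aki suggests, written out as an added example; this is not configuration from the thread, nor Dovecot's or Postfix's own shipped files. The socket path, the file names and the `user_attrs` mapping are assumptions chosen to match the `posixAccount` attributes in the quoted LDAP entry; only the attribute names and the `auth-userdb` bypass line come from the thread.

```conf
# --- /etc/dovecot/conf.d/20-lmtp.conf (assumed file name; Dovecot side) ---
# Enable the LMTP protocol alongside whatever is already configured.
protocols = $protocols lmtp

service lmtp {
  # Socket placed inside Postfix's queue directory so Postfix's lmtp(8)
  # client can reach it from its chroot. 0600 postfix:postfix means only
  # Postfix itself can open the socket; no other local uid can submit mail
  # through it.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# The lmtp process is started by Dovecot's master (not by a Postfix pipe(8)
# transport), so it can switch to the uid/gid the userdb returns for each
# recipient (10001 for "aik" in the thread). No user= in master.cf and no
# root-owned pipe transport are needed.

# --- /etc/dovecot/dovecot-ldap.conf.ext (excerpt; assumed) ---
# Map the posixAccount attributes from the quoted entry to Dovecot's
# userdb fields so delivery runs as the mailbox owner.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))

# --- /etc/dovecot/conf.d/10-master.conf (excerpt; assumed) ---
service auth {
  unix_listener auth-userdb {
    # Keep the peer-uid check from the thread's log line in place.
    # The bypass it mentions would let any local uid look up any user's
    # home/uid/gid through this socket, so it is left commented out:
    #mode = 0777
  }
}

# --- /etc/postfix/main.cf (Postfix side; assumed) ---
# Hand virtual-mailbox recipients to Dovecot over the LMTP socket above.
# The "dovecot ... pipe" entry in master.cf is then no longer used.
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

With this in place `postfix` talks to Dovecot over a single socket it owns, and the uid change happens inside Dovecot, which is the part the pipe(8) transport could not do while running as vmail.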
