Re: Permissions for dovecot logging

2022-12-30 Thread justina colmena ~biz
On Thursday, December 29, 2022 10:17:08 PM AKST Aki Tuomi wrote:
> > On 30/12/2022 05:25 EET James Moe  wrote:
> >   Permission is still denied.
> >   Where do I find information about "status=80/n/a"?
> > 
> >   I did not include all two of the syslog entries in the previous message:
> > 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> > /data01/var/log/dovecot.log: Permission denied
> > 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main
> > process exited, code=exited, status=80/n/a
> 
> Maybe you have SELinux or AppArmor involved? On RHEL-based systems, SELinux
> logs into /var/log/audit/audit.log; dmesg -T is another good thing to
> check.
> 
Status=80 I assume is the exit code dovecot threw when it couldn't open the 
log file. Whatever "int main()" is programmed to return.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
>  Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
That error message is typical of a simple unix permission issue, nothing to do 
with selinux etc.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
>   Permissions:
> drwxrwxr-x 1 root   users 104 Feb 25  2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecotusers  22 Dec 27 15:47 /data01/var/log/dovecot/
> 
>   "dovecot" is a member of "users".
> 
>   What "permission" am I missing?

If the process isn't running with an effective group id of "users", then it 
cannot access that directory simply by virtue of being a member of that group. 
The main program has to call setegid() with the proper group id before 
attempting to access those files.

On Tuesday, December 27, 2022 10:27:31 PM AKST Aki Tuomi wrote:
> If you want to run log as `dovecot`, you can do so with
> 
> service log {
>   user = dovecot
> }

Maybe try something like this:

service log {
  user = dovecot
  group = users
}

Otherwise you might not have the process running with the right effective group 
id to access the log file location by unix group permissions.
-- 
https://justina.abeja.colmena.biz/




Re: Permissions for dovecot logging

2022-12-29 Thread Aki Tuomi


> On 30/12/2022 05:25 EET James Moe  wrote:
> 
>  
> On 2022-12-28 00:27, Aki Tuomi wrote:
> 
> > The `log` service runs by default as root, not as dovecot. 
> >
>   Then I do not understand why there is a permissions problem at all. It is 
> root!
> 
> > If data01 is an NFS mount, then root may become squashed.
> > 
>   Not an NFS mount. It is local.
> 
> > If you want to run log as `dovecot`, you can do so with
> > 
> > service log {
> >   user = dovecot
> > }
> >
>   Permission is still denied.
>   Where do I find information about "status=80/n/a"?
> 
>   I did not include all two of the syslog entries in the previous message:
> 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> /data01/var/log/dovecot.log: Permission denied
> 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process
> exited, code=exited, status=80/n/a
> 
> 
> -- 
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.

Maybe you have SELinux or AppArmor involved? On RHEL-based systems, SELinux 
logs into /var/log/audit/audit.log; dmesg -T is another good thing to check.

Aki


Re: Permissions for dovecot logging

2022-12-29 Thread James Moe
On 2022-12-28 00:27, Aki Tuomi wrote:

> The `log` service runs by default as root, not as dovecot. 
>
  Then I do not understand why there is a permissions problem at all. It is 
root!

> If data01 is an NFS mount, then root may become squashed.
> 
  Not an NFS mount. It is local.

> If you want to run log as `dovecot`, you can do so with
> 
> service log {
>   user = dovecot
> }
>
  Permission is still denied.
  Where do I find information about "status=80/n/a"?

  I did not include all two of the syslog entries in the previous message:
2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
/data01/var/log/dovecot.log: Permission denied
2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process
exited, code=exited, status=80/n/a


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



Re: Permissions for dovecot logging

2022-12-27 Thread Aki Tuomi


> On 28/12/2022 01:19 EET James Moe  wrote:
> 
>  
> dovecot 2.3.15
> opensuse LEAP 15.4
> 
>   I changed logging to use a path rather than syslog. Doing so makes it easier
> to work with fail2ban.
>   Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
> 
>   Permissions:
> drwxrwxr-x 1 root   users 104 Feb 25  2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecotusers  22 Dec 27 15:47 /data01/var/log/dovecot/
> 
>   "dovecot" is a member of "users".
> 
>   What "permission" am I missing?
> 
>   Note: A long time ago I had a problem with programs consuming all available
> space on the system disk with log or backup files. I have since gotten in the
> habit of putting log files on a non-system disk.
> 
> -- 
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.

Hi!

Dovecot drops all extra group memberships from processes when spawning them 
unless told otherwise. The `log` service runs by default as root, not as 
dovecot. If data01 is an NFS mount, then root may become squashed.

If you want to run log as `dovecot`, you can do so with

service log {
  user = dovecot
}

Aki
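
The group check discussed in this thread, as an added example that is not part of the original messages: a model of the classic Unix owner/group/other decision applied to each directory on the path to the log file, comparing a process that kept the "users" supplementary group with one that had it dropped. The numeric ids are constructed, the ownership and modes are copied from the listing quoted above, and the primary group of the dovecot user is assumed to be a separate "dovecot" group; ACLs, capabilities and SELinux/AppArmor are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o775

@dataclass(frozen=True)
class Cred:
    euid: int
    egid: int
    groups: frozenset = frozenset()  # supplementary groups

# Constructed numeric ids (assumptions); owners and modes follow the listing.
ROOT, SMA_USER, DOVECOT = 0, 1000, 497
G_USERS, G_DOVECOT = 100, 497
LOG_DIRS = [
    Entry("/data01", ROOT, G_USERS, 0o775),
    Entry("/data01/var", SMA_USER, G_USERS, 0o775),
    Entry("/data01/var/log", SMA_USER, G_USERS, 0o775),
]

def allowed(cred, entry, want):
    """want is an rwx mask (4=r, 2=w, 1=x); the first matching class decides."""
    if cred.euid == 0:
        return True  # root bypasses these checks on a local filesystem
    if cred.euid == entry.uid:
        bits = entry.mode >> 6
    elif cred.egid == entry.gid or entry.gid in cred.groups:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return ((bits & 7) & want) == want

def first_denial(cred, dirs):
    """Creating a file needs x on every ancestor and w+x on the last directory.
    Returns the first directory that denies access, or None if all allow."""
    for i, d in enumerate(dirs):
        want = 0o3 if i == len(dirs) - 1 else 0o1
        if not allowed(cred, d, want):
            return d.path
    return None

kept_groups = Cred(DOVECOT, G_DOVECOT, frozenset({G_USERS}))  # login-style credentials
dropped = Cred(DOVECOT, G_DOVECOT)    # "user = dovecot", extra groups cleared
egid_users = Cred(DOVECOT, G_USERS)   # "user = dovecot" plus "group = users"
```
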