Re: [Dovecot] Dovecot 2.0beta3: Auth master process is now running as default_internal_user

2010-03-16 Thread Timo Sirainen
On Sun, 2010-03-14 at 20:41 +0100, Thomas Leuxner wrote:
 Hi,
 
 with 'changeset 10910' the Auth master process is running as
 'default_internal_user' now (dovecot). This requires permissions
 tuning for 'passwd-files' at least, while other plugins would run in a
 different user context, 'vmail' in my setup. I see that this may be
 safer, just wondering how to streamline the config:
 
 [20:27] root spectre:/var/vmail/conf.d# l
 drwxr-x--- 4 dovecot vmail 4096 2010-03-14 17:40 leuxner.net
..
 drwx------ 2 vmail   vmail 4096 2010-03-14 13:09 acls

Why does vmail own any of these files? Dovecot accesses them only via
dovecot-auth. Do you have something else that needs to read/write them
as vmail?

I think the best solutions are (in order):

1) Create a new doveauth user that has read (but no write) access to the
files. Use doveauth for auth process.

2) Use root user for files and auth process.

3) Use dovecot user for files and auth process.




Re: [Dovecot] Dovecot 2.0beta3: Auth master process is now running as default_internal_user

2010-03-16 Thread Thomas Leuxner
Am 16.03.2010 um 20:57 schrieb Timo Sirainen:
 [20:27] root spectre:/var/vmail/conf.d# l
 drwxr-x--- 4 dovecot vmail 4096 2010-03-14 17:40 leuxner.net
 ..
 drwx------ 2 vmail   vmail 4096 2010-03-14 13:09 acls
 
 Why does vmail own any of these files? Dovecot accesses them only via
 dovecot-auth. Do you have something else that needs to read/write them
 as vmail?
 
 I think the best solutions are (in order):
 
 1) Create a new doveauth user that has read (but no write) access to the
 files. Use doveauth for auth process.
 
 2) Use root user for files and auth process.
 
 3) Use dovecot user for files and auth process.

Right, if I'd like to go with 1), where would I put the 'doveauth' user in the 
config to have 'passwd' read with it? It looks like it is still using 'dovecot' 
by default:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = doveauth
  }
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

service auth-worker {
  unix_listener auth-worker {
    mode = 0600
    user = doveauth
  }
}

The reason 'vmail' is the group owner of the 'sieve' and 'acl' subdirs is that the 
idea was to have all config stored under the 'domain.tld' folder. The LMTP service 
will access this folder with the user's permissions.

Regards
Thomas



Re: [Dovecot] Dovecot 2.0beta3: Auth master process is now running as default_internal_user

2010-03-16 Thread Timo Sirainen
On Tue, 2010-03-16 at 21:45 +0100, Thomas Leuxner wrote:
  1) Create a new doveauth user that has read (but no write) access to the
  files. Use doveauth for auth process.
  
 Right, if I'd like to go with 1) where would I put the 'doveauth' user in the 
 config to have 'passwd' read with it? Looks like it is still using 'dovecot'  
 per default:
 
  service auth {
    unix_listener auth-userdb {
      mode = 0600
      user = doveauth
    }

Don't use it for unix_listeners. Just:

service auth {
  user = doveauth
}

service auth-worker {
  user = doveauth
}



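Timo's option 1 written out as a complete Dovecot 2.0 config fragment, with the mistake from Thomas's first attempt shown next to the corrected form. This is an added example, not configuration from the thread or from the Dovecot project; the 'doveauth' user, the '/var/vmail/conf.d/%d/passwd' path and 'vmail' as owner of the auth-userdb socket are assumptions taken from Thomas's setup.

```conf
# Added example: a dedicated read-only auth user (Timo's option 1).
# All names below are assumptions, not settings from the thread.

# What was tried first: "user =" inside a unix_listener only sets the owner
# of the socket file. The auth process itself still runs as
# default_internal_user (dovecot), so a passwd-file owned by doveauth with
# mode 0400 is unreadable to it.
#service auth {
#  unix_listener auth-userdb {
#    mode = 0600
#    user = doveauth
#  }
#}

# Corrected: the process user is set on the service. The listeners keep the
# owner of whatever connects to them (vmail for LMTP/LDA user lookups,
# postfix for SMTP AUTH), which has nothing to do with the auth user.
service auth {
  user = doveauth

  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# The worker does the actual passdb/userdb lookups, so it needs the same
# user. By default it runs as root so that it can read /etc/shadow; that is
# not needed for passwd-file.
service auth-worker {
  user = doveauth
}

# One passwd-file per domain, e.g. /var/vmail/conf.d/leuxner.net/passwd,
# owned by doveauth with mode 0400 (read, no write). %d expands to the
# domain part of the login name. The same file serves both databases, so
# the uid/gid/home and userdb_* extra fields come from it as well.
passdb {
  driver = passwd-file
  args = /var/vmail/conf.d/%d/passwd
}
userdb {
  driver = passwd-file
  args = /var/vmail/conf.d/%d/passwd
}
```

With this layout the vmail user never needs to read the passwd-files at all: LMTP asks the auth process over auth-userdb, and only doveauth (and root) can open the hashes on disk. Anything that still writes to the files (a provisioning script, for instance) should do so as root rather than as the auth user, so that a compromised auth process cannot change home directories, uids or quota fields.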


[Dovecot] Dovecot 2.0beta3: Auth master process is now running as default_internal_user

2010-03-14 Thread Thomas Leuxner
Hi,

with 'changeset 10910' the Auth master process is running as 
'default_internal_user' now (dovecot). This requires permissions tuning for 
'passwd-files' at least, while other plugins would run in a different user 
context, 'vmail' in my setup. I see that this may be safer, just wondering how 
to streamline the config:

[20:27] root spectre:/var/vmail/conf.d# l
drwxr-x--- 4 dovecot vmail 4096 2010-03-14 17:40 leuxner.net

[20:27] root spectre:/var/vmail/conf.d# l leuxner.net/
drwx-- 2 vmail   vmail 4096 2010-03-14 13:09 acls
-r 1 dovecot vmail  125 2010-02-07 13:08 passwd
drwx-- 2 vmail   vmail 4096 2010-03-14 12:13 sieve

[20:27] root spectre:/var/vmail/conf.d# cat leuxner.net/passwd
t...@leuxner.net:{SSHA}:5000:5000::/var/vmail/leuxner.net/tlx::userdb_quota_rule=*:storage=5G
[…]

Regards
Thomas
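The mismatch in the listing above (passwd owned by dovecot, the rest by vmail, and the auth process about to run as yet another user) is easy to reintroduce whenever a new domain directory is added. The audit script below checks every passwd-file under the config tree for the layout Timo recommends as option 1: owned by a dedicated auth user, mode 0400 or 0440, nothing readable by "other". It is an added example, not a script from the thread or from Dovecot; the 'doveauth' name and the '/var/vmail/conf.d/<domain>/passwd' layout are assumptions from Thomas's setup, and it needs GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): audit Dovecot passwd-files for the
# "dedicated read-only auth user" layout. Assumptions: the auth user is
# called "doveauth" and the files are /var/vmail/conf.d/<domain>/passwd.
# Requires GNU stat.

# audit_passwd_file FILE AUTH_USER
# Returns 0 if FILE is owned by AUTH_USER and its mode is 0400 or 0440,
# otherwise prints the reason on stderr and returns 1.
# 0400/0440 is "read but no write" for the auth user and no access for
# "other", so a compromised vmail/LMTP process can neither read the
# password hashes nor rewrite the home/uid/quota fields.
audit_passwd_file() {
    file=$1
    auth_user=$2
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    perm=${mode#"${mode%???}"}   # last three octal digits (drops setuid/sticky)
    if [ "$owner" != "$auth_user" ]; then
        echo "$file: owned by $owner, expected $auth_user" >&2
        return 1
    fi
    case "$perm" in
        400|440)
            return 0 ;;
        *)
            echo "$file: mode $perm, expected 400 or 440" >&2
            return 1 ;;
    esac
}

# audit_tree DIR AUTH_USER
# Audits every file named "passwd" below DIR and prints the number of
# files that failed (reasons go to stderr).
audit_tree() {
    dir=$1
    auth_user_for_tree=$2
    failures=0
    for f in $(find "$dir" -type f -name passwd); do
        audit_passwd_file "$f" "$auth_user_for_tree" || failures=$((failures + 1))
    done
    echo "$failures"
}

# Usage: sh audit-passwd.sh /var/vmail/conf.d doveauth
# Exits non-zero when any passwd-file fails the audit.
if [ "$#" -gt 0 ]; then
    bad=$(audit_tree "$1" "${2:-doveauth}")
    echo "$bad passwd-file(s) failed the audit"
    [ "$bad" -eq 0 ]
fi
```

Run it as root after adding a domain, or from cron; the per-file messages name the offending file and whether the owner or the mode is wrong. The domain directories themselves (leuxner.net above is dovecot:vmail 0750) only need the execute bit for the auth user, which the script deliberately does not check, since the sieve and acl subdirectories legitimately belong to vmail.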