Re: [Dovecot] Permissions problems

[Steffen Kaiser]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 27 Nov 2013, Google wrote:


Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot.index.log.newlock,
/mpool/mail/mark/dovecot.index.log) failed: Permission denied


That's a filesystem problem.


The output from doveconf -n (this is changes from the default settings I
think?) is:

root@proliant-1:~# doveconf -n
# 2.0.20: /etc/opt/csw/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc  zfs
auth_first_valid_uid = 101
disable_plaintext_auth = no
first_valid_uid = 101
mail_location = maildir:/mpool/mail/%u
passdb {
driver = pam
}
ssl_cert = /opt/csw/ssl/certs/dovecot.pem
ssl_key = /opt/csw/ssl/private/dovecot.pem
userdb {
driver = passwd
}

The mail_location is in a ZFS filesystem on my RAIDz array. I couldnt think
of any other way of creating user-specific folders in the location. As the value
suggests, each user gets their own directory on the filesystem for mail.


The users do have distinct home directories (from passwd) separated from 
the mail location?



Is this still a ‘safe’ way to do things or would I be better off relocating each
user’s ‘home’ directory to the pool somehow?

This is what the directory currently looks like:

mark@proliant-1:~$ ls -la /mpool/mail
total 6
drwxrwxrwx+ 3 root root  3 2013-11-24 17:17 .
drwxr-xr-x+ 5 root root  5 2013-11-24 13:50 ..
drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark

mark@proliant-1:~$ ls -la /mpool/mail/mark/
total 14
drwxrwxrwx+ 5 mark staff  9 2013-11-24 22:20 .
drwxrwxrwx+ 3 root root   3 2013-11-24 17:17 ..
drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 cur
-rwxrwxrwx+ 1 mark staff 51 2013-11-24 22:20 dovecot-uidlist.tmp
-rwxrwxrwx+ 1 mark staff  8 2013-11-24 22:20 dovecot-uidvalidity
-rwxrwxrwx+ 1 mark staff  0 2013-11-24 17:17 dovecot-uidvalidity.529234ad
-rwxrwxrwx+ 1 mark staff 40 2013-11-24 22:20 dovecot.index.log.newlock
drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 new
drwxrwxrwx+ 2 mark staff  3 2013-11-24 17:21 tmp

Any ideas?


is it possible that two Dovecot instances try to access the same storage ? 
Or is there some hardening (SELinux/AppArmor) in action? Or are there some 
special ACLs in ZFS that prevent that rename() operation on file system 
level? Does the user mark has the permission at all?


- -- 
Steffen Kaiser

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUpW1n13r2wJMiz2NAQL6+wf/UdkI0kKZKwRT1+VgSxE2QJqVwrDr0GN2
IK5fljL3Hnx4PDjnofEJ6yXT7xJGTveaZ9yQahQbx0oakBBTKsEgZsNxBB+TOyjE
MsYBzYbQKK+JqR7yUt3YwnJXmPrCATOhd0WKqgX4xb94X4nn3id2/l3bjqNnQUtm
QPB2r+gVT2AtisB5Onzaocf7wdkPoMD1vMaW+Z9VqSBvzWzezoxoEXDbButWkrQf
C1K0r+eK+IU3KxXboZ2ceu4QqlFth8GlOX9F9e2zFfRJ747qJcmEI9wxfbqCkBKs
ic+A//km4mv6Y6erObBOj/jtT82jm7P0RBWBKkmKnO6Fg7AI/GIvQg==
=qGop
-END PGP SIGNATURE-

Re: [Dovecot] Permissions problems

[Mark Benson]

 That's a filesystem problem.

I figured as much.

 The users do have distinct home directories (from passwd) separated from
the mail location?

Yeah, in this case /home/mark is the home folder.  If necessary I can
remove the mail_location directive and test using the users home dir and
see if that fails (also on ZFS but in the root storage pool).

 is it possible that two Dovecot instances
 try to access the same storage ? Or is
 there some hardening (SELinux/
 AppArmor) in action?

The dovecot mail system is running on OpenSolaris (OpenIndiana to be
precise) and uses Solaris's Service Management (smf) to stop and start. I
am relatively sure SMF won't let 2 instances run at once.

 Or are there some special ACLs in ZFS that
 prevent that rename() operation on file
 system level? Does the user mark has the  permission at all?

Not certain. I don't think so and I certainly didn't enable anything along
those lines but this is my first deployment on Solaris so I'm a little out
of my depth. I'm used to Debian Linux.

-- 

Mark

Re: [Dovecot] Permissions problems

[Joseph Tam]

md.ben...@gmail.com wrote:


Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot.index.log.newlock,
/mpool/mail/mark/dovecot.index.log) failed: Permission denied
...
This is what the directory currently looks like:

mark@proliant-1:~$ ls -la /mpool/mail
total 6
drwxrwxrwx+ 3 root root  3 2013-11-24 17:17 .
drwxr-xr-x+ 5 root root  5 2013-11-24 13:50 ..
drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark


I'm think the + is the problem: you have, in the words of the manpage for ls,

... this character is a plus sign (+) character if a non-trivial
ACL is associated with the file ...

Try

ls -alv /mpool/mail

I don't use ACLs, so I can help you how to modify them.

Joseph Tam jtam.h...@gmail.com

[Dovecot] Permissions problems

[Google]

Hi,

I have dovecot 2.0.20 running (its an old version, I know, it came from the
stable archive at OpenCSW) with Solaris SMF integration working fine. It
enables and disables okay.

However, I cantt connect to it, it is allowing the connection, but spewing on
permissions:

Nov 24 17:34:20 proliant-1 dovecot: [ID 583609 mail.info] master: Dovecot
v2.0.20 starting up
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=mark, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18816
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=mark, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18818
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=mark, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18820
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap(mark):
Connection closed bytes=17/340
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.info] imap-login: Login:
user=mark, method=PLAIN, rip=192.168.1.69, lip=192.168.1.72, mpid=18822
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot.index.log.newlock,
/mpool/mail/mark/dovecot.index.log) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
rename(/mpool/mail/mark/dovecot-uidlist.tmp, /mpool/mail/mark/dovecot-uidlist)
failed: Permission denied
Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error:
unlink(/mpool/mail/mark/dovecot-uidlist.tmp) failed: Permission denied

If I actually try to copy mail to the inbox of the account it core-dumps and
does, and the SMF service drops into maintenance mode which requires
re-enabling.

The output from doveconf -n (this is changes from the default settings I
think?) is:

root@proliant-1:~# doveconf -n
# 2.0.20: /etc/opt/csw/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc  zfs
auth_first_valid_uid = 101
disable_plaintext_auth = no
first_valid_uid = 101
mail_location = maildir:/mpool/mail/%u
passdb {
 driver = pam
}
ssl_cert = /opt/csw/ssl/certs/dovecot.pem
ssl_key = /opt/csw/ssl/private/dovecot.pem
userdb {
 driver = passwd
}

The mail_location is in a ZFS filesystem on my RAIDz array. I couldnt think
of any other way of creating user-specific folders in the location. As the value
suggests, each user gets their own directory on the filesystem for mail.

Is this still a ‘safe’ way to do things or would I be better off relocating each
user’s ‘home’ directory to the pool somehow?

This is what the directory currently looks like:

mark@proliant-1:~$ ls -la /mpool/mail
total 6
drwxrwxrwx+ 3 root root  3 2013-11-24 17:17 .
drwxr-xr-x+ 5 root root  5 2013-11-24 13:50 ..
drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark

mark@proliant-1:~$ ls -la /mpool/mail/mark/
total 14
drwxrwxrwx+ 5 mark staff  9 2013-11-24 22:20 .
drwxrwxrwx+ 3 root root   3 2013-11-24 17:17 ..
drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 cur
-rwxrwxrwx+ 1 mark staff 51 2013-11-24 22:20 dovecot-uidlist.tmp
-rwxrwxrwx+ 1 mark staff  8 2013-11-24 22:20 dovecot-uidvalidity
-rwxrwxrwx+ 1 mark staff  0 2013-11-24 17:17 dovecot-uidvalidity.529234ad
-rwxrwxrwx+ 1 mark staff 40 2013-11-24 22:20 dovecot.index.log.newlock
drwxrwxrwx+ 2 mark staff  2 2013-11-24 17:17 new
drwxrwxrwx+ 2 mark staff  3 2013-11-24 17:21 tmp

Any ideas?

-- 

Mark Benson

http://DECtec.info
Twitter: @DECtecInfo
HECnet: STAR69::MARK

Online Resource  Mailing List for DEC Enthusiasts.