Re: [Dovecot] permissions on auth-userdb
On Wed, 2012-06-27 at 08:34 -0400, Charles Marcus wrote:
> On 2012-06-27 8:29 AM, Timo Sirainen wrote:
> > On 23.6.2012, at 13.34, Charles Marcus wrote:
> >> It would be nice if there were a wiki page specifically describing
> >> how permissions should be set for all of the services/directories
> >> that dovecot uses.
> >>
> >> Even better would be a dovecot/doveconf command that would test the
> >> permissions and, if possible, even fix them (like the postfix
> >> 'set-permissions' command)...
> >
> > The problem with those is that it depends on the installation. Each
> > user may need different permissions. Many installations don't have a
> > way to list users to even do a userdb lookup. I guess it would be
> > possible to write such a tool for specific installations where it
> > could work, but it wouldn't work everywhere.
>
> Hmmm... I wonder how postfix does it then... maybe it doesn't have as
> many potential variations I guess?

Postfix internally doesn't really use anything except root and postfix
users. Dovecot can be configured in many different ways to handle mail
users and that configuration affects quite a few settings.

> Is there maybe just a basic/standard set of permissions that can work
> for many installations, then have a way to detect non-standard installs
> and just provide a link to a wiki page describing things in more detail?

I guess there could be two common settings described: Virtual users with
one UID, and system users with multiple UIDs.

> Is there a wiki page for this already? I didn't find one...

Maybe something could be written under http://wiki2.dovecot.org/UserIds
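The permission check that the exchange above wishes existed, written here as an added example. It is not a Dovecot or Postfix tool and was not posted in the thread; the path /var/run/dovecot/auth-userdb and the vmail user are the ones the thread uses, GNU stat and coreutils id are assumed for the live check, and the decision logic is separated into a function that works on already collected facts so it can be exercised without a socket. Two things from the thread drive the verdict: the dovecot-lda process connects as the mail user (vmail here), and the config comment quoted in the thread warns that anyone who can reach the socket can list all usernames and read everyone's userdb results. Dovecot also recreates its sockets at startup from the unix_listener settings, so a manual chown/chmod is undone by a restart; the check therefore reports what the configuration produced, not what someone patched by hand.

```sh
#!/bin/sh
# Added example (not a Dovecot tool): report who can reach the auth-userdb
# socket and whether it is open to every local account.

# perm_bits MODE CLASS -> prints the rwx digit for owner (u), group (g) or
# other (o). MODE is an octal string such as 600, 0600 or 660.
perm_bits() {
    mode=$1
    # keep only the last three octal digits (drop a leading 0 or special bits)
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    case $2 in
        u) echo "${mode%??}" ;;
        g) m=${mode#?}; echo "${m%?}" ;;
        o) echo "${mode#??}" ;;
    esac
}

# socket_verdict OWNER GROUP MODE USER USER_GROUPS
# Pure decision on already collected facts. USER_GROUPS is the space
# separated group list of USER (what `id -Gn USER` prints).
# Prints "access=yes|no world=yes|no":
#   access: USER gets both r and w on the socket. Dovecot's error message
#           complains about a missing +r and connect(2) needs +w, so both
#           are required before the lda user can actually use the socket.
#   world:  the "other" class has an r or w bit, i.e. every local account
#           could run userdb lookups and enumerate usernames.
socket_verdict() {
    owner=$1 group=$2 mode=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        bits=$(perm_bits "$mode" u)
    else
        case " $groups " in
            *" $group "*) bits=$(perm_bits "$mode" g) ;;
            *)            bits=$(perm_bits "$mode" o) ;;
        esac
    fi
    other=$(perm_bits "$mode" o)
    access=no
    world=no
    if [ $((bits & 6)) -eq 6 ]; then access=yes; fi
    if [ $((other & 6)) -ne 0 ]; then world=yes; fi
    echo "access=$access world=$world"
}

# check_auth_userdb_socket [PATH] [USER]
# Live check: collects owner, group and mode from the socket (assumes GNU
# stat) and the user's groups (assumes coreutils id), then prints the
# verdict. Defaults are the path and user discussed in the thread.
check_auth_userdb_socket() {
    path=${1:-/var/run/dovecot/auth-userdb}
    user=${2:-vmail}
    if [ ! -S "$path" ]; then
        echo "not-a-socket: $path"
        return 1
    fi
    set -- $(stat -c '%U %G %a' "$path")
    socket_verdict "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)"
}
```

Run `check_auth_userdb_socket` after restarting Dovecot. A socket owned by root with mode 0600, as in every error report in the thread, yields `access=no world=no`; the fix that survives restarts is `unix_listener auth-userdb { user = vmail }` in the config, not chown on the socket file. `world=yes` means the mode was relaxed too far (for example 0666) and every local account can enumerate users through the socket. The thread's `chmod g+r` alone also shows up here as `access=no` for a group member, because read without write is not enough to connect.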
Re: [Dovecot] permissions on auth-userdb
On 2012-06-27 8:29 AM, Timo Sirainen wrote:
> On 23.6.2012, at 13.34, Charles Marcus wrote:
>> It would be nice if there were a wiki page specifically describing
>> how permissions should be set for all of the services/directories
>> that dovecot uses.
>>
>> Even better would be a dovecot/doveconf command that would test the
>> permissions and, if possible, even fix them (like the postfix
>> 'set-permissions' command)...
>
> The problem with those is that it depends on the installation. Each
> user may need different permissions. Many installations don't have a
> way to list users to even do a userdb lookup. I guess it would be
> possible to write such a tool for specific installations where it
> could work, but it wouldn't work everywhere.

Hmmm... I wonder how postfix does it then... maybe it doesn't have as
many potential variations I guess?

Is there maybe just a basic/standard set of permissions that can work
for many installations, then have a way to detect non-standard installs
and just provide a link to a wiki page describing things in more detail?

Is there a wiki page for this already? I didn't find one...

--
Best regards,

Charles
Re: [Dovecot] permissions on auth-userdb
On 23.6.2012, at 13.34, Charles Marcus wrote:
> It would be nice if there were a wiki page specifically describing how
> permissions should be set for all of the services/directories that dovecot
> uses.
>
> Even better would be a dovecot/doveconf command that would test the
> permissions and, if possible, even fix them (like the postfix
> 'set-permissions' command)...

The problem with those is that it depends on the installation. Each user
may need different permissions. Many installations don't have a way to
list users to even do a userdb lookup. I guess it would be possible to
write such a tool for specific installations where it could work, but it
wouldn't work everywhere.
Re: [Dovecot] permissions on auth-userdb
It would be nice if there were a wiki page specifically describing how
permissions should be set for all of the services/directories that
dovecot uses.

Even better would be a dovecot/doveconf command that would test the
permissions and, if possible, even fix them (like the postfix
'set-permissions' command)...

On 2012-06-22 11:46 AM, robert coore wrote:
> googlemail.com> writes:
>>
>> Hi..
>>
>> I'm still trying to upgrade to 2.0.
>> I'm getting:
>> dovecot: lda: Error: userdb lookup:
>> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
>> (euid=1(vmail) egid=1(vmail) missing +r perm:
>> /var/run/dovecot/auth-userdb, euid is not dir owner)
>>
>> The error is correct because it's owned by root. My question is who
>> should own it?
>> I'm not sure how that works, what process/user calls the auth-userdb?
>> The auth-userdb returns the args generated in master.conf, right?
>>
>> I think commenting out the user and group setting in master.conf will
>> fix it but I'm not sure if that is the securest way.
>>
>> The mails come from postfix via dovecot-lda
>>
>> Hans
>>
>> master.conf
>> service auth {
>>   # auth_socket_path points to this userdb socket by default. It's typically
>>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>>   # permissions make it readable only by root, but you may need to relax these
>>   # permissions. Users that have access to this socket are able to get a list
>>   # of all usernames and get results of everyone's userdb lookups.
>>   unix_listener auth-userdb {
>>     mode = 0600
>>     #user = vmail
>>     #group = vmail
>>   }
>> }
>>
>> auth-ldap.conf.ext
>> passdb {
>>   driver = ldap
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>> }
>> userdb {
>>   driver = static
>>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/ mail=/home/MAILBOXES/%u/mail
>> }
>
> Hi all, I was getting the same errors; it took me 2 days to understand
> what it was saying to me but I finally solved it. If you do an
>
>   ls -l /var/run/dovecot/auth-userdb
>
> you will see that root is the owner and the permissions are srw, so
> vmail has no right to call or even use the process. What I did was a
>
>   chown -R vmail:vmail /var/run/dovecot/auth-userdb
>
> I also did a
>
>   chmod g+r /var/run/dovecot/auth-userdb
>
>   ls -l /var/run/dovecot/auth-userdb
>   srw-r----- 1 vmail vmail
>
> My
>
>   unix_listener auth-userdb {
>     mode = 600
>   }
>   protocol lda {
>     auth_socket_path = /var/run/dovecot/auth-userdb
>     log_path = /home/vmail/dovecot-deliver.log
>   }
>
> That worked for me.
> 1. Haven't restarted the dovecot service, don't know if it will keep
> the settings.

--
Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6200 x224 | 678.514.6299 fax
Re: [Dovecot] permissions on auth-userdb
googlemail.com> writes:
>
> Hi..
>
> I'm still trying to upgrade to 2.0.
> I'm getting:
> dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=1(vmail) egid=1(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)
>
> The error is correct because it's owned by root. My question is who
> should own it?
> I'm not sure how that works, what process/user calls the auth-userdb?
> The auth-userdb returns the args generated in master.conf, right?
>
> I think commenting out the user and group setting in master.conf will
> fix it but I'm not sure if that is the securest way.
>
> The mails come from postfix via dovecot-lda
>
> Hans
>
> master.conf
> service auth {
>   # auth_socket_path points to this userdb socket by default. It's typically
>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>   # permissions make it readable only by root, but you may need to relax these
>   # permissions. Users that have access to this socket are able to get a list
>   # of all usernames and get results of everyone's userdb lookups.
>   unix_listener auth-userdb {
>     mode = 0600
>     #user = vmail
>     #group = vmail
>   }
> }
>
> auth-ldap.conf.ext
> passdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/ mail=/home/MAILBOXES/%u/mail
> }

Hi all, I was getting the same errors; it took me 2 days to understand
what it was saying to me but I finally solved it. If you do an

  ls -l /var/run/dovecot/auth-userdb

you will see that root is the owner and the permissions are srw, so
vmail has no right to call or even use the process. What I did was a

  chown -R vmail:vmail /var/run/dovecot/auth-userdb

I also did a

  chmod g+r /var/run/dovecot/auth-userdb

  ls -l /var/run/dovecot/auth-userdb
  srw-r----- 1 vmail vmail

My

  unix_listener auth-userdb {
    mode = 600
  }
  protocol lda {
    auth_socket_path = /var/run/dovecot/auth-userdb
    log_path = /home/vmail/dovecot-deliver.log
  }

That worked for me.
1. Haven't restarted the dovecot service, don't know if it will keep
the settings.
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
On Mon, 2010-09-20 at 19:32 +0200, Dieter Knopf wrote:
> service auth {
>   unix_listener auth-master {

You need to change auth-userdb, not auth-master

>     group = vmail
>     user = vmail
>     mode = 0600
>
>   }
> }
>
> Seems like my config part is for the auth-master-sock only.
> So I need to add a unix_listener auth-userdb? (static)

Or just change the auth-master name to auth-userdb. You're unlikely to
need auth-master anyway.
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
2010/9/20 Timo Sirainen :
> And when you set those, does auth-userdb socket's owner/group change or
> is it still root?

Nope :(

srw------- 1 root    root    0 20. Sep 19:28 auth-client
srw------- 1 dovecot root    0 20. Sep 19:28 auth-login
srw------- 1 vmail   vmail   0 20. Sep 19:28 auth-master
srw------- 1 root    root    0 20. Sep 19:28 auth-userdb
srw------- 1 dovecot root    0 20. Sep 19:28 auth-worker

Config is:

service auth {
  unix_listener auth-master {
    group = vmail
    user = vmail
    mode = 0600
  }
}

Seems like my config part is for the auth-master-sock only.
So I need to add a unix_listener auth-userdb? (static)

Thanks
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
On Mon, 2010-09-20 at 18:26 +0200, Dieter Knopf wrote:
> 2010/9/20 Timo Sirainen :
> > No, it's trying to open it as the mail user, and above shows that it's
> > vmail. So make the socket accessible to vmail:
> >
> > service auth {
> >   unix_listener auth-userdb {
> >     user = vmail
> >   }
> > }
>
> Thanks for the tip, I added this (again) and still have the error :(
> I tested with group=vmail too. (and restarted after it).

And when you set those, does auth-userdb socket's owner/group change or
is it still root?
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
2010/9/20 Timo Sirainen :
> No, it's trying to open it as the mail user, and above shows that it's
> vmail. So make the socket accessible to vmail:
>
> service auth {
>   unix_listener auth-userdb {
>     user = vmail
>   }
> }

Thanks for the tip, I added this (again) and still have the error :(
I tested with group=vmail too. (and restarted after it).
It worked fine after I changed the permissions manually (chmod), but this
can't be the solution :(

2010-09-20 18:22:50 lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=5000(vmail) egid=5000(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)

Thanks
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
On Mon, Sep 20, 2010 at 14:59:20 +0100, Timo Sirainen wrote:
> On Mon, 2010-09-20 at 08:55 +0200, LEVAI Daniel wrote:
> > > 2010-09-20 06:28:04 lda: Error: userdb lookup:
> > > connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> > > (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> > > /var/run/dovecot/auth-userdb, euid is not dir owner)
> >
> > Dovecot tries to open that file with the "default_internal_user" user,
>
> No, it's trying to open it as the mail user, and above shows that it's
> vmail. So make the socket accessible to vmail:

Sorry, I wasn't paying enough attention.

Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
On Mon, 2010-09-20 at 08:55 +0200, LEVAI Daniel wrote:
> > 2010-09-20 06:28:04 lda: Error: userdb lookup:
> > connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> > (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> > /var/run/dovecot/auth-userdb, euid is not dir owner)
>
> Dovecot tries to open that file with the "default_internal_user" user,

No, it's trying to open it as the mail user, and above shows that it's
vmail. So make the socket accessible to vmail:

service auth {
  unix_listener auth-userdb {
    user = vmail
  }
}
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
2010/9/20 LEVAI Daniel :
> Dovecot tries to open that file with the "default_internal_user" user,
> which is configurable in dovecot.conf. See
> # doveconf -h default_internal_user
> what is the current user for you.

Default user is dovecot like it was with 1.2, but there is a new user
dovenull

# doveconf -h default_internal_user
dovecot

Thanks
Re: [Dovecot] permissions on auth-userdb Error: userdb lookup
On Mon, Sep 20, 2010 at 06:34:01 +0200, Dieter Knopf wrote:
> Hello,
>
> first sorry for this question. I already found many threads about this
> problem including a thread in this list from August 2010, but nothing
> helped :(
>
> Here is the error:
> 2010-09-20 06:28:04 lda: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/
> 2010-09-20 06:28:04 lda: Debug: Module loaded:
> /usr/lib/dovecot/modules//lib90_sieve_plugin.so
> 2010-09-20 06:28:04 lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)
> 2010-09-20 06:28:04 lda: Fatal: Internal error occurred. Refer to
> server log for more information.
>
> srw------- 1 root root 0 20. Sep 06:21 auth-userdb

Dovecot tries to open that file with the "default_internal_user" user,
which is configurable in dovecot.conf. See

# doveconf -h default_internal_user

what is the current user for you.

Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
[Dovecot] permissions on auth-userdb Error: userdb lookup
Hello,

first sorry for this question. I already found many threads about this
problem including a thread in this list from August 2010, but nothing
helped :(

Here is the error:
2010-09-20 06:28:04 lda: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/
2010-09-20 06:28:04 lda: Debug: Module loaded:
/usr/lib/dovecot/modules//lib90_sieve_plugin.so
2010-09-20 06:28:04 lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=5000(vmail) egid=5000(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)
2010-09-20 06:28:04 lda: Fatal: Internal error occurred. Refer to
server log for more information.

srw------- 1 root root 0 20. Sep 06:21 auth-userdb

It worked fine with Dovecot 1.x, I use a static userdb.
vmail(5000):vmail(5000) is my standard user/group for /home/vmail/

Here is the config:

listen = 92.198.xx.xx
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_gid = 5000
mail_location = maildir:/home/vmail/%d/%n:INDEX=/home/vmail-indexes/%d/%n
mail_privileged_group = vmail
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = /home/vmail-sieve/%u/main.sieve
  sieve_before = /home/vmail/global/before.sieve
  sieve_dir = /home/vmail-sieve/%u/
  sieve_global_dir = /home/vmail-sieve/global/
}
protocols = imap
service auth {
  unix_listener auth-master {
    mode = 0600
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = 92.198.xx.xx
  }
}
service pop3-login {
  inet_listener pop3s {
    address = 92.198.xx.xx
  }
}
ssl_cert =
Re: [Dovecot] permissions on auth-userdb
On Tue, 2010-08-31 at 02:13 +0200, spamv...@googlemail.com wrote:
> Hi..
>
> I'm still trying to upgrade to 2.0.
> I'm getting:
> dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=1(vmail) egid=1(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)

You're calling dovecot-lda as the user vmail:vmail, probably from your
MTA. Probably it's not being called by anyone else.

> service auth {
>   # auth_socket_path points to this userdb socket by default. It's typically
>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>   # permissions make it readable only by root, but you may need to relax these
>   # permissions. Users that have access to this socket are able to get a list
>   # of all usernames and get results of everyone's userdb lookups.
>   unix_listener auth-userdb {
>     mode = 0600
>     #user = vmail
>     #group = vmail

Comment out the user/group lines above and that should work fine.
Re: [Dovecot] permissions on auth-userdb
The question is if that process needs to be root or not. And as long as I
don't know who's talking to that process and why it runs as root by
default, I wouldn't touch it.
It would make sense if it's running as root when userdb is pam, to access
the files, or it's running as root because no one should have root rights
and so no one can read the whole userdb. In that last case it would be
really bad to switch the user from root to vmail :)
In my case all mails are stored with user vmail, maybe user vmail needs to
be able to read the whole db. I don't know :)
If someone knows, let me know

Hans

2010/8/31 Egbert Jan van den Bussche :
> On 31-8-2010 2:13, spamv...@googlemail.com wrote:
>>
>> Hi..
>>
>> I'm still trying to upgrade to 2.0.
>> I'm getting:
>> dovecot: lda: Error: userdb lookup:
>> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
>> (euid=1(vmail) egid=1(vmail) missing +r perm:
>> /var/run/dovecot/auth-userdb, euid is not dir owner)
>>
>> The error is correct because it's owned by root. My question is who
>> should own it?
>> I'm not sure how that works, what process/user calls the auth-userdb?
>> The auth-userdb returns the args generated in master.conf, right?
>>
>> I think commenting out the user and group setting in master.conf will
>> fix it but I'm not sure if that is the securest way.
>>
>> The mails come from postfix via dovecot-lda
>>
>> Hans
>>
>> master.conf
>> service auth {
>>   # auth_socket_path points to this userdb socket by default. It's
>>   # typically used by dovecot-lda, doveadm, possibly imap process, etc.
>>   # Its default permissions make it readable only by root, but you may
>>   # need to relax these permissions. Users that have access to this
>>   # socket are able to get a list of all usernames and get results of
>>   # everyone's userdb lookups.
>>   unix_listener auth-userdb {
>>     mode = 0600
>>     #user = vmail
>>     #group = vmail
>>   }
>> }
>>
>> auth-ldap.conf.ext
>> passdb {
>>   driver = ldap
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>> }
>> userdb {
>>   driver = static
>>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/ mail=/home/MAILBOXES/%u/mail
>> }
>
> Had more or less the same fight with 1.2.9. I had to change auth user to the
> group 'shadow' (if /etc/shadow is owned by group shadow). Or run auth under
> the default user 'root'.
>
> In your case it has to do with the passdb and/or userdb you use. In my case
> I had the problems with local users via pam.
>
> HTH
> Egbert Jan
>
Re: [Dovecot] permissions on auth-userdb
On 31-8-2010 2:13, spamv...@googlemail.com wrote:
> Hi..
>
> I'm still trying to upgrade to 2.0.
> I'm getting:
> dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=1(vmail) egid=1(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)
>
> The error is correct because it's owned by root. My question is who
> should own it?
> I'm not sure how that works, what process/user calls the auth-userdb?
> The auth-userdb returns the args generated in master.conf, right?
>
> I think commenting out the user and group setting in master.conf will
> fix it but I'm not sure if that is the securest way.
>
> The mails come from postfix via dovecot-lda
>
> Hans
>
> master.conf
> service auth {
>   # auth_socket_path points to this userdb socket by default. It's typically
>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>   # permissions make it readable only by root, but you may need to relax these
>   # permissions. Users that have access to this socket are able to get a list
>   # of all usernames and get results of everyone's userdb lookups.
>   unix_listener auth-userdb {
>     mode = 0600
>     #user = vmail
>     #group = vmail
>   }
> }
>
> auth-ldap.conf.ext
> passdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/ mail=/home/MAILBOXES/%u/mail
> }

Had more or less the same fight with 1.2.9. I had to change auth user to the
group 'shadow' (if /etc/shadow is owned by group shadow). Or run auth under
the default user 'root'.

In your case it has to do with the passdb and/or userdb you use. In my case
I had the problems with local users via pam.

HTH
Egbert Jan
[Dovecot] permissions on auth-userdb
Hi..

I'm still trying to upgrade to 2.0.
I'm getting:
dovecot: lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=1(vmail) egid=1(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)

The error is correct because it's owned by root. My question is who
should own it?
I'm not sure how that works, what process/user calls the auth-userdb?
The auth-userdb returns the args generated in master.conf, right?

I think commenting out the user and group setting in master.conf will
fix it but I'm not sure if that is the securest way.

The mails come from postfix via dovecot-lda

Hans

master.conf
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    mode = 0600
    #user = vmail
    #group = vmail
  }
}

auth-ldap.conf.ext
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/ mail=/home/MAILBOXES/%u/mail
}