Re: [Dovecot] permissions on auth-userdb

2012-06-27 Thread Timo Sirainen
On Wed, 2012-06-27 at 08:34 -0400, Charles Marcus wrote:
> On 2012-06-27 8:29 AM, Timo Sirainen wrote:
> > On 23.6.2012, at 13.34, Charles Marcus wrote:
> >> It would be nice if there were a wiki page specifically describing
> >> how permissions should be set for all of the services/directories
> >> that dovecot uses.
> >>
> >> Even better would be a dovecot/doveconf command that would test the
> >> permissions and, if possible, even fix them (like the postfix
> >> 'set-permissions' command)...
> 
> > The problem with those is that it depends on the installation. Each
> > user may need different permissions. Many installations don't have a
> > way to list users to even do a userdb lookup. I guess it would be
> > possible to write such a tool for specific installations where it
> > could work, but it wouldn't work everywhere.
> 
> Hmmm... I wonder how postfix does it then... maybe it doesn't have as 
> many potential variations I guess?

Postfix internally doesn't really use anything except root and postfix
users. Dovecot can be configured in many different ways to handle mail
users, and that configuration affects quite a lot of settings.

> Is there maybe just a basic/standard set of permissions that can work 
> for many installations, then have a way to detect non-standard installs 
> and just provide a link to a wiki page describing things in more detail?

I guess there could be two common settings described: Virtual users with
one UID, and system users with multiple UIDs.

> Is there a wiki page for this already? I didn't find one...

Maybe something could be written under http://wiki2.dovecot.org/UserIds



Re: [Dovecot] permissions on auth-userdb

2012-06-27 Thread Charles Marcus

On 2012-06-27 8:29 AM, Timo Sirainen wrote:
> On 23.6.2012, at 13.34, Charles Marcus wrote:
> 
> > It would be nice if there were a wiki page specifically describing
> > how permissions should be set for all of the services/directories
> > that dovecot uses.
> > 
> > Even better would be a dovecot/doveconf command that would test the
> > permissions and, if possible, even fix them (like the postfix
> > 'set-permissions' command)...
> 
> The problem with those is that it depends on the installation. Each
> user may need different permissions. Many installations don't have a
> way to list users to even do a userdb lookup. I guess it would be
> possible to write such a tool for specific installations where it
> could work, but it wouldn't work everywhere.


Hmmm... I wonder how postfix does it then... maybe it doesn't have as 
many potential variations I guess?


Is there maybe just a basic/standard set of permissions that can work 
for many installations, then have a way to detect non-standard installs 
and just provide a link to a wiki page describing things in more detail?


Is there a wiki page for this already? I didn't find one...

--

Best regards,

Charles


Re: [Dovecot] permissions on auth-userdb

2012-06-27 Thread Timo Sirainen
On 23.6.2012, at 13.34, Charles Marcus wrote:

> It would be nice if there were a wiki page specifically describing how 
> permissions should be set for all of the services/directories that dovecot 
> uses.
> 
> Even better would be a dovecot/doveconf command that would test the 
> permissions and, if possible, even fix them (like the postfix 
> 'set-permissions' command)...

The problem with those is that it depends on the installation. Each user may 
need different permissions. Many installations don't have a way to list users 
to even do a userdb lookup. I guess it would be possible to write such a tool 
for specific installations where it could work, but it wouldn't work 
everywhere.



Re: [Dovecot] permissions on auth-userdb

2012-06-23 Thread Charles Marcus
It would be nice if there were a wiki page specifically describing how 
permissions should be set for all of the services/directories that 
dovecot uses.


Even better would be a dovecot/doveconf command that would test the 
permissions and, if possible, even fix them (like the postfix 
'set-permissions' command)...


On 2012-06-22 11:46 AM, robert coore wrote:
> googlemail.com> writes:
> 
> > Hi..
> > 
> > I'm still trying to upgrade to 2.0.
> > I'm getting:
> > dovecot: lda: Error: userdb lookup:
> > connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> > (euid=1(vmail) egid=1(vmail) missing +r perm:
> > /var/run/dovecot/auth-userdb, euid is not dir owner)
> > 
> > The error is correct because it's owned by root. My question is who should own
> > it?
> > I'm not sure how that works, what process/user calls the auth-userdb?
> > The auth-userdb returns the args generated in master.conf, right?
> > 
> > I think commenting out the user and group setting in master.conf will fix
> > it, but I'm not sure if that is the most secure way.
> > 
> > The mails come from postfix via dovecot-lda.
> > 
> > Hans
> > 
> > master.conf
> > service auth {
> >   # auth_socket_path points to this userdb socket by default. It's typically
> >   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
> >   # permissions make it readable only by root, but you may need to relax these
> >   # permissions. Users that have access to this socket are able to get a list
> >   # of all usernames and get results of everyone's userdb lookups.
> >   unix_listener auth-userdb {
> >     mode = 0600
> >     #user = vmail
> >     #group = vmail
> >   }
> > 
> > auth-ldap.conf.ext
> > passdb {
> >   driver = ldap
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> > }
> > userdb {
> >   driver = static
> >   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/
> > mail=/home/MAILBOXES/%u/mail
> > }
> 
> Hi all, I was getting the same errors; it took me 2 days to understand what it was
> saying to me, but I finally solved it.
> 
> If you do an ls -l /var/run/dovecot/auth-userdb you will see that root is the
> owner and the permissions are srw, so vmail has no right to call or
> even use the process.
> What I did was a chown -R vmail:vmail /var/run/dovecot/auth-userdb
> I also did a chmod g+r /var/run/dovecot/auth-userdb
> ls -l /var/run/dovecot/auth-userdb
> srw-r----- 1 vmail vmail
> my unix_listener auth-userdb {
>   mode = 600
> }
> 
> protocol lda {
>   auth_socket_path = /var/run/dovecot/auth-userdb
>   log_path = /home/vmail/dovecot-deliver.log
> 
> That worked for me.
> 1. I haven't restarted the dovecot service; I don't know if it will keep the settings.

--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6200 x224 | 678.514.6299 fax


Re: [Dovecot] permissions on auth-userdb

2012-06-22 Thread robert coore
googlemail.com> writes:

> 
> Hi..
> 
> I'm still trying to upgrade to 2.0.
> I'm getting:
> dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=1(vmail) egid=1(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)
> 
> The error is correct because it's owned by root. My question is who should own
> it?
> I'm not sure how that works, what process/user calls the auth-userdb?
> The auth-userdb returns the args generated in master.conf, right?
> 
> I think commenting out the user and group setting in master.conf will fix
> it, but I'm not sure if that is the most secure way.
> 
> The mails come from postfix via dovecot-lda.
> 
> Hans
> 
> master.conf
> service auth {
>   # auth_socket_path points to this userdb socket by default. It's typically
>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>   # permissions make it readable only by root, but you may need to relax 
> these
>   # permissions. Users that have access to this socket are able to get a list
>   # of all usernames and get results of everyone's userdb lookups.
>   unix_listener auth-userdb {
> mode = 0600
> #user = vmail
> #group = vmail
>   }
> 
> auth-ldap.conf.ext
> passdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/
> mail=/home/MAILBOXES/%u/mail
> }
> 
> 


Hi all, I was getting the same errors; it took me 2 days to understand what it was
saying to me, but I finally solved it.

If you do an ls -l /var/run/dovecot/auth-userdb you will see that root is the
owner and the permissions are srw, so vmail has no right to call or
even use the process.
What I did was a chown -R vmail:vmail /var/run/dovecot/auth-userdb
I also did a chmod g+r /var/run/dovecot/auth-userdb
ls -l /var/run/dovecot/auth-userdb
srw-r----- 1 vmail vmail
my unix_listener auth-userdb {
  mode = 600
}

protocol lda {
  auth_socket_path = /var/run/dovecot/auth-userdb
  log_path = /home/vmail/dovecot-deliver.log

That worked for me.
1. I haven't restarted the dovecot service; I don't know if it will keep the settings.


Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread Timo Sirainen
On Mon, 2010-09-20 at 19:32 +0200, Dieter Knopf wrote:
> service auth {
>   unix_listener auth-master {

You need to change auth-userdb, not auth-master

> group = vmail
> user = vmail
> mode = 0600
> 
>   }
> }
> 
> Seems like my config part is for the auth-master-sock only.
> So I need to add a unix_listener auth-userdb? (static)

Or just change the auth-master name to auth-userdb. You're unlikely to
need auth-master anyway.




Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread Dieter Knopf
2010/9/20 Timo Sirainen :
> And when you set those, does auth-userdb socket's owner/group change or
> is it still root?

Nope :(
srw------- 1 root    root  0 20. Sep 19:28 auth-client
srw------- 1 dovecot root  0 20. Sep 19:28 auth-login
srw------- 1 vmail   vmail 0 20. Sep 19:28 auth-master
srw------- 1 root    root  0 20. Sep 19:28 auth-userdb
srw------- 1 dovecot root  0 20. Sep 19:28 auth-worker

Config is:
service auth {
  unix_listener auth-master {
group = vmail
user = vmail
mode = 0600

  }
}

Seems like my config part is for the auth-master-sock only.
So I need to add a unix_listener auth-userdb? (static)

Thanks


Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread Timo Sirainen
On Mon, 2010-09-20 at 18:26 +0200, Dieter Knopf wrote:
> 2010/9/20 Timo Sirainen :
> > No, it's trying to open it as the mail user, and above shows that it's
> > vmail. So make the socket accessible to vmail:
> >
> > service auth {
> >  unix_listener auth-userdb {
> >user = vmail
> >  }
> > }
> 
> Thanks for the tip, I added this (again) and still have the error :(
> I tested with group=vmail too (and restarted after it).

And when you set those, does auth-userdb socket's owner/group change or
is it still root?



Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread Dieter Knopf
2010/9/20 Timo Sirainen :
> No, it's trying to open it as the mail user, and above shows that it's
> vmail. So make the socket accessible to vmail:
>
> service auth {
>  unix_listener auth-userdb {
>    user = vmail
>  }
> }

Thanks for the tip, I added this (again) and still have the error :(
I tested with group=vmail too (and restarted after it).

It worked fine after i changed the permissions manually (chmod), but
this can't be the solution :(


2010-09-20 18:22:50 lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=5000(vmail) egid=5000(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)

Thanks


Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread LEVAI Daniel
On Mon, Sep 20, 2010 at 14:59:20 +0100, Timo Sirainen wrote:
> On Mon, 2010-09-20 at 08:55 +0200, LEVAI Daniel wrote:
> > > 2010-09-20 06:28:04 lda: Error: userdb lookup:
> > > connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> > > (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> > > /var/run/dovecot/auth-userdb, euid is not dir owner)
> > 
> > Dovecot tries to open that file with the "default_internal_user" user,
> 
> No, it's trying to open it as the mail user, and above shows that it's
> vmail. So make the socket accessible to vmail:

Sorry, I wasn't paying enough attention.


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F


Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread Timo Sirainen
On Mon, 2010-09-20 at 08:55 +0200, LEVAI Daniel wrote:
> > 2010-09-20 06:28:04 lda: Error: userdb lookup:
> > connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> > (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> > /var/run/dovecot/auth-userdb, euid is not dir owner)
> 
> Dovecot tries to open that file with the "default_internal_user" user,

No, it's trying to open it as the mail user, and above shows that it's
vmail. So make the socket accessible to vmail:

service auth {
  unix_listener auth-userdb {
user = vmail
  }
}
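As an added illustration (not code from this thread or from Dovecot), here is a small Python check in the spirit of the permission-testing command Charles wishes for at the top of this page: it parses the lda error quoted above, applies the owner/group/other check to the socket's ownership and mode bits, flags a socket whose "other" bits are set (the master.conf comment quoted elsewhere in the thread warns that anyone who can reach the socket can list all usernames), and renders the unix_listener block from this message. The SocketInfo input shape and the group/0660 variant for installations with several UIDs are assumptions; the sample values are constructed from the thread.

```python
import re
from dataclasses import dataclass

# Matches the lda error quoted in this thread, e.g. "... connect(/var/run/dovecot/auth-userdb)
# failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: ..."
LDA_ERROR = re.compile(
    r"connect\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<uid>\d+)\((?P<user>[^)]*)\) egid=(?P<gid>\d+)\((?P<group>[^)]*)\)"
)

@dataclass
class SocketInfo:
    """Ownership and permission bits of the socket, as ls -l shows them (assumed input shape)."""
    path: str
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o600

def parse_lda_error(line):
    """Pull the socket path and the caller's euid/egid (and names) out of one lda error line."""
    m = LDA_ERROR.search(line)
    if m is None:
        return None
    return {"path": m["path"], "uid": int(m["uid"]), "user": m["user"],
            "gid": int(m["gid"]), "group": m["group"]}

def can_connect(sock, uid, gid, supplementary=()):
    """Owner/group/other check; the caller needs the rw bits of its class to use the socket."""
    if uid == 0:
        return True  # root bypasses mode bits, so a root:root 0600 socket only breaks non-root callers
    if uid == sock.owner_uid:
        bits = (sock.mode >> 6) & 0o7
    elif gid == sock.owner_gid or sock.owner_gid in supplementary:
        bits = (sock.mode >> 3) & 0o7
    else:
        bits = sock.mode & 0o7
    return (bits & 0o6) == 0o6

def world_accessible(sock):
    """True if any 'other' rw bit is set: every local user could then list usernames via the socket."""
    return (sock.mode & 0o006) != 0

def suggest_listener(caller, single_uid=True):
    """Render the unix_listener block Timo gives; the group/0660 form is an assumed multi-UID variant."""
    name = caller["path"].rsplit("/", 1)[-1]
    if single_uid:
        body = f"    user = {caller['user']}\n    mode = 0600\n"
    else:
        body = f"    group = {caller['group']}\n    mode = 0660\n"
    return f"service auth {{\n  unix_listener {name} {{\n{body}  }}\n}}\n"

def diagnose(error_line, sock):
    """Is the socket reachable by the failing caller, is it over-exposed, and what should be set?"""
    caller = parse_lda_error(error_line)
    if caller is None:
        return {"parsed": False}
    return {"parsed": True,
            "reachable": can_connect(sock, caller["uid"], caller["gid"]),
            "world_accessible": world_accessible(sock),
            "fix": suggest_listener(caller)}

if __name__ == "__main__":
    # Constructed from the values quoted in this thread: root-owned 0600 socket, lda running as vmail.
    err = ("lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission "
           "denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /var/run/dovecot/auth-userdb)")
    print(diagnose(err, SocketInfo("/var/run/dovecot/auth-userdb", 0, 0, 0o600)))
```

Feed it the euid/egid from your own log line and the owner, group and mode from ls -l on the socket; "reachable" with "world_accessible" false is the state Timo's snippet produces.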




Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-20 Thread Dieter Knopf
2010/9/20 LEVAI Daniel :
> Dovecot tries to open that file with the "default_internal_user" user,
> which is configurable in dovecot.conf. See
> # doveconf -h default_internal_user
> what is the current user for you.

Default user is dovecot like it was with 1.2, but there is a new user dovenull

# doveconf -h default_internal_user
dovecot

Thanks


Re: [Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-19 Thread LEVAI Daniel
On Mon, Sep 20, 2010 at 06:34:01 +0200, Dieter Knopf wrote:
> Hello,
> 
> first sorry for this question. I already found many threads about this
> problem including a thread in this list from August 2010, but nothing
> helped :(
> 
> Here is the error:
> 2010-09-20 06:28:04 lda: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/
> 2010-09-20 06:28:04 lda: Debug: Module loaded:
> /usr/lib/dovecot/modules//lib90_sieve_plugin.so
> 2010-09-20 06:28:04 lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)
> 2010-09-20 06:28:04 lda: Fatal: Internal error occurred. Refer to
> server log for more information.
> 
> srw-------  1 root    root   0 20. Sep 06:21 auth-userdb

Dovecot tries to open that file with the "default_internal_user" user,
which is configurable in dovecot.conf. See 
# doveconf -h default_internal_user
what is the current user for you.


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F


[Dovecot] permissions on auth-userdb Error: userdb lookup

2010-09-19 Thread Dieter Knopf
Hello,

first sorry for this question. I already found many threads about this
problem including a thread in this list from August 2010, but nothing
helped :(

Here is the error:
2010-09-20 06:28:04 lda: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/
2010-09-20 06:28:04 lda: Debug: Module loaded:
/usr/lib/dovecot/modules//lib90_sieve_plugin.so
2010-09-20 06:28:04 lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=5000(vmail) egid=5000(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)
2010-09-20 06:28:04 lda: Fatal: Internal error occurred. Refer to
server log for more information.

srw-------  1 root    root   0 20. Sep 06:21 auth-userdb

It worked fine with Dovecot 1.x, i use a static userdb.

vmail(5000):vmail(5000) is my standard user/group for /home/vmail/

Here is the config:
=
listen = 92.198.xx.xx
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_gid = 5000
mail_location = maildir:/home/vmail/%d/%n:INDEX=/home/vmail-indexes/%d/%n
mail_privileged_group = vmail
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = /home/vmail-sieve/%u/main.sieve
  sieve_before = /home/vmail/global/before.sieve
  sieve_dir = /home/vmail-sieve/%u/
  sieve_global_dir = /home/vmail-sieve/global/
}
protocols = imap
service auth {
  unix_listener auth-master {
mode = 0600
  }
}
service imap-login {
  inet_listener imap {
port = 0
  }
  inet_listener imaps {
address = 92.198.xx.xx
  }
}
service pop3-login {
  inet_listener pop3s {
address = 92.198.xx.xx
  }
}
ssl_cert = 

Re: [Dovecot] permissions on auth-userdb

2010-08-31 Thread Timo Sirainen
On Tue, 2010-08-31 at 02:13 +0200, spamv...@googlemail.com wrote:
> Hi..
> 
> I'm still trying to upgrade to 2.0.
> I'm getting:
> dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=1(vmail) egid=1(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)

You're calling dovecot-lda as the user vmail:vmail, probably from your
MTA. Probably it's not being called by anyone else.

> service auth {
>   # auth_socket_path points to this userdb socket by default. It's typically
>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>   # permissions make it readable only by root, but you may need to relax these
>   # permissions. Users that have access to this socket are able to get a list
>   # of all usernames and get results of everyone's userdb lookups.
>   unix_listener auth-userdb {
> mode = 0600
> #user = vmail
> #group = vmail

Comment out the user/group lines above and that should work fine.



Re: [Dovecot] permissions on auth-userdb

2010-08-31 Thread spamvoll
The question is if that process needs to be root or not.
And as long as I don't know who's talking to that process and why it
runs as root by default, I wouldn't touch it.

It would make sense if it's running as root when userdb is pam to
access the files, or if it's running as root because no one should have root
rights and so no one can read the whole userdb.
In that last case it would be really bad to switch the user from root
to vmail :)

In my case all mails are stored with user vmail, maybe user vmail
needs to be able to read the whole db.

I don't know :) If someone knows, let me know.
Hans


2010/8/31 Egbert Jan van den Bussche :
> On 31-8-2010 2:13, spamv...@googlemail.com wrote:
>>
>> Hi..
>>
>> I'm still trying to upgrade to 2.0.
>> I'm getting:
>> dovecot: lda: Error: userdb lookup:
>> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
>> (euid=1(vmail) egid=1(vmail) missing +r perm:
>> /var/run/dovecot/auth-userdb, euid is not dir owner)
>>
>> The error is correct because it's owned by root. My question is who should
>> own it?
>> I'm not sure how that works, what process/user calls the auth-userdb?
>> The auth-userdb returns the args generated in master.conf, right?
>>
>> I think commenting out the user and group setting in master.conf will fix
>> it, but I'm not sure if that is the most secure way.
>>
>> The mails come from postfix via dovecot-lda.
>>
>> Hans
>>
>> master.conf
>> service auth {
>>   # auth_socket_path points to this userdb socket by default. It's
>> typically
>>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>>   # permissions make it readable only by root, but you may need to relax
>> these
>>   # permissions. Users that have access to this socket are able to get a
>> list
>>   # of all usernames and get results of everyone's userdb lookups.
>>   unix_listener auth-userdb {
>>     mode = 0600
>>     #user = vmail
>>     #group = vmail
>>   }
>>
>> auth-ldap.conf.ext
>> passdb {
>>   driver = ldap
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>> }
>> userdb {
>>   driver = static
>>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/
>> mail=/home/MAILBOXES/%u/mail
>> }
>
> Had more or less the same fight with 1.2.9. I had to change auth user to the
> group 'shadow' (if /etc/shadow is owned by group shadow). Or run auth under
> the default user 'root'.
>
> In your case it has to do with the passdb and/or userdb you use. In my case
> I had the problems with local users via pam.
>
> HTH
> Egbert Jan
>


Re: [Dovecot] permissions on auth-userdb

2010-08-31 Thread Egbert Jan van den Bussche

On 31-8-2010 2:13, spamv...@googlemail.com wrote:
> Hi..
> 
> I'm still trying to upgrade to 2.0.
> I'm getting:
> dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=1(vmail) egid=1(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, euid is not dir owner)
> 
> The error is correct because it's owned by root. My question is who should own it?
> I'm not sure how that works, what process/user calls the auth-userdb?
> The auth-userdb returns the args generated in master.conf, right?
> 
> I think commenting out the user and group setting in master.conf will fix
> it, but I'm not sure if that is the most secure way.
> 
> The mails come from postfix via dovecot-lda.
> 
> Hans
> 
> master.conf
> service auth {
>   # auth_socket_path points to this userdb socket by default. It's typically
>   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
>   # permissions make it readable only by root, but you may need to relax these
>   # permissions. Users that have access to this socket are able to get a list
>   # of all usernames and get results of everyone's userdb lookups.
>   unix_listener auth-userdb {
>     mode = 0600
>     #user = vmail
>     #group = vmail
>   }
> 
> auth-ldap.conf.ext
> passdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/
> mail=/home/MAILBOXES/%u/mail
> }

Had more or less the same fight with 1.2.9. I had to change auth user to
the group 'shadow' (if /etc/shadow is owned by group shadow). Or run
auth under the default user 'root'.


In your case it has to do with the passdb and/or userdb you use. In my 
case I had the problems with local users via pam.


HTH
Egbert Jan


[Dovecot] permissions on auth-userdb

2010-08-30 Thread spamvoll
Hi..

I'm still trying to upgrade to 2.0.
I'm getting:
dovecot: lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=1(vmail) egid=1(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)

The error is correct because it's owned by root. My question is who should own it?
I'm not sure how that works, what process/user calls the auth-userdb?
The auth-userdb returns the args generated in master.conf, right?

I think commenting out the user and group setting in master.conf will fix
it, but I'm not sure if that is the most secure way.

The mails come from postfix via dovecot-lda.

Hans

master.conf
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
mode = 0600
#user = vmail
#group = vmail
  }

auth-ldap.conf.ext
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/
mail=/home/MAILBOXES/%u/mail
}