Re: [Dovecot] sievec - manual compile of global sieve scripts?
On 8/1/2011 8:43 PM, Stephan Bosch wrote:
> On 8/1/2011 10:11 PM, Thomas Harold wrote:
>> How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
>>
>> http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
>>
>> # cd /etc/dovecot/sieve/before/
>> # (edit some script like spam.sieve that runs for everyone)
>> # /usr/local/bin/sievec spam.sieve spam.svbin
>> sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)
>
> Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts.

Sorry, I may not have been clear before: I am trying to run sievec as root. So the error is confusing to me, because it looks like sievec is trying to drop privs and do the compile as the vmail user.

I haven't done anything special to the sievec file (like making it run as vmail or always run as root; SELinux is in permissive mode until I gather up enough entries in the audit log to make an audit2allow run useful).

# ls -la /usr/local/bin
-rwxr-xr-x 1 root root 123989 Aug  1 12:25 sievec
-rwxr-xr-x 1 root root 119415 Aug  1 12:25 sieve-dump
-rwxr-xr-x 1 root root 133592 Aug  1 12:25 sieve-test

As a workaround, I may temporarily alter my Makefile to set the directory writable by the vmail group, compile the scripts, then set the directory read-only again. The files end up owned as vmail:vmail when I do that, even though I execute the sievec command as root.

# /usr/local/bin/sievec sortspam.sieve sortspam.svbin
-rw-rw-r-- 1 root  root  477 Aug  1 15:33 sortspam.sieve
-rw-rw-r-- 1 vmail vmail 321 Aug  2 08:26 sortspam.svbin

...

My current Makefile.

# cat Makefile
# http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#scriptcompile
SIEVEC=/usr/local/bin/sievec
SRCS=$(wildcard *.sieve)
OBJS=$(SRCS:.sieve=.svbin)

all: $(OBJS)

# $< is the single .sieve prerequisite, $@ the .svbin target.
# (The recipe line must start with a tab.)
%.svbin : %.sieve
	$(SIEVEC) $< $@
Re: [Dovecot] sievec - manual compile of global sieve scripts?
On 8/2/2011 2:32 PM, Thomas Harold wrote:
> On 8/1/2011 8:43 PM, Stephan Bosch wrote:
>> On 8/1/2011 10:11 PM, Thomas Harold wrote:
>>> How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
>>>
>>> http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
>>>
>>> # cd /etc/dovecot/sieve/before/
>>> # (edit some script like spam.sieve that runs for everyone)
>>> # /usr/local/bin/sievec spam.sieve spam.svbin
>>> sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)
>>
>> Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts.
>
> Sorry, I may not have been clear before: I am trying to run sievec as root. So the error is confusing to me, because it looks like sievec is trying to drop privs and do the compile as the vmail user.
>
> I haven't done anything special to the sievec file (like making it run as vmail or always run as root; SELinux is in permissive mode until I gather up enough entries in the audit log to make an audit2allow run useful).
>
> # ls -la /usr/local/bin
> -rwxr-xr-x 1 root root 123989 Aug  1 12:25 sievec
> -rwxr-xr-x 1 root root 119415 Aug  1 12:25 sieve-dump
> -rwxr-xr-x 1 root root 133592 Aug  1 12:25 sieve-test

What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using, and what is your config (show dovecot -n output)? I suspect there may be a bug.

Regards,

Stephan.
Re: [Dovecot] sievec - manual compile of global sieve scripts?
Mine has always behaved like this. It looks up the root user in the auth database from the dovecot config, and attempts to change to that user, and in this type of case that would be vmail. Then it attempts to check the mail_home and kind of fails, unless you give vmail permission to that path that would be created using the root user.

Quoting Thomas Harold thomas-li...@nybeta.com:
> On 8/2/2011 8:45 AM, Stephan Bosch wrote:
>> What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using, and what is your config (show dovecot -n output)? I suspect there may be a bug.
>
> dovecot-2.0-pigeonhole-0.2.3 - downloaded and compiled from source this week. The dovecot package itself comes from ATRPMs and is 2.0.13.
>
> Name    : dovecot
> Arch    : x86_64
> Epoch   : 1
> Version : 2.0.13
> Release : 1_129.el5
> Size    : 5.1 M
> Repo    : installed
> Summary : Dovecot Secure imap server
> URL     : http://www.dovecot.org/
> License : MIT
>
> Name    : dovecot-devel
> Arch    : x86_64
> Epoch   : 1
> Version : 2.0.13
> Release : 1_129.el5
> Size    : 667 k
> Repo    : installed
> Summary : Libraries and headers for Dovecot
> URL     : http://www.dovecot.org/
> License : MIT
>
> Output of dovecot -n
>
> # 2.0.13: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server release 5.7 (Tikanga)
> auth_verbose_passwords = sha1
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> listen = 127.0.0.1, 1.2.3.4
> mail_gid = vmail
> mail_home = /var/vmail/%d/%n
> mail_location = maildir:~/Maildir
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
> mbox_write_locks = fcntl
> passdb {
>   args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_after = /etc/dovecot/sieve/after/
>   sieve_before = /etc/dovecot/sieve/before/
>   sieve_dir = ~/sieve
>   sieve_global_dir = /etc/dovecot/sieve/globalinclude/
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     user = vmail
>   }
> }
> service imap-login {
>   process_min_avail = 5
> }
> service pop3-login {
>   inet_listener pop3 {
>     address = 1.2.3.4
>   }
>   inet_listener pop3s {
>     address = 1.2.3.4
>   }
> }
> ssl = required
> ssl_cert = </etc/pki/tls/private/certs/example_com.crt
> ssl_key = </etc/pki/tls/private/example_com.key
> protocol lda {
>   log_path = /var/log/dovecot/dovecot-lda
>   mail_plugins = sieve
> }
[Dovecot] sievec - manual compile of global sieve scripts?
How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?

http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage

# cd /etc/dovecot/sieve/before/
# (edit some script like spam.sieve that runs for everyone)
# /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)

# ls -la /etc/dovecot/sieve/before/
drwxrwxr-x 2 root root 4096 Aug  1 15:56 .
drwxr-xr-x 5 root root 4096 Aug  1 13:23 ..
-rw-rw-r-- 1 root root  477 Aug  1 15:33 spam.sieve

Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the vmail:vmail user? (Which worked, but seems like a bad idea.)

Output of dovecot -n

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server release 5.7 (Tikanga)
auth_verbose_passwords = sha1
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1, 1.2.3.4
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve/after/
  sieve_before = /etc/dovecot/sieve/before/
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/dovecot/sieve/globalinclude/
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    user = vmail
  }
}
service imap-login {
  process_min_avail = 5
}
service pop3-login {
  inet_listener pop3 {
    address = 1.2.3.4
  }
  inet_listener pop3s {
    address = 1.2.3.4
  }
}
ssl = required
ssl_cert = </etc/pki/tls/private/certs/example_com.crt
ssl_key = </etc/pki/tls/private/example_com.key
protocol lda {
  log_path = /var/log/dovecot/dovecot-lda
  mail_plugins = sieve
}
Re: [Dovecot] sievec - manual compile of global sieve scripts?
On 8/1/2011 10:11 PM, Thomas Harold wrote:
> How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user?
>
> http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
>
> # cd /etc/dovecot/sieve/before/
> # (edit some script like spam.sieve that runs for everyone)
> # /usr/local/bin/sievec spam.sieve spam.svbin
> sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner)

Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts.

> # ls -la /etc/dovecot/sieve/before/
> drwxrwxr-x 2 root root 4096 Aug  1 15:56 .
> drwxr-xr-x 5 root root 4096 Aug  1 13:23 ..
> -rw-rw-r-- 1 root root  477 Aug  1 15:33 spam.sieve
>
> Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the vmail:vmail user? (Which worked, but seems like a bad idea.)

It is a bad idea. Vmail would only need read access.

Regards,

Stephan
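The workaround Thomas sketches (let sievec write somewhere vmail may write, then put the tree back read-only) and Stephan's point that vmail only needs read access can be combined in one script. The following is an added example, not code from this thread, from Dovecot or from Pigeonhole. It assumes what the error message and the reply about the auth-database lookup describe: sievec switches to the configured mail_uid/mail_gid (vmail) and creates its temporary file and the .svbin in the output directory. So it hands sievec a private scratch directory owned by vmail, then installs the binary into the global tree as root with mode 0644, and finally audits the tree for anything vmail could still modify. SIEVEC, MAIL_USER, MAIL_GROUP and the function names are this script's own knobs, not Dovecot settings.

```sh
#!/bin/sh
# Added example (not from the thread, Dovecot or Pigeonhole): compile global
# Sieve scripts as root while /etc/dovecot/sieve stays root-owned and
# read-only for vmail.
#
# Assumption taken from the error in the thread: sievec drops to
# mail_uid/mail_gid (vmail) and writes its temp file and the .svbin into the
# *output* directory, so that directory, and only that one, must be writable
# by vmail.  SIEVEC, MAIL_USER and MAIL_GROUP are this script's own knobs.
set -eu

SIEVEC="${SIEVEC:-/usr/local/bin/sievec}"
MAIL_USER="${MAIL_USER:-vmail}"
MAIL_GROUP="${MAIL_GROUP:-vmail}"

# compile_one SRC.sieve DSTDIR
# Compiles SRC into DSTDIR/NAME.svbin, owned by the caller (root) with mode
# 0644.  Returns 1 if sievec fails or leaves no binary behind.
compile_one() {
    src="$1"; dstdir="$2"
    name="$(basename "$src" .sieve)"
    scratch="$(mktemp -d)"
    # Only root can hand the scratch dir to the mail user; as an
    # unprivileged user sievec already runs as ourselves.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$MAIL_USER:$MAIL_GROUP" "$scratch"
    fi
    chmod 0700 "$scratch"
    if ! "$SIEVEC" "$src" "$scratch/$name.svbin" || [ ! -s "$scratch/$name.svbin" ]; then
        rm -rf "$scratch"
        return 1
    fi
    # install(1) creates the destination as the invoking user (root), so
    # the global tree itself never has to be writable by vmail.
    install -m 0644 "$scratch/$name.svbin" "$dstdir/$name.svbin"
    rm -rf "$scratch"
}

# compile_dir SRCDIR DSTDIR
# Compiles every *.sieve in SRCDIR into DSTDIR; prints how many it produced.
compile_dir() {
    n=0
    for f in "$1"/*.sieve; do
        [ -e "$f" ] || continue        # no scripts: the glob stayed literal
        compile_one "$f" "$2"
        n=$((n + 1))
    done
    echo "$n"
}

# writable_by_mail_user DIR
# Prints every entry under DIR that vmail could modify (world-writable, or
# writable and owned by the mail user/group) and returns 1 if any exist.
# The owner/group tests are skipped where the account does not exist, e.g.
# on a test box, because find(1) aborts on an unknown -user/-group.
writable_by_mail_user() {
    dir="$1"
    if id "$MAIL_USER" >/dev/null 2>&1 && getent group "$MAIL_GROUP" >/dev/null 2>&1; then
        out="$(find "$dir" \( -perm -002 \
                  -o \( -user "$MAIL_USER" -a -perm -200 \) \
                  -o \( -group "$MAIL_GROUP" -a -perm -020 \) \) -print)"
    else
        out="$(find "$dir" -perm -002 -print)"
    fi
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Usage (as root), after sourcing this file:
#   compile_dir /etc/dovecot/sieve/before /etc/dovecot/sieve/before
#   writable_by_mail_user /etc/dovecot/sieve
```

Source and destination may be the same directory: sievec only reads the .sieve from the root-owned tree, and the .svbin is written there by root, not by vmail. The audit deliberately treats a vmail-owned binary as a finding even when its mode looks fine, since the owner can always chmod it back.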