Re: [Dovecot] sievec - manual compile of global sieve scripts?
On 8/1/2011 8:43 PM, Stephan Bosch wrote: On 8/1/2011 10:11 PM, Thomas Harold wrote: How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user? http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage # cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner) Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts. Sorry, I may not have been clear before, I am trying to run sievec as root. So the error is confusing to me because it looks like sievec is trying to drop privs and do the compile as the vmail user. I haven't done anything special to the sievec file (like making it run as vmail or always run as root, SELinux is in permissive mode until I gather up enough entries in the audit log to make an audit2allow run useful). # ls -la /usr/local/bin -rwxr-xr-x 1 root root 123989 Aug 1 12:25 sievec -rwxr-xr-x 1 root root 119415 Aug 1 12:25 sieve-dump -rwxr-xr-x 1 root root 133592 Aug 1 12:25 sieve-test As a workaround, I may temporarily alter my Makefile to set the directory writable by the vmail group, compile the scripts, then set the directory read-only again. The files end up owned as vmail:vmail when I do that, even though I execute the sievec command as root. # /usr/local/bin/sievec sortspam.sieve sortspam.svbin -rw-rw-r-- 1 root root 477 Aug 1 15:33 sortspam.sieve -rw-rw-r-- 1 vmail vmail 321 Aug 2 08:26 sortspam.svbin ... My current Makefile. # cat Makefile # http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#scriptcompile SIEVEC=/usr/local/bin/sievec SRCS=$(wildcard *.sieve) OBJS=$(SRCS:.sieve=.svbin) all: $(OBJS) %.svbin : %.sieve $(SIEVEC) $? $@
Re: [Dovecot] sievec - manual compile of global sieve scripts?
On 8/2/2011 2:32 PM, Thomas Harold wrote: On 8/1/2011 8:43 PM, Stephan Bosch wrote: On 8/1/2011 10:11 PM, Thomas Harold wrote: How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user? http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage # cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner) Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts. Sorry, I may not have been clear before, I am trying to run sievec as root. So the error is confusing to me because it looks like sievec is trying to drop privs and do the compile as the vmail user. I haven't done anything special to the sievec file (like making it run as vmail or always run as root, SELinux is in permissive mode until I gather up enough entries in the audit log to make an audit2allow run useful). # ls -la /usr/local/bin -rwxr-xr-x 1 root root 123989 Aug 1 12:25 sievec -rwxr-xr-x 1 root root 119415 Aug 1 12:25 sieve-dump -rwxr-xr-x 1 root root 133592 Aug 1 12:25 sieve-test What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using and what is your config (show dovecot -n output) ? I suspect there may be a bug. Regards, Stephan.
Re: [Dovecot] sievec - manual compile of global sieve scripts?
Mine has always behaved like this.
It looks up the root user in the auth database from the dovecot
config, and attemps to change to that user, and in this type of case
that would be vmail.
Then it attempts to check the mail_home and kind of fails, unless you
give vmail permission to that path that would be created using the
root user.
Quoting Thomas Harold thomas-li...@nybeta.com:
On 8/2/2011 8:45 AM, Stephan Bosch wrote:
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using
and what is your config (show dovecot -n output) ?
I suspect there may be a bug.
dovecot-2.0-pigeonhole-0.2.3 - downloaded and compiled from source
this week. The dovecot package itself comes from ATRPMs and is
2.0.13.
Name : dovecot
Arch : x86_64
Epoch : 1
Version: 2.0.13
Release: 1_129.el5
Size : 5.1 M
Repo : installed
Summary: Dovecot Secure imap server
URL: http://www.dovecot.org/
License: MIT
Name : dovecot-devel
Arch : x86_64
Epoch : 1
Version: 2.0.13
Release: 1_129.el5
Size : 667 k
Repo : installed
Summary: Libraries and headers for Dovecot
URL: http://www.dovecot.org/
License: MIT
Output of dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server
release 5.7 (Tikanga)
auth_verbose_passwords = sha1
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1, 1.2.3.4
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after/
sieve_before = /etc/dovecot/sieve/before/
sieve_dir = ~/sieve
sieve_global_dir = /etc/dovecot/sieve/globalinclude/
}
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
user = vmail
}
}
service imap-login {
process_min_avail = 5
}
service pop3-login {
inet_listener pop3 {
address = 1.2.3.4
}
inet_listener pop3s {
address = 1.2.3.4
}
}
ssl = required
ssl_cert = /etc/pki/tls/private/certs/example_com.crt
ssl_key = /etc/pki/tls/private/example_com.key
protocol lda {
log_path = /var/log/dovecot/dovecot-lda
mail_plugins = sieve
}
[Dovecot] sievec - manual compile of global sieve scripts?
How do you compile global scripts using the sievec command without
making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/
# (edit some script like spam.sieve that runs for everyone)
# /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary
file: open(spam.svbin.hostname.26921.) in directory
/etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail)
egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not
dir owner)
# ls -la /etc/dovecot/sieve/before/
drwxrwxr-x 2 root root 4096 Aug 1 15:56 .
drwxr-xr-x 5 root root 4096 Aug 1 13:23 ..
-rw-rw-r-- 1 root root 477 Aug 1 15:33 spam.sieve
Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the
vmail:vmail user? (Which worked, but seems like a bad idea.)
Output of dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server
release 5.7 (Tikanga)
auth_verbose_passwords = sha1
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1, 1.2.3.4
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after/
sieve_before = /etc/dovecot/sieve/before/
sieve_dir = ~/sieve
sieve_global_dir = /etc/dovecot/sieve/globalinclude/
}
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
user = vmail
}
}
service imap-login {
process_min_avail = 5
}
service pop3-login {
inet_listener pop3 {
address = 1.2.3.4
}
inet_listener pop3s {
address = 1.2.3.4
}
}
ssl = required
ssl_cert = /etc/pki/tls/private/certs/example_com.crt
ssl_key = /etc/pki/tls/private/example_com.key
protocol lda {
log_path = /var/log/dovecot/dovecot-lda
mail_plugins = sieve
}
Re: [Dovecot] sievec - manual compile of global sieve scripts?
On 8/1/2011 10:11 PM, Thomas Harold wrote: How do you compile global scripts using the sievec command without making the script directory owned (and group writable) by the vmail user? http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage # cd /etc/dovecot/sieve/before/ # (edit some script like spam.sieve that runs for everyone) # /usr/local/bin/sievec spam.sieve spam.svbin sievec(root): Error: sieve: binary save: failed to create temporary file: open(spam.svbin.hostname.26921.) in directory /etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not dir owner) Why are you executing sievec as vmail in the first place? You should be able to run it as root or any other user you use to manage global sieve scripts. # ls -la /etc/dovecot/sieve/before/ drwxrwxr-x 2 root root 4096 Aug 1 15:56 . drwxr-xr-x 5 root root 4096 Aug 1 13:23 .. -rw-rw-r-- 1 root root 477 Aug 1 15:33 spam.sieve Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the vmail:vmail user? (Which worked, but seems like a bad idea.) It is a bad idea. Vmail would only need read access. Regards, Stephan
