Re: [SOLVED] Permissions for dovecot logging
On 30 December 2022 22:25:09 CET, James Moe wrote:
>On 2022-12-27 16:19, James Moe wrote:
>
>> I changed logging to use a path rather than syslog. Doing so makes it easier
>> to work with fail2ban.
>> Dovecot fails to start with the error:
>> Can't open log file /data01/var/log/dovecot.log: Permission denied
>>
>  Yes, it was apparmor. It has been enabled for a couple of months. Dovecot is
>the first app that I've added that has an apparmor profile. After adding the
>necessary entry to the profile, logging proceeded as expected.
>
>In I added:
>  owner /data01/var/log/dovecot/* a,
>
>

Hi,

When an application is denied access by AppArmor, you can see the logs in syslog.

Anyway, if that helps, have a look here:
https://github.com/progmaticltd/homebox/tree/main/roles/dovecot/templates/apparmor.d

André.
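
The syslog check described above, as an added example that is not part of the original thread: it pulls AppArmor denial records out of log text and groups the denied access by profile and path. The two denial lines are constructed in the kernel audit format; the profile name, pids and audit serials are assumed values.

```python
import re

# Constructed sample (not from the thread): two AppArmor denials in the kernel
# audit format, with an assumed profile name and audit serials, followed by the
# systemd line quoted in the thread, which must be ignored.
SAMPLE_LOG = """\
2022-12-29T20:17:56-0700 sma-server3 kernel: audit: type=1400 audit(1672370276.101:412): apparmor="DENIED" operation="mknod" profile="dovecot" name="/data01/var/log/dovecot.log" pid=12102 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-12-29T20:18:31-0700 sma-server3 kernel: audit: type=1400 audit(1672370311.554:419): apparmor="DENIED" operation="open" profile="dovecot" name="/data01/var/log/dovecot.log" pid=12140 comm="dovecot" requested_mask="a" denied_mask="a" fsuid=0 ouid=0
2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process exited, code=exited, status=80/n/a
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text, comm=None):
    """Return one dict per apparmor="DENIED" record, optionally filtered by comm."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        if comm is None or rec.get("comm") == comm:
            records.append(rec)
    return records


def summarize(records):
    """Map (profile, path) to the sorted union of denied_mask letters."""
    summary = {}
    for rec in records:
        key = (rec.get("profile", "?"), rec.get("name", "?"))
        summary.setdefault(key, set()).update(rec.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in summary.items()}


if __name__ == "__main__":
    for (profile, path), mask in summarize(parse_denials(SAMPLE_LOG, "dovecot")).items():
        print(f"profile={profile} path={path} denied={mask}")
```
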
Re: [SOLVED] Permissions for dovecot logging
On 2022-12-27 16:19, James Moe wrote:

> I changed logging to use a path rather than syslog. Doing so makes it easier
> to work with fail2ban.
> Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
>
  Yes, it was apparmor. It has been enabled for a couple of months. Dovecot is
the first app that I've added that has an apparmor profile. After adding the
necessary entry to the profile, logging proceeded as expected.

In I added:
  owner /data01/var/log/dovecot/* a,

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
Re: Permissions for dovecot logging
On Thursday, December 29, 2022 10:17:08 PM AKST Aki Tuomi wrote:
> > On 30/12/2022 05:25 EET James Moe wrote:
> > Permission is still denied.
> > Where do I find information about "status=80/n/a"?
> >
> > I did not include all two of the syslog entries in the previous message:
> > 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> > /data01/var/log/dovecot.log: Permission denied
> > 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main
> > process exited, code=exited, status=80/n/a
>
> Maybe you have selinux or apparmor involved? On rhel based systems, selinux
> logs into /var/log/audit/audit.log, dmesg -T is another good thing to
> check.
>

Status=80 I assume is the exit code dovecot threw when it couldn't open the log file. Whatever "int main()" is programmed to return.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
> Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied

That error message is typical of a simple unix permission issue, nothing to do with selinux etc.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
> Permissions:
> drwxrwxr-x 1 root users 104 Feb 25 2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecotusers 22 Dec 27 15:47 /data01/var/log/dovecot/
>
> "dovecot" is a member of "users".
>
> What "permission" am I missing?

If the process isn't running with an effective group id of "users", then it cannot access that directory simply by virtue of being a member of that group. The main program has to call setegid() with the proper group id before attempting to access those files.

On Tuesday, December 27, 2022 10:27:31 PM AKST Aki Tuomi wrote:
> If you want to run log as `dovecot`, you can do so with
>
> service log {
>   user = dovecot
> }

Maybe try something like this:

service log {
  user = dovecot
  group = users
}

Otherwise you might not have the process running with the right effective group id to access the log file location by unix group permissions.

--
https://justina.abeja.colmena.biz/
Re: Permissions for dovecot logging
> On 30/12/2022 05:25 EET James Moe wrote:
>
>
> On 2022-12-28 00:27, Aki Tuomi wrote:
>
> > The `log` service runs by default as root, not as dovecot.
> >
>   Then I do not understand why there is a permissions problem at all. It is
> root!
>
> > If data01 is a NFS mount, then root may become squashed.
> >
>   Not an NFS mount. It is local.
>
> > If you want to run log as `dovecot`, you can do so with
> >
> > service log {
> >   user = dovecot
> > }
> >
>   Permission is still denied.
>   Where do I find information about "status=80/n/a"?
>
>   I did not include all two of the syslog entries in the previous message:
> 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> /data01/var/log/dovecot.log: Permission denied
> 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process
> exited, code=exited, status=80/n/a
>
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.

Maybe you have selinux or apparmor involved? On rhel based systems, selinux logs into /var/log/audit/audit.log, dmesg -T is another good thing to check.

Aki
Re: Permissions for dovecot logging
On 2022-12-28 00:27, Aki Tuomi wrote:

> The `log` service runs by default as root, not as dovecot.
>
  Then I do not understand why there is a permissions problem at all. It is
root!

> If data01 is a NFS mount, then root may become squashed.
>
  Not an NFS mount. It is local.

> If you want to run log as `dovecot`, you can do so with
>
> service log {
>   user = dovecot
> }
>
  Permission is still denied.
  Where do I find information about "status=80/n/a"?

  I did not include all two of the syslog entries in the previous message:
2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file /data01/var/log/dovecot.log: Permission denied
2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main process exited, code=exited, status=80/n/a

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
Re: Permissions for dovecot logging
> On 28/12/2022 01:19 EET James Moe wrote:
>
>
> dovecot 2.3.15
> opensuse LEAP 15.4
>
> I changed logging to use a path rather than syslog. Doing so makes it easier
> to work with fail2ban.
> Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
>
> Permissions:
> drwxrwxr-x 1 root users 104 Feb 25 2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecotusers 22 Dec 27 15:47 /data01/var/log/dovecot/
>
> "dovecot" is a member of "users".
>
> What "permission" am I missing?
>
> Note: A long time ago I had a problem with programs consuming all available
> space on the system disk with log or backup files. I have since gotten in the
> habit of putting log files on a non-system disk.
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.

Hi!

Dovecot drops all extra group memberships from processes when spawning them unless told otherwise.

The `log` service runs by default as root, not as dovecot. If data01 is a NFS mount, then root may become squashed.

If you want to run log as `dovecot`, you can do so with

service log {
  user = dovecot
}

Aki
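
The mode-bit reasoning from this exchange, applied to the directory listing in the original post, as an added example that is not part of the thread. It models only classic Unix permission bits (no ACLs, AppArmor or SELinux), and the primary group name `dovecot` is an assumption.

```python
import posixpath

# Owner, group and mode of each directory, copied from the listing in the
# original post. "/" itself is not in the listing and is assumed searchable.
LISTING = {
    "/data01": ("root", "users", "rwxrwxr-x"),
    "/data01/var": ("sma-user3x", "users", "rwxrwxr-x"),
    "/data01/var/log": ("sma-user3x", "users", "rwxrwxr-x"),
}


def dac_allows(user, groups, path, want, listing=LISTING):
    """Classic mode-bit check: exactly one triplet (owner, group, other) applies."""
    if user == "root":
        return True  # root holds CAP_DAC_OVERRIDE, so mode bits do not stop it
    owner, group, mode = listing[path]
    if user == owner:
        triplet = mode[0:3]
    elif group in groups:
        triplet = mode[3:6]
    else:
        triplet = mode[6:9]
    return all(bit in triplet for bit in want)


def can_create(user, groups, logfile, listing=LISTING):
    """Creating a file needs x on every ancestor and w+x on the parent directory.

    Returns (allowed, first_directory_that_blocks_or_None).
    """
    parent = posixpath.dirname(logfile)
    parts = parent.strip("/").split("/")
    for i in range(len(parts)):
        directory = "/" + "/".join(parts[: i + 1])
        want = "wx" if directory == parent else "x"
        if not dac_allows(user, groups, directory, want, listing):
            return False, directory
    return True, None


if __name__ == "__main__":
    log = "/data01/var/log/dovecot.log"
    # The primary group name "dovecot" is an assumption; the thread does not state it.
    for user, groups in [("root", {"root"}), ("dovecot", {"dovecot"}), ("dovecot", {"dovecot", "users"})]:
        print(user, sorted(groups), can_create(user, groups, log))
```

With root as the log service user the mode bits allow the create, so a "Permission denied" in that configuration points at something other than the mode bits, such as the NFS root squashing or SELinux/AppArmor policy raised in the replies.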
Permissions for dovecot logging
dovecot 2.3.15
opensuse LEAP 15.4

I changed logging to use a path rather than syslog. Doing so makes it easier
to work with fail2ban.
Dovecot fails to start with the error:
Can't open log file /data01/var/log/dovecot.log: Permission denied

Permissions:
drwxrwxr-x 1 root users 104 Feb 25 2018 /data01/
drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
drwxrwxr-x 1 dovecotusers 22 Dec 27 15:47 /data01/var/log/dovecot/

"dovecot" is a member of "users".

What "permission" am I missing?

Note: A long time ago I had a problem with programs consuming all available
space on the system disk with log or backup files. I have since gotten in the
habit of putting log files on a non-system disk.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.