Re: [Dovecot] /var/run/dovecot mode 750 too tight

2009-11-29 Thread Frank Cusack

On November 29, 2009 9:31:22 PM -0500 Timo Sirainen wrote:

> On Nov 29, 2009, at 1:24 PM, Frank Cusack wrote:
>
>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
>
> No, it creates it with mode 0755. Did you compile from sources? Are you
> sure it's 0750 if you rm -rf the directory and start "dovecot" binary
> directly (instead of e.g. some init script creating it)?

You're right, thank you.  I am using 1.2.8 from source but my init
script still has the directory creation itself as well ... which sets
the wrong mode.

-frank


Re: [Dovecot] /var/run/dovecot mode 750 too tight

2009-11-29 Thread Timo Sirainen
On Nov 29, 2009, at 1:24 PM, Frank Cusack wrote:

> dovecot-1.2.8 creates /var/run/dovecot mode 750.

No, it creates it with mode 0755. Did you compile from sources? Are you sure 
it's 0750 if you rm -rf the directory and start "dovecot" binary directly 
(instead of e.g. some init script creating it)?



Re: [Dovecot] /var/run/dovecot mode 750 too tight

2009-11-29 Thread Frank Cusack
On November 29, 2009 8:40:13 PM +0100 Thomas Leuxner wrote:

> On 29.11.2009 at 20:31, Frank Cusack wrote:
>
>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
>>
>> I run postfix+dovecot in a virtual user setup.  Postfix calls deliver
>> as user vmail group vmail.
>>
>> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error]
>> deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master)
>> failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x
>> perm: /var/run/dovecot)
>
> So it can't access that directory as it states. It would create that
> structure upon start to my knowledge. Mine is
>
> [20:38] root spectre:/# l -d /var/run/dovecot
> drwxr-xr-x 3 root root 4096 2009-11-25 13:20 /var/run/dovecot
>
> What is yours?


Mine is, as I noted in the very first line of my email, mode 750.
I normally would have removed all of the quoted lines above but
I left it so you can see back to the first line.

You are probably missing the information that this is new in
dovecot-1.2.8.  Prior to that, dovecot created /var/run/dovecot
mode 777, which was a security hole.

I wasn't looking for a fix, I was reporting a problem.  It only affects
systems where /var/run is on tmpfs and so dovecot has to create
/var/run/dovecot the first time it runs after a reboot.

Thanks for the look, though.

-frank


Re: [Dovecot] /var/run/dovecot mode 750 too tight

2009-11-29 Thread Thomas Leuxner

On 29.11.2009 at 20:31, Frank Cusack wrote:
>>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
>>> 
>>> I run postfix+dovecot in a virtual user setup.  Postfix calls deliver
>>> as user vmail group vmail.
>>> 
>>> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error]
>>> deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master)
>>> failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x
>>> perm: /var/run/dovecot)

So it can't access that directory as it states. It would create that structure 
upon start to my knowledge. Mine is

[20:38] root spectre:/# l -d /var/run/dovecot
drwxr-xr-x 3 root root 4096 2009-11-25 13:20 /var/run/dovecot

What is yours?

Regards
Thomas




Re: [Dovecot] /var/run/dovecot mode 750 too tight

2009-11-29 Thread Frank Cusack
On November 29, 2009 8:11:28 PM +0100 Thomas Leuxner wrote:

> On 29.11.2009 at 19:24, Frank Cusack wrote:
>
>> dovecot-1.2.8 creates /var/run/dovecot mode 750.
>>
>> I run postfix+dovecot in a virtual user setup.  Postfix calls deliver
>> as user vmail group vmail.
>>
>> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error]
>> deliver(frank): userdb lookup: connect(/var/run/dovecot/auth-master)
>> failed: Permission denied (euid=500(vmail) egid=500(vmail) missing +x
>> perm: /var/run/dovecot)
>>
>> I will say this: dovecot's error reporting in general is head and
>> shoulders above the norm.  Makes tracking down problems sooo much easier.
>>
>> Something else I noticed, should the dict-server socket really be mode
>> 777? At least a-x I would think.
>>
>> -frank
>
> Probably easier to tell if you would post your setup, but I guess this
> fixes it:
>
>   socket listen {
>     master {
>       path = /var/run/dovecot/auth-master
>       mode = 0600
>       user = vmail
>       group = vmail
>     }
>   }


No, as that only affects the socket itself.  If you look at the error
message and my email you see that the problem is in the parent directory.

I do have user=vmail on the socket.  I didn't set group=vmail but with
mode 0600 that doesn't matter.

-frank
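As an added example (not code from this thread or from Dovecot itself), the following Python reproduces the check that deliver fails here: it walks every directory leading to the auth-master socket for the connecting uid/gid, reports the first one lacking search (+x) permission in the style of dovecot's own diagnostic, and only then checks the socket's rw bits. The tree is a constructed fixture mirroring the thread (run directory root:root, socket 0600 owned by vmail, uid/gid 500); the names `diagnose_socket_access`, `fixture` and `check_as_vmail` are mine, and passing the default `stat_fn=os.stat` runs the same check against a real path.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so a constructed tree can be checked offline.
Entry = namedtuple("Entry", "st_mode st_uid st_gid")

def _allowed(st, uid, gid, groups):
    # (r, w, x) for (uid, gid, groups); uid 0 gets everything (exact for dirs/sockets).
    if uid == 0:
        return True, True, True
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid or st.st_gid in groups:
        shift = 3
    else:
        shift = 0
    bits = (st.st_mode >> shift) & 7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def diagnose_socket_access(path, uid, gid, groups=(), stat_fn=os.stat):
    # Check each directory on the way to `path` for +x in kernel order, then
    # the socket itself for rw.  Returns None when the DAC check passes, else
    # the first failing component, dovecot-style ("missing +x perm: <dir>").
    path = os.path.abspath(path)
    parts = path.strip(os.sep).split(os.sep)
    for i in range(len(parts)):
        d = os.path.join(os.sep, *parts[:i])
        if not _allowed(stat_fn(d), uid, gid, groups)[2]:
            return "missing +x perm: " + d
    r, w, _ = _allowed(stat_fn(path), uid, gid, groups)
    if not (r and w):
        return "missing +rw perm: " + path
    return None

# Constructed fixture mirroring the thread: /var/run/dovecot root:root with the
# mode under test, auth-master 0600 owned by vmail (uid/gid 500 per the log).
def fixture(run_dir_mode):
    tree = {
        "/": Entry(stat.S_IFDIR | 0o755, 0, 0),
        "/var": Entry(stat.S_IFDIR | 0o755, 0, 0),
        "/var/run": Entry(stat.S_IFDIR | 0o755, 0, 0),
        "/var/run/dovecot": Entry(stat.S_IFDIR | run_dir_mode, 0, 0),
        "/var/run/dovecot/auth-master": Entry(stat.S_IFSOCK | 0o600, 500, 500),
    }
    return lambda p: tree[p]

def check_as_vmail(run_dir_mode):
    return diagnose_socket_access("/var/run/dovecot/auth-master", 500, 500,
                                  stat_fn=fixture(run_dir_mode))
```

With the directory at 0750 the result is the thread's error ("missing +x perm: /var/run/dovecot"); at 0755 (or even 0751) it is None, since a 0600 socket owned by vmail is fine once the directory can be traversed.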


Re: [Dovecot] /var/run/dovecot mode 750 too tight

2009-11-29 Thread Thomas Leuxner

On 29.11.2009 at 19:24, Frank Cusack wrote:

> dovecot-1.2.8 creates /var/run/dovecot mode 750.
> 
> I run postfix+dovecot in a virtual user setup.  Postfix calls deliver
> as user vmail group vmail.
> 
> Nov 29 12:53:04 imap.invalid dovecot: [ID 583609 mail.error] deliver(frank): 
> userdb lookup: connect(/var/run/dovecot/auth-master) failed: Permission 
> denied (euid=500(vmail) egid=500(vmail) missing +x perm: /var/run/dovecot)
> 
> I will say this: dovecot's error reporting in general is head and shoulders
> above the norm.  Makes tracking down problems sooo much easier.
> 
> Something else I noticed, should the dict-server socket really be mode 777?
> At least a-x I would think.
> 
> -frank

Probably easier to tell if you would post your setup, but I guess this fixes it:

  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = vmail
    }
  }

Regards
Thomas