> On 30 Jul 2019, at 22.53, Tom Diehl via dovecot <dovecot at dovecot.org> wrote:
>
> On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
>
>> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>>>
>>> Does anyone have an Idea how to fix this?
>>
>> Perhaps see if there are any denials in SELinux audit log:
>
> Selinux is in permissive.
>
> If I do:
> (vmail1 pts9) # ll /proc/self/io
> -r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
> (vmail1 pts9) #
>
> It is obvious to me why I get permission denied. The problem is you
> cannot chmod on /proc. I suspect I have something mis-configured but
> the question is what?

service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}

please remove user = vmail from here or change it to root.

for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /self/proc/io as root before that.

Sami
On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
> service lmtp {
>   user = vmail
> }
>
> please remove user = vmail from here or change it to root.
>
> for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /self/proc/io as root before that.

Hello Sami,

I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security neither does https://dovecot.org/doc/NEWS-2.2 say so.
Could you prove that statement somehow?

Andreas
me at tdiehl.org
2019-Jul-31 22:51 UTC
Solved Re: doveadm: Error: open(/proc/self/io) failed
Hi Sami,

Thanks for taking the time to look at this. For the archives, the resolution is in line below.

On Wed, 31 Jul 2019, Sami Ketola wrote:
>
>
>> On 30 Jul 2019, at 22.53, Tom Diehl via dovecot <dovecot at dovecot.org> wrote:
>>
>> On Tue, 30 Jul 2019, Reio Remma via dovecot wrote:
>>
>>> On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>>>>
>>>> Does anyone have an Idea how to fix this?
>>>
>>> Perhaps see if there are any denials in SELinux audit log:
>>
>> Selinux is in permissive.
>>
>> If I do:
>> (vmail1 pts9) # ll /proc/self/io
>> -r-------- 1 root root 0 Jul 30 15:27 /proc/self/io
>> (vmail1 pts9) #
>>
>> It is obvious to me why I get permission denied. The problem is you
>> cannot chmod on /proc. I suspect I have something mis-configured but
>> the question is what?
>
> service lmtp {
>   executable = lmtp -L
>   inet_listener lmtp {
>     address = 127.0.0.1
>     port = 24
>   }
>   process_min_avail = 5
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
>   user = vmail
> }
>
> please remove user = vmail from here or change it to root.

Actually the above works OK but you gave me the clue I needed to find the actual problem. I looked at the log message again and realized that it says doveadm is having problems. Something like this:

Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied

So I took your advice and found that I had the following in my dsync config:

service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}

Removing the user = vmail above fixed the problem.

Thanks again.

Regards,

-- 
Tom me at tdiehl.org
On 31 Jul 2019, at 20.45, A. Schulze via dovecot <dovecot at dovecot.org> wrote:
>
>
>
> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>> service lmtp {
>>   user = vmail
>> }
>>
>> please remove user = vmail from here or change it to root.
>>
>> for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /self/proc/io as root before that.
>
> Hello Sami,
>
> I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security neither does https://dovecot.org/doc/NEWS-2.2 say so.
> Could you prove that statement somehow?

Alternative is:

service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}

I'm not sure if you run into other problems with that.
> On 1 Aug 2019, at 1.51, Tom Diehl via dovecot <dovecot at dovecot.org> wrote:
>
> Actually the above works OK but you gave me the clue I needed to
> find the actual problem. I looked at the log message again and
> realized that it says doveadm is having problems.
> Something like this:
> Jul 22 12:52:04 vmail2 dovecot: doveadm: Error: open(/proc/self/io) failed: Permission denied
>
> So I took your advice and found that I had the following in my dsync
> config:
> service doveadm {
>   inet_listener {
>     port = 2525
>   }
>   user = vmail
> }
>
> Removing the user = vmail above fixed the problem.

Yes, I forgot to mention that the same thing applies to doveadm too.

Sami
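As an added example (not code from this thread or from the Dovecot project): a small Python checker that parses a doveconf -n style fragment and flags the misconfiguration discussed above, a service lmtp or service doveadm block whose own user setting is not root, so the process is no longer root when it tries to open /proc/self/io. The sample config, the regex-based block parser and the function names are constructed for this example. It deliberately ignores user settings inside nested inet_listener/unix_listener blocks (the unix_listener user = postfix in Tom's config is fine and must not be mistaken for the service user), and it records whether drop_priv_before_exec = yes is set, which Sami offered as an alternative for lmtp while noting he was unsure about side effects.

```python
"""Flag Dovecot service blocks (lmtp, doveadm) that set a non-root user.

Constructed example based on the list thread above; not Dovecot project code.
"""
import re
from typing import Dict, List, Tuple

# Per Sami's replies in the thread: lmtp and doveadm must be started as root
# (they drop privileges themselves after opening /proc/self/io).
ROOT_STARTED_SERVICES = {"lmtp", "doveadm"}

# "service lmtp {", "inet_listener {", "unix_listener /path/to/socket {"
BLOCK_OPEN = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")
# "user = vmail", "executable = lmtp -L"
ASSIGNMENT = re.compile(r"^([\w-]+)\s*=\s*(.*)$")


def parse_services(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {key: value}} for the *direct* settings of each
    top-level service block. Settings inside nested listener blocks are
    skipped on purpose: a listener's user/group is a different thing."""
    services: Dict[str, Dict[str, str]] = {}
    stack: List[Tuple[str, str]] = []  # (block_type, block_name)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            btype, bname = m.group(1), m.group(2) or ""
            stack.append((btype, bname))
            if btype == "service" and len(stack) == 1:
                services.setdefault(bname, {})
            continue
        m = ASSIGNMENT.match(line)
        # Only record assignments that sit directly inside a service block.
        if m and len(stack) == 1 and stack[0][0] == "service":
            services[stack[0][1]][m.group(1)] = m.group(2).strip()
    return services


def find_early_privilege_drops(config_text: str) -> List[Tuple[str, str, bool]]:
    """Return (service, user, drop_priv_before_exec_set) for every lmtp/doveadm
    service whose direct user setting is something other than root."""
    findings = []
    for name, settings in parse_services(config_text).items():
        if name not in ROOT_STARTED_SERVICES:
            continue
        user = settings.get("user")
        if user in (None, "root"):
            continue  # unset or root: the service can open /proc/self/io
        drop_late = settings.get("drop_priv_before_exec", "no").lower() == "yes"
        findings.append((name, user, drop_late))
    return findings


# Constructed sample mirroring the two blocks from the thread plus one
# unrelated service that must not be flagged.
SAMPLE_CONFIG = """\
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service doveadm {
  inet_listener {
    port = 2525
  }
  user = vmail
}
service imap-login {
  user = dovenull
}
"""

if __name__ == "__main__":
    for service, user, drop_late in find_early_privilege_drops(SAMPLE_CONFIG):
        hint = ("drop_priv_before_exec = yes is set (Sami's alternative, "
                "with his caveat)" if drop_late
                else "remove 'user = %s' or set it to root" % user)
        print("service %s: user = %s; %s" % (service, user, hint))
```

Run it against the output of doveconf -n on the affected host; anything it prints for lmtp or doveadm is the setting to remove, exactly as Tom did for his dsync config.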