In running the various 1.0.n versions of Dovecot's LDA with the instructions in the wiki for using LDA with Postfix [on OS X 10.4] things went well using the instructions as-is (no setuid problems). This changed in moving over to the 1.1 beta. The LDA refused to work failing with the error "setgroups() failed: Operation not permitted" as I mentioned in a previous message. After reading the exchange between Bill Cole and Rich Winkel and following up on this, it seems that the new 1.1b wants you to give the Deliver app specific setuid permission via: cd /path/to/where/dovecot's/deliver/is sudo chmod u+s deliver Then things worked as before. There was no need to give the group 's' permission nor to change ownership of deliver from the default root:staff or root:wheel or whomever... . The error message seems odd though. I am not sure if, overall, this means there is a problem in Dovecot 1.0.n or that things are being tightened up in 1.1b. Thanks Bill and Rich for the tip! Jerry Yeager -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2447 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20070926/bfc59334/attachment-0002.bin>
We're runnng dovecot 1.1beta1 and /.../dovecot/deliver is owned by root and has only rwxr-xr-x, No problems so far. /L Jerry Yeager wrote:> In running the various 1.0.n versions of Dovecot's LDA with the > instructions in the wiki for using LDA with Postfix [on OS X 10.4] > things went well using the instructions as-is (no setuid problems). > > This changed in moving over to the 1.1 beta. The LDA refused to work > failing with the error "setgroups() failed: Operation not permitted" as > I mentioned in a previous message. After reading the exchange between > Bill Cole and Rich Winkel and following up on this, it seems that the > new 1.1b wants you to give the Deliver app specific setuid permission via: > > cd /path/to/where/dovecot's/deliver/is > > sudo chmod u+s deliver > > Then things worked as before. There was no need to give the group 's' > permission nor to change ownership of deliver from the default > root:staff or root:wheel or whomever... . The error message seems odd > though. > > > I am not sure if, overall, this means there is a problem in Dovecot > 1.0.n or that things are being tightened up in 1.1b. > > Thanks Bill and Rich for the tip! > > > Jerry Yeager
At 3:58 PM -0400 9/26/07, Jerry Yeager imposed structure on a stream of electrons, yielding:>In running the various 1.0.n versions of Dovecot's LDA with the >instructions in the wiki for using LDA with Postfix [on OS X 10.4] >things went well using the instructions as-is (no setuid problems). > >This changed in moving over to the 1.1 beta. The LDA refused to work >failing with the error "setgroups() failed: Operation not permitted" >as I mentioned in a previous message.That looks like a bug. A program that calls setgroups() must be running as root. It seems to me that a code path leading to such a call should probably be able to identify that issue before the call and provide a better failure message than translating EPERM into its standard meaning.... The interesting question would be: why does deliver want to call setgroups() at all?>After reading the exchange between Bill Cole and Rich Winkel and >following up on this, it seems that the new 1.1b wants you to give >the Deliver app specific setuid permission via: > >cd /path/to/where/dovecot's/deliver/is > >sudo chmod u+s deliver > >Then things worked as before. There was no need to give the group >'s' permission nor to change ownership of deliver from the default >root:staff or root:wheel or whomever... . The error message seems >odd though. > > >I am not sure if, overall, this means there is a problem in Dovecot >1.0.n or that things are being tightened up in 1.1b. > >Thanks Bill and Rich for the tip!I'd love to take credit, but I thought that was about the LDA with Sendmail, which is rather different, and Rich was running 1.0.3... In any event, I won't go so far as to say that running deliver as setuid root is actively dangerous, but it feels wrong to me and I wouldn't do it. That may be from too much exposure to bizarre attacks through delivery agents in the Dark Ages. That it works without being setuid on Linux is a touch odd. -- Bill Cole bill at scconsult.com
On Wed, 2007-09-26 at 15:58 -0400, Jerry Yeager wrote:> In running the various 1.0.n versions of Dovecot's LDA with the > instructions in the wiki for using LDA with Postfix [on OS X 10.4] > things went well using the instructions as-is (no setuid problems). > > This changed in moving over to the 1.1 beta. The LDA refused to work > failing with the error "setgroups() failed: Operation not permitted"If you're using only a single UID and GID there's no need to make deliver setuid root. But I guess I've changed the code so it works a bit differently now. At least one thing that changed is that if mail_extra_groups is set, deliver tries to set it. Do you have it set? I'll change the error message so it's clearer why this happens. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20070930/7d7129c2/attachment-0002.bin>