Stewart Dean
2009-Nov-05 14:24 UTC
[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
After V1.2 had been up for a while, I started seeing tons of syslog error messages like this:

Nov 5 09:11:52 mercury mail:err|error dovecot: IMAP(sdean): stat(/var/dcindx/sdean/.imap/DadEstate) failed: Permission denied (euid=202(sdean) egid=200(hcrc) missing +x perm: /var/dcindx)

Ownership and permissions are:

The index filesystem:

2726 root at mercury:/var/dcindx ## ls -ald
drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ./

A user's directory is:

2729 root at mercury:/var/dcindx ## ls -al sdean
total 400
drwx--S--- 7 sdean sys 256 Sep 29 04:43 ./
drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ../
drwx--S--- 139 sdean sys 8192 Sep 29 04:43 .imap/

and for the directory with the problem:

2731 root at mercury:/var/dcindx ## ls -al sdean/.imap/DadEstate
total 48
drwx--S--- 2 sdean sys 256 Sep 29 04:43 ./
drwx--S--- 139 sdean sys 8192 Sep 29 04:43 ../
-rw------- 1 sdean sys 408 Jan 14 2009 dovecot.index
-rw------- 1 sdean sys 18432 May 05 2009 dovecot.index.cache
-rw------- 1 sdean sys 828 Jan 14 2009 dovecot.index.log

I switched back to V1.1, but the situation persists.

dovecot -n:

# 1.1.15: /usr/local/etc/dovecot.conf
# OS: AIX 3 0001378F4C00
listen: *:143
ssl_listen: *:993
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_processes_count: 12
login_max_processes_count: 774
max_mail_processes: 1024
verbose_proctitle: yes
first_valid_uid: 200
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=/var/dcindx/%u
mbox_write_locks: fcntl
mbox_dirty_syncs: no
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

-- 
====
Once upon a time, the Internet was a friendly, neighbors-helping-neighbors small town, and no one locked their doors. Now it's like an apartment in Bed-Stuy: you need three heavy duty pick-proof locks, one of those braces that goes from the lock to the floor, and bars on the windows....
====
Stewart Dean, Unix System Admin, Bard College, New York 12504
sdean at bard.edu voice: 845-758-7475, fax: 845-758-7035
Stewart Dean
2009-Nov-05 14:45 UTC
[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
In desperation I changed the permissions on /var/dcindx with a chmod o+x so that it is now:

drwx--S--x

which quieted that avalanche of error messages. Still, what *should* the permissions and ownership be?

I'm also seeing these messages, which I've discovered were happening before I did the migration:

Nov 5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Apple Mail To Do) failed: Permission denied
Nov 5 09:37:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Drafts) failed: Permission denied

ahinds is a valid user. There is no ahinds directory (as there should be) under /var/dcindx.

Stewart Dean wrote:
> After V1.2 had been up for a while, I started seeing tons of syslog
> error messages like this:
>
> Nov 5 09:11:52 mercury mail:err|error dovecot: IMAP(sdean):
> stat(/var/dcindx/sdean/.imap/DadEstate)
> failed: Permission denied (euid=202(sdean) egid=200(hcrc) missing +x
> perm: /var/dcindx)
>
> Ownership and permissions are:
> The index filesystem
> 2726 root at mercury:/var/dcindx ## ls -ald
> drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ./
>
> A user's directory is:
>
> 2729 root at mercury:/var/dcindx ## ls -al sdean
>
> total 400
> drwx--S--- 7 sdean sys 256 Sep 29 04:43 ./
> drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ../
> drwx--S--- 139 sdean sys 8192 Sep 29 04:43 .imap/
>
> and for the directory with the problem:
>
> 2731 root at mercury:/var/dcindx ## ls -al sdean/.imap/DadEstate
> total 48
> drwx--S--- 2 sdean sys 256 Sep 29 04:43 ./
> drwx--S--- 139 sdean sys 8192 Sep 29 04:43 ../
> -rw------- 1 sdean sys 408 Jan 14 2009 dovecot.index
> -rw------- 1 sdean sys 18432 May 05 2009 dovecot.index.cache
> -rw------- 1 sdean sys 828 Jan 14 2009 dovecot.index.log
>
> I switched back to V1.1, but the situation persists
>
> dovecot -n:
>
> # 1.1.15: /usr/local/etc/dovecot.conf
> # OS: AIX 3 0001378F4C00
> listen: *:143
> ssl_listen: *:993
> disable_plaintext_auth: no
> verbose_ssl: yes
> login_dir: /var/run/dovecot/login
> login_executable: /usr/local/libexec/dovecot/imap-login
> login_processes_count: 12
> login_max_processes_count: 774
> max_mail_processes: 1024
> verbose_proctitle: yes
> first_valid_uid: 200
> mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=/var/dcindx/%u
> mbox_write_locks: fcntl
> mbox_dirty_syncs: no
> auth default:
>   passdb:
>     driver: pam
>   userdb:
>     driver: passwd
Steffen Kaiser
2009-Nov-05 15:17 UTC
[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
On Thu, 5 Nov 2009, Stewart Dean wrote:

Hello,

> In desperation I changed the permissions on /var/dcindx with a chmod o+x so
> that it is now:
> drwx--S--x
> which quieted that avalanche of error message. Still, what *should* the
> permissions and ownership be?

There is no default answer for this question, except: so that all uids used are able to create directories under /var/dcindx. E.g. if all your users are mapped to one uid, you may use this uid. If you use system users, who are all members of one group, use "g+xw" and chgrp /var/dcindx to this group as well.

Your error message seems to indicate that you should use 1777, as for /tmp, because you have a range of uids and gids.

Regards,

-- 
Steffen Kaiser
Timo Sirainen
2009-Nov-05 19:51 UTC
[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
Steffen's answer was good. Also:

On Thu, 2009-11-05 at 09:24 -0500, Stewart Dean wrote:
> 2726 root at mercury:/var/dcindx ## ls -ald
> drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ./

Don't use the "dovecot" user for ANYTHING. It's used internally by login processes. There should be no files in the filesystem owned by the dovecot user.
Steffen Kaiser
2009-Nov-06 11:04 UTC
[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
On Thu, 5 Nov 2009, Stewart Dean wrote:

> So you say that the /var/dcindx permissions should be 1777? Not 2777? What

No, not 2777; your "/tmp" is not 2777 either, I guess.

> userid/group should own the directory?

I use root:root. In fact, because multiple uids (and gids) have to create a directory there, you have to use a tmp-like directory. "1xxx" means the sticky bit, so users may not remove an entry owned by another user. Because root is the owner of /var/dcindx, you have just those two users able to remove: root and the owning user of the subdir. The user-specific subdirectories should be 0700 or something like that, so the security is OK. DoS is possible by filling the partition completely, but this ability is available in other scenarios as well.

> #2: Under both V1.1 and V1.2, the vast majority of users *can* and have
> created their index directories, but others can't. How can this be? This
> shows up as errmsgs like
> Nov 5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds):
> mkdir(/var/dcindx/ahinds/.imap/Apple M
> ail To Do) failed: Permission denied

All I can think of is that:
a) the existing subdirs had been created earlier, e.g. by root or migration,
b) those few users use a different group.

IMHO, as soon as you have system users, /var/dcindx must be 1777; the few exceptions, when all users share a single group, or when you can pre-create the directories, are the special cases.

BTW: _If_ you use system users and your account name <-> uid relationship can change, you should use a template different from /var/dcindx/%u, e.g. /var/dcindx/%i, because if a new user with a name already used in the past, but with another uid, logs on to the server, that uid cannot access the old /var/dcindx/ahinds tree. The leftover files should not cause much worry, except the subscriptions perhaps.

Bye,

-- 
Steffen Kaiser
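The two replies above make three claims about /var/dcindx that are easy to check by replaying the POSIX permission rules by hand: the "missing +x perm: /var/dcindx" hint comes from a missing search bit on one path component for euid 202/egid 200; a 1777 root-owned directory lets every uid create its own subdirectory while the sticky bit stops one user removing another's; and an INDEX template keyed on %u leaves a reused login name with a new uid locked out of its old 0700 tree. The following is an added example, not code from the thread or from Dovecot: it models standard POSIX discretionary access checks (owner/group/other class selection, search permission on every ancestor, write+search on the parent for mkdir, the sticky-bit rule for unlink/rmdir) over a directory tree reconstructed from the `ls -al` listings posted above. The numeric ids sdean=202 and hcrc=200 are taken from the log line; all other ids, the mode of /var, and the `ahinds` subtree are assumptions made for the example.

```python
import stat
from typing import Dict, NamedTuple, Optional, Tuple

# sdean=202 and hcrc=200 are taken from the log line in the thread; every other numeric id
# below (dovecot, system, sys, ahinds, and a later reuse of the name ahinds) is assumed.
SDEAN, HCRC, SYS, DOVECOT, SYSTEM = 202, 200, 3, 201, 0
AHINDS, AHINDS_REUSED = 203, 310

class Inode(NamedTuple):
    mode: int   # permission bits incl. setgid (02000) / sticky (01000); no file-type bits
    uid: int
    gid: int

def parse_ls_mode(text: str) -> int:
    """Turn an `ls -l` mode column such as 'drwx--S---' into numeric permission bits."""
    mode, special = 0, {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    for i, ch in enumerate(text[1:]):          # skip the file-type character
        bit = 1 << (8 - i)                     # i=0 -> 0400 ... i=8 -> 0001
        if ch in "rwx":
            mode |= bit
        elif (ch in "sS" and i in (2, 5)) or (ch in "tT" and i == 8):
            mode |= special[i] | (bit if ch.islower() else 0)   # 'S'/'T' = special bit without x
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode

def permitted(ino: Inode, want: int, uid: int, gid: int, groups: Tuple[int, ...] = ()) -> bool:
    """POSIX DAC: exactly one class applies (owner, else group, else other); want is r=4 w=2 x=1."""
    if uid == 0:
        return True                            # root bypasses DAC for directory access
    if uid == ino.uid:
        cls = ino.mode >> 6
    elif gid == ino.gid or ino.gid in groups:
        cls = ino.mode >> 3
    else:
        cls = ino.mode
    return (cls & want) == want

def first_unsearchable(fs: Dict[str, Inode], path: str, uid: int, gid: int,
                       groups: Tuple[int, ...] = ()) -> Optional[str]:
    """First ancestor of `path` denying search (+x) to uid/gid, or None: the 'missing +x perm' component."""
    cur = ""
    for comp in path.strip("/").split("/")[:-1]:
        cur += "/" + comp
        if not permitted(fs[cur], 1, uid, gid, groups):
            return cur
    return None

def can_stat(fs, path, uid, gid, groups=()) -> bool:
    """stat() needs search permission on every ancestor only, not on the target itself."""
    return first_unsearchable(fs, path, uid, gid, groups) is None

def can_mkdir(fs, parent, uid, gid, groups=()) -> bool:
    """mkdir(parent/new) needs search on parent's ancestors plus write+search (3) on parent."""
    return can_stat(fs, parent, uid, gid, groups) and permitted(fs[parent], 3, uid, gid, groups)

def can_remove_entry(fs, path, uid, gid, groups=()) -> bool:
    """unlink/rmdir/rename need write+search on the parent; a sticky parent also requires owning
    the parent or the entry (root excepted). Directory emptiness is not modelled."""
    parent = path.rpartition("/")[0]
    if not can_mkdir(fs, parent, uid, gid, groups):
        return False
    return not (fs[parent].mode & stat.S_ISVTX) or uid in (0, fs[parent].uid, fs[path].uid)

def index_tree(root_mode: str, root_uid: int, with_ahinds: bool = False) -> Dict[str, Inode]:
    """Tree constructed from the `ls -al` listings in the thread; /var and the ahinds subtree are assumed."""
    d = parse_ls_mode
    fs = {
        "/var": Inode(d("drwxr-xr-x"), 0, SYSTEM),
        "/var/dcindx": Inode(d(root_mode), root_uid, SYSTEM),
        "/var/dcindx/sdean": Inode(d("drwx--S---"), SDEAN, SYS),
        "/var/dcindx/sdean/.imap": Inode(d("drwx--S---"), SDEAN, SYS),
        "/var/dcindx/sdean/.imap/DadEstate": Inode(d("drwx--S---"), SDEAN, SYS),
    }
    if with_ahinds:   # 0700 per-user subtree created by the original ahinds uid (assumed)
        fs["/var/dcindx/ahinds"] = fs["/var/dcindx/ahinds/.imap"] = Inode(d("drwx------"), AHINDS, SYS)
    return fs

def scenarios() -> dict:
    """Replay the thread: the posted layout, the chmod o+x stopgap, and a /tmp-like 1777 root-owned root."""
    target = "/var/dcindx/sdean/.imap/DadEstate"
    before = index_tree("drwx--S---", DOVECOT)                  # dovecot:system 2700, as posted
    stopgap = index_tree("drwx--S--x", DOVECOT)                 # after `chmod o+x /var/dcindx`
    tmplike = index_tree("drwxrwxrwt", 0, with_ahinds=True)     # root:root 1777, as suggested
    nosticky = index_tree("drwxrwxrwx", 0, with_ahinds=True)    # 0777, for comparison
    return {
        "before: sdean stat DadEstate": can_stat(before, target, SDEAN, HCRC),
        "before: component blamed": first_unsearchable(before, target, SDEAN, HCRC),
        "o+x: sdean stat DadEstate": can_stat(stopgap, target, SDEAN, HCRC),
        "o+x: ahinds mkdir own subdir": can_mkdir(stopgap, "/var/dcindx", AHINDS, HCRC),
        "1777: ahinds mkdir own subdir": can_mkdir(tmplike, "/var/dcindx", AHINDS, HCRC),
        "1777: ahinds remove sdean's subdir": can_remove_entry(tmplike, "/var/dcindx/sdean", AHINDS, HCRC),
        "0777: ahinds remove sdean's subdir": can_remove_entry(nosticky, "/var/dcindx/sdean", AHINDS, HCRC),
        "1777: original ahinds uid enters old tree": can_stat(tmplike, "/var/dcindx/ahinds/.imap", AHINDS, HCRC),
        "1777: reused name, new uid enters old tree": can_stat(tmplike, "/var/dcindx/ahinds/.imap", AHINDS_REUSED, HCRC),
    }
```

Calling `scenarios()` reproduces the thread step by step: with the posted `drwx--S---` root owned by dovecot:system, sdean (uid 202, gid 200) falls into the "other" class on /var/dcindx and that component is the one blamed; `chmod o+x` lets existing subtrees be searched but still denies mkdir to a user without a directory of their own, which matches the ahinds log lines; a root-owned 1777 root allows that mkdir yet refuses a different uid's attempt to remove sdean's subdirectory, whereas plain 0777 would allow it; and a recreated `ahinds` login with a new uid cannot enter the old 0700 tree, which is the reason given for preferring `%i` over `%u` in the INDEX template.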