dovecot - Sep 2011 - deliver LDA issue with setuid-root

Hi,

I am getting the following error message when trying to implement LDA Dovecot
1.2.9 with virtual users:


Sep 28 15:59:33 server1 postfix/pipe[3041]: 28BEC2400A1: to=<msmith at
example.com>, relay=dovecot, delay=2361, delays=2361/0.01/0/0.03, dsn=4.3.0,
status=deferred (temporary failure. Command output: /usr/lib/dovecot/deliver
must not be both world-executable and setuid-root. This allows root exploits.
See http://wiki.dovecot.org/LDA#multipleuids )

I do not know if I need to change the group to secmail. Currently, I have as
follows

-rwsr-xr-x?? 1 root root 933796 2011-06-10 05:36 deliver


Can I change it to any other group apart from secmail? and what does it mean by
world-executable? Sorry if I ask a silly question here but keen to learn more
about linux.

Here is my dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S 
protocols: imap
listen: *:143
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 106
last_valid_uid: 200
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%u/Maildir
mbox_write_locks: fcntl dotlock
mail_plugins: quota imap_quota
imap_client_workarounds: outlook-idle delay-newmail netscape-eoh
tb-extra-mailbox-sep
lda:
? postmaster_address: postmaster at example.com
? mail_plugins: quota
? sendmail_path: /usr/lib/sendmail
? rejection_reason: Your message to <%t> was automatically rejected:%n%r
auth default:
? mechanisms: plain login
? username_format: %Lu
? verbose: yes
? debug: yes
? debug_passwords: yes
? passdb:
??? driver: pam
? passdb:
??? driver: ldap
??? args: /etc/dovecot/dovecot-ldap.conf
? userdb:
??? driver: prefetch
? userdb:
??? driver: passwd
? userdb:
??? driver: static
??? args: uid=106 gid=1010 home=/home/vmail/%u
? socket:
??? type: listen
??? client:
????? path: /var/spool/postfix/private/auth
????? mode: 432
????? user: postfix
????? group: mail
??? master:
????? path: /var/run/dovecot-auth-master
????? mode: 432
????? user: vmail
????? group: vmail
plugin:
? quota: maildir
? quota_rule: *:storage=3GB
? quota_rule2: Trash:storage=20%%
? quota_rule3: Spam:storage=10%%
? quota_warning: storage=95%% /usr/local/bin/quota-warning.sh 95
? quota_warning2: storage=80%% /usr/local/bin/quota-warning.sh 80

Here is my master.cf
# delivery through dovecot
dovecot?? unix? -?????? n?????? n?????? -?????? -?????? pipe
? flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d
${recipient}

Any help would be greatly appreciated.

Thank you

On 09/28/2011 08:37 AM Daminto Lie wrote:
> Hi,
> 
> I am getting the following error message when trying to implement LDA
Dovecot 1.2.9 with virtual users:
> 
> 
> Sep 28 15:59:33 server1 postfix/pipe[3041]: 28BEC2400A1: to=<msmith at
example.com>, relay=dovecot, delay=2361, delays=2361/0.01/0/0.03, dsn=4.3.0,
status=deferred (temporary failure. Command output: /usr/lib/dovecot/deliver
must not be both world-executable and setuid-root. This allows root exploits.
See http://wiki.dovecot.org/LDA#multipleuids )
> 
> I do not know if I need to change the group to secmail. Currently, I have
as follows
> 
> -rwsr-xr-x   1 root root 933796 2011-06-10 05:36 deliver
> 
> 
> Can I change it to any other group apart from secmail? and what does it
mean by world-executable? Sorry if I ask a silly question here but keen to learn
more about linux.
RTFM chmod(1)
> ?
> Here is my master.cf
> # delivery through dovecot
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d
${recipient}
> 
> Any help would be greatly appreciated.
> 
> Thank you
chgrp vmail /usr/lib/dovecot/deliver
chmod o-rx !$


Regards,
Pascal

-- 
The trapper recommends today: cafefeed.1127120 at localdomain.org