Joseph Tam
2012-Mar-01 08:44 UTC
[Dovecot] doveadm -A stops processing at first uid<first_valid_uid
I would like to run various doveadm commands that involve all (mail) users like

    doveadm expunge -A mailbox Trash savedbefore 30d

but any doveadm command that uses "-A" to iterate through all users will stop processing at the first account with UID<first_valid_uid.

    doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop privileges: Mail access for users with GID 5551 not permitted (see first_valid_gid in config file, gid from userdb lookup).
    doveadm(sysdaemon): Error: User init failed
    doveadm: Error: Failed to iterate through some users

However, these accounts are system accounts (locked password, no shell) and are in userdb to provide UID<->name mapping for utilities like ls, chown, etc.

There are various workarounds like iterating manually, or setting first_valid_uid to zero, or even reordering users to put all system accounts at the end, but is there a better way to do this?

Joseph Tam <jtam.home at gmail.com>
Timo Sirainen
2012-Mar-04 12:47 UTC
[Dovecot] doveadm -A stops processing at first uid<first_valid_uid
On 1.3.2012, at 10.44, Joseph Tam wrote:

> I would like to run various doveadm commands that involve all (mail) users like
>
>     doveadm expunge -A mailbox Trash savedbefore 30d
>
> but any doveadm command that uses "-A" to iterate through all users will
> stop processing at the first account with UID<first_valid_uid.
>
>     doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop
>     privileges: Mail access for users with GID 5551 not permitted
>     (see first_valid_gid in config file, gid from userdb lookup).
>     doveadm(sysdaemon): Error: User init failed
>     doveadm: Error: Failed to iterate through some users
>
> However, these accounts are system accounts (locked password, no shell)
> and are in userdb to provide UID<->name mapping for utilities like ls,
> chown, etc.

What userdb are you using? userdb passwd should already skip users that aren't in the valid range. And what Dovecot version are you using?
Timo Sirainen
2012-Mar-04 12:48 UTC
[Dovecot] doveadm -A stops processing at first uid<first_valid_uid
On 1.3.2012, at 10.44, Joseph Tam wrote:

>     doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop
>     privileges: Mail access for users with GID 5551 not permitted
>     (see first_valid_gid in config file, gid from userdb lookup).

Oh, it says about first_valid_gid. Is sysdaemon's UID within valid range?

I also added this today: http://hg.dovecot.org/dovecot-2.1/rev/85a8d582d37f
Timo Sirainen
2012-Mar-04 12:51 UTC
[Dovecot] doveadm -A stops processing at first uid<first_valid_uid
On 1.3.2012, at 10.44, Joseph Tam wrote:

> but any doveadm command that uses "-A" to iterate through all users will
> stop processing at the first account with UID<first_valid_uid.
>
>     doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop
>     privileges: Mail access for users with GID 5551 not permitted
>     (see first_valid_gid in config file, gid from userdb lookup).
>     doveadm(sysdaemon): Error: User init failed
>     doveadm: Error: Failed to iterate through some users

And one more thing: Does it really even stop there? Looking at the code it's supposed to log an error and continue to next user. Note that it says "Failed to iterate through SOME users".
Joseph Tam
2012-Mar-06 02:01 UTC
[Dovecot] doveadm -A stops processing at first uid<first_valid_uid
On Sun, 4 Mar 2012, Timo Sirainen writes:

> > I would like to run various doveadm commands that involve all (mail) users like
> >
> >     doveadm expunge -A mailbox Trash savedbefore 30d
> >
> > but any doveadm command that uses "-A" to iterate through all users will
> > stop processing at the first account with UID<first_valid_uid.
>
> What userdb are you using? userdb passwd should already skip users that
> aren't in the valid range. And what Dovecot version are you using?

passwd-file under dovecot 2.0.16.

> And one more thing: Does it really even stop there? Looking at the code
> it's supposed to log an error and continue to next user. Note that it says
> "Failed to iterate through SOME users".

The wording did not escape my notice, which is why I suspect it's not doing what it was designed to do. This is my test:

    # Command
    doveadm mailbox list -A

    # Start of password file
    sysdaemon:*:500:500:System daemon:/:/dev/null
    ... and the rest ...

    # dovecot.conf
    ...
    first_valid_uid = 10000
    first_valid_gid = 10000
    ...

In this situation, doveadm will exit immediately with a UID error message. If I change the UID>10000, it will produce the analogous GID error message. If I satisfy both UID and GID constraints, it will fail on the next daemon entry.

If I move the sysdaemon entry all the way to the bottom of the password file, I get

    user1 saved-messages
    user1 sent-mail
    user1 postponed-msgs
    user1 temp
    user1 temp/temp
    user1 INBOX
    user2 sent-mail
    user2 101
    user2 345
    user2 ckf
    ... all users' mailboxes with UID>10000, then ...
    doveadm(sysdaemon): Error: user sysdaemon: Couldn't drop privileges: Mail access for users with UID 500 not permitted (see first_valid_uid in config file, uid from userdb lookup).
    doveadm(sysdaemon): Error: User init failed
    doveadm: Error: Failed to iterate through some users

> Oh, it says about first_valid_gid. Is sysdaemon's UID within valid range?

Sorry for this error mismatch -- I cut&pasted the wrong test output; however, the problem I witnessed applies to both UID and GID (if either constraint is not met, user iteration terminates).

> I also added this today: http://hg.dovecot.org/dovecot-2.1/rev/85a8d582d37f

It looks like I'll be upgrading. Oh, I just spotted this in the ChangeLog -- maybe you are undoing this?

    (2010-10-21)
    * src/auth/auth-settings.c, src/auth/auth-settings.h, src/auth/userdb-passwd.c:
    auth: userdb passwd iteration now lists only users within
    first_valid_uid..last_valid_uid range.
    [745ef289b0ea]

Joseph Tam <jtam.home at gmail.com>
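Added example, not part of the original thread and not Dovecot's own code: the "iterating manually" workaround from the first message as a shell sketch that filters a passwd-file by first_valid_uid and first_valid_gid and keeps going when one user fails. The function names, the DOVEADM dry-run override and every sample entry other than sysdaemon are constructed for illustration.

```shell
#!/bin/sh
# Added example: iterate passwd-file users manually, skipping accounts below
# first_valid_uid / first_valid_gid, and continue when one user fails.

# Print the names whose UID and GID are both >= the given minimums.
# Assumption: mail users carry numeric uid and gid fields in the file;
# comment lines and entries without those fields are skipped.
valid_mail_users() {    # usage: valid_mail_users FILE MIN_UID MIN_GID
    awk -F: -v min_uid="$2" -v min_gid="$3" '
        $1 !~ /^#/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $3 + 0 >= min_uid + 0 && $4 + 0 >= min_gid + 0 { print $1 }
    ' "$1"
}

# Run the expunge from the thread once per valid user instead of using -A.
# DOVEADM is a hypothetical override so the loop can be dry-run with echo.
expunge_old_trash() {   # usage: expunge_old_trash FILE MIN_UID MIN_GID
    failed=0
    for user in $(valid_mail_users "$1" "$2" "$3"); do
        ${DOVEADM:-doveadm} expunge -u "$user" mailbox Trash savedbefore 30d </dev/null || {
            echo "expunge failed for $user, continuing" >&2
            failed=$((failed + 1))
        }
    done
    [ "$failed" -eq 0 ]   # non-zero exit status if any user failed
}

# Constructed sample in the thread's layout: the sysdaemon line is from the
# thread, the other entries are made up (two mail users, one low-GID account).
write_sample_passwd() {
    cat > "$1" <<'EOF'
# Start of password file
sysdaemon:*:500:500:System daemon:/:/dev/null
user1:*:10001:10001:User One:/home/user1:/bin/sh
lowgid:*:10002:500:Low GID account:/:/dev/null
user2:*:10003:10003:User Two:/home/user2:/bin/sh
EOF
}

# Dry run against the sample with the thread's limits (10000/10000):
# prints the two doveadm command lines that would be executed.
sample=$(mktemp)
write_sample_passwd "$sample"
( DOVEADM=echo; expunge_old_trash "$sample" 10000 10000 )
rm -f "$sample"
```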