Using dovecot-2.1.15 if I run indexer-worker as a non-root user it fails with an error:

Feb 11 13:06:47 indexer-worker: Error: user foobar: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied

This is what I added to 10-master.conf:

service indexer-worker {
  user = _dovecot
}

The wiki says it should work: <http://wiki2.dovecot.org/Services>

indexer-worker
[...]
- user=root, but the privileges are (temporarily) dropped to the mail user's privileges after userdb lookup. If only a single UID is used, user can be set to the mail UID for higher security, because the process can't gain root privileges anymore.

And the code says it should work: <src/indexer/indexer-worker.c>

static void drop_privileges(void)
{
[...]
	if (set.uid != 0) {
		/* open config connection before dropping privileges */

Of course the config socket is locked down as it should be:

srw------- 1 root daemon 0 Feb 11 13:06 /var/run/dovecot/config

Here's where the error comes from:

2   libdovecot.0.dylib          0x00000001019612a0 master_service_settings_read + 2168
3   libdovecot.0.dylib          0x000000010196193e master_service_settings_cache_read + 294
4   libdovecot-storage.0.dylib  0x000000010185d9ad mail_storage_service_read_settings + 510
5   libdovecot-storage.0.dylib  0x000000010185da5d mail_storage_service_lookup + 96
6   libdovecot-storage.0.dylib  0x000000010185f06a mail_storage_service_lookup_next + 42
7   indexer-worker              0x00000001018101a1 master_connection_input + 335
8   libdovecot.0.dylib          0x0000000101972455 io_loop_call_io + 46
9   libdovecot.0.dylib          0x000000010197343e io_loop_handler_run + 214
10  libdovecot.0.dylib          0x0000000101972600 io_loop_run + 77
11  libdovecot.0.dylib          0x00000001019601ef master_service_run + 24
12  indexer-worker              0x000000010180ff17 main + 490
13  libdyld.dylib               0x00007fff89d2f7b5 start + 1

Is this a bug or am I configuring it incorrectly?

Thanks.
Timo Sirainen
2013-Feb-22 08:44 UTC
[Dovecot] error running indexer-worker as non-root user
On 11.2.2013, at 21.32, Mike Abbott <michael.abbott at apple.com> wrote:

> Using dovecot-2.1.15 if I run indexer-worker as a non-root user it fails with an error:
> Feb 11 13:06:47 indexer-worker: Error: user foobar: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied

Well.. http://hg.dovecot.org/dovecot-2.1/rev/6d45b9bd1cff fixes it, although it's a bit of an annoying fix. Now it unnecessarily reads the config at startup and then keeps the connection open, even if it really doesn't need to keep it open afterwards. But it is a rather generic problem..
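The ordering both messages turn on, open the root-only config socket while the process is still privileged, then drop to the service user and keep the descriptor, shown as an added C example. This is not Dovecot's code: connect_unix, drop_privileges, connect_then_drop, make_test_listener, exchange_after_drop and demo are names chosen here, the listener stands in for the master's config socket, and the path /tmp/example-config.sock is constructed for the demo. Permission on a Unix socket is checked at connect() time only, so a connection made before setuid() keeps working afterwards, which is exactly why reconnecting after the drop fails with EACCES in the report.

```c
/* Added example (not Dovecot's code): connect to a privileged Unix socket
 * first, then drop privileges, keeping the already-open descriptor. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Connect to a Unix stream socket. Returns fd or -1 with errno set; EACCES is
 * the "Permission denied" from the report when the socket mode excludes us. */
int connect_unix(const char *path)
{
    struct sockaddr_un sa;
    int fd, saved;

    if (strlen(path) >= sizeof(sa.sun_path)) { errno = ENAMETOOLONG; return -1; }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        saved = errno; close(fd); errno = saved;
        return -1;
    }
    return fd;
}

/* Drop to uid/gid when root. When not root there is nothing to drop, so
 * succeed only if we already are that user. Order: groups, gid, then uid,
 * since setuid() to a non-root uid makes the earlier steps impossible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return (getuid() == uid && getgid() == gid) ? 0 : -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* The pattern from the thread: connect while privileged, then drop. */
int connect_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = connect_unix(path);
    if (fd < 0) return -1;
    if (drop_privileges(uid, gid) < 0) { close(fd); return -1; }
    return fd;
}

/* Demo stand-in for the master's config socket: a listener at path. */
int make_test_listener(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);
    unlink(path);  /* remove a stale socket file from an earlier run */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Prove the kept descriptor still works after the drop: client writes msg,
 * the listener accepts and reads it. Returns bytes read by the server or -1. */
int exchange_after_drop(int listener, int client, const char *msg)
{
    char buf[64];
    ssize_t n;
    int conn;

    if (write(client, msg, strlen(msg)) < 0) return -1;
    if ((conn = accept(listener, NULL, NULL)) < 0) return -1;
    n = read(conn, buf, sizeof(buf));
    close(conn);
    return n < 0 ? -1 : (int)n;
}

/* Whole round trip on one path; returns bytes delivered after the drop. */
int demo(const char *path)
{
    int lfd = make_test_listener(path), cfd, n;
    if (lfd < 0) return -1;
    cfd = connect_then_drop(path, getuid(), getgid());
    if (cfd < 0) { close(lfd); unlink(path); return -1; }
    n = exchange_after_drop(lfd, cfd, "hello");
    close(cfd); close(lfd); unlink(path);
    return n;
}

int main(void)
{
    printf("bytes delivered after privilege drop: %d\n", demo("/tmp/example-config.sock"));
    return 0;
}
```

Run as an unprivileged user the drop is a no-op (we already are the target user), so the demo only shows the descriptor surviving the ordering; run as root it performs the real setgroups/setgid/setuid sequence and verifies it cannot be undone. Either way, a connect_unix() attempted after the drop against a 0600 root-owned socket is the call that would fail, which matches the backtrace in the report.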