Michael Welsh Duggan
2013-Jul-29 14:10 UTC
[Dovecot] Maildir permissions and Solr re-indexing
I am running a very small dovecot installation with only one user (me). I use the Solr indexer for indexing. Due to complicated reasons, I was forced to remove all the indexes and need to re-index everything.

All the files in my Maildir are owned by md5i:mail (I am md5i), and have 660 permissions. All directories have the same user:group permissions, and 770 with the setgid bit set. (That last may not be necessary, but I was trying several things to get my use case to work.)

Unfortunately, I can't seem to get re-indexing to work. When I do "doveadm fts rescan -A" as root, I get the following error for each of my subgroups:

doveadm(md5i): Error: fchown(/home/md5i/Maildir/.mail.test/dovecot.index.log.newlock, group=8(mail)) failed: Operation not permitted (egid=1000(md5i), group based on /home/md5i/Maildir/.mail.test - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)

After this, each directory has a dovecot.index.log with md5i:md5i 600 permissions.

I've read the mentioned page, and played around with the ideas on it, but haven't gotten things to work. Anyone have any clue to ship my way?

-- 
Michael Welsh Duggan (md5i at md5i.com)

Michael Welsh Duggan
2013-Jul-29 16:12 UTC
[Dovecot] Maildir permissions and Solr re-indexing
I should have mentioned: dovecot 2.1.7 from Debian unstable.

Michael Welsh Duggan <mwd at md5i.com> writes:

> I am running a very small dovecot installation with only one user (me).
> I use the Solr indexer for indexing. Due to complicated reasons, I was
> forced to remove all the indexes and need to re-index everything.
>
> All the files in my Maildir are owned by md5i:mail (I am md5i), and have
> 660 permissions. All directories have the same user:group permissions,
> and 770 with the setgid bit set. (That last may not be necessary, but
> I was trying several things to get my use case to work.)
>
> Unfortunately, I can't seem to get re-indexing to work. When I do
> "doveadm fts rescan -A" as root, I get the following error for each of my
> subgroups:
>
> doveadm(md5i): Error:
> fchown(/home/md5i/Maildir/.mail.test/dovecot.index.log.newlock,
> group=8(mail)) failed: Operation not permitted (egid=1000(md5i), group
> based on /home/md5i/Maildir/.mail.test - see
> http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
>
> After this, each directory has a dovecot.index.log with md5i:md5i 600
> permissions.
>
> I've read the mentioned page, and played around with the ideas on it,
> but haven't gotten things to work. Anyone have any clue to ship my way?

-- 
Michael Welsh Duggan (md5i at md5i.com)

Michael Welsh Duggan writes:

> All the files in my Maildir are owned by md5i:mail (I am md5i), and have
> 660 permissions. All directories have the same user:group permissions,
> and 770 with the setgid bit set. (That last may not be necessary, but
> ...
>
> doveadm(md5i): Error: fchown(/home/md5i/Maildir/.mail.test/dovecot.index.log.newlock, group=8(mail)) failed: Operation not permitted (egid=1000(md5i), group based on /home/md5i/Maildir/.mail.test - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
>
> After this, each directory has a dovecot.index.log with md5i:md5i 600
> permissions.

I think the cause is clear enough: you (user=md5i/uid=1000) are not part of group mail (gid=8), so the dovecot user process doing things on your behalf cannot create index files that are analogous to the mailbox it's indexing.

You can either

1) add "md5i" to group mail
2) remove g+w permission on your mail files (making group membership irrelevant)
3) fiddle with "mail_privileged_group = mail", but I'm a little hazy on all the ramifications of this.

I don't know your particular circumstances, so I don't know which is best. If (big if) nothing on your system (particularly the MTA) requires access to your mail spool files by running as group=mail, probably 2) is your best option.

Joseph Tam <jtam.home at gmail.com>
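
Added example, not part of the thread and not Dovecot's code: a small audit that lists the Maildir directories matching the condition the reply describes, i.e. group-writable directories whose group the mail user does not belong to. The rule is a simplified model of the reply's reasoning (an assumption, not Dovecot's actual permission logic), and the function names and the constructed sample tree are hypothetical.

```python
import os
import pwd
import stat
import sys
import tempfile

def user_gids(username):
    """All gids (primary and supplementary) of the named account."""
    pw = pwd.getpwnam(username)
    return set(os.getgrouplist(username, pw.pw_gid))

def chgrp_risks(maildir, process_gids):
    """Return (path, gid, octal mode) for every directory under maildir that
    is group-writable but owned by a group outside process_gids.

    Assumption (from the reply, not from Dovecot's source): these are the
    directories where a process running as the user would want new index
    files to carry the directory's group and cannot chgrp to it.
    """
    findings = []
    for root, _dirs, _files in os.walk(maildir):
        st = os.stat(root)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWGRP and st.st_gid not in process_gids:
            findings.append((root, st.st_gid, oct(mode)))
    return sorted(findings)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: audit <user> <maildir>
        user, maildir = sys.argv[1], sys.argv[2]
        gids = user_gids(user)
    else:
        # Constructed sample: one group-writable folder, and a pretend
        # account that holds no groups at all.
        user, gids = "(constructed user)", set()
        maildir = tempfile.mkdtemp()
        sub = os.path.join(maildir, ".mail.test")
        os.mkdir(sub)
        os.chmod(sub, 0o770)
    for path, gid, mode in chgrp_risks(maildir, gids):
        print(f"{path}: mode {mode}, gid {gid} not held by {user}")
```

An empty result after applying option 1) or 2) from the reply means no directory still matches the condition.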