dovecot 2.3.15
opensuse LEAP 15.4

I changed logging to use a path rather than syslog. Doing so makes it easier
to work with fail2ban.
Dovecot fails to start with the error:
  Can't open log file /data01/var/log/dovecot.log: Permission denied

Permissions:
drwxrwxr-x 1 root       users 104 Feb 25  2018 /data01/
drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
drwxrwxr-x 1 dovecot    users  22 Dec 27 15:47 /data01/var/log/dovecot/

"dovecot" is a member of "users".

What "permission" am I missing?

Note: A long time ago I had a problem with programs consuming all available
space on the system disk with log or backup files. I have since gotten in the
habit of putting log files on a non-system disk.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

> On 28/12/2022 01:19 EET James Moe <moe.james at sma-inc.us> wrote:
>
> dovecot 2.3.15
> opensuse LEAP 15.4
>
> I changed logging to use a path rather than syslog. Doing so makes it easier
> to work with fail2ban.
> Dovecot fails to start with the error:
>   Can't open log file /data01/var/log/dovecot.log: Permission denied
>
> Permissions:
> drwxrwxr-x 1 root       users 104 Feb 25  2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecot    users  22 Dec 27 15:47 /data01/var/log/dovecot/
>
> "dovecot" is a member of "users".
>
> What "permission" am I missing?
>
> Note: A long time ago I had a problem with programs consuming all available
> space on the system disk with log or backup files. I have since gotten in the
> habit of putting log files on a non-system disk.
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.

Hi!

Dovecot drops all extra group memberships from processes when spawning them
unless told otherwise. The `log` service runs by default as root, not as
dovecot. If data01 is an NFS mount, then root may become squashed.

If you want to run log as `dovecot`, you can do so with

  service log {
    user = dovecot
  }

Aki

On 2022-12-27 16:19, James Moe wrote:
> I changed logging to use a path rather than syslog. Doing so makes it easier
> to work with fail2ban.
> Dovecot fails to start with the error:
>   Can't open log file /data01/var/log/dovecot.log: Permission denied
>

Yes, it was apparmor. It has been enabled for a couple of months. Dovecot is
the first app that I've added that has an apparmor profile.
After adding the necessary entry to the profile, logging proceeded as
expected.

In </etc/apparmor.d/usr.sbin.dovecot> I added:
  owner /data01/var/log/dovecot/* a,

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
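
Added example, not part of the thread: when the Unix permissions look correct and the open still fails with "Permission denied", the AppArmor denial is recorded in the audit or kernel log, and a small filter over those records shows which profile blocked which path. The sample records, the profile name `dovecot` and the file name `dovecot.log` under `/data01/var/log/dovecot/` are constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread). On a real
# host the records are in /var/log/audit/audit.log when auditd is running,
# otherwise in the kernel log.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1672183140.101:311): apparmor="DENIED" operation="mknod" profile="dovecot" name="/data01/var/log/dovecot/dovecot.log" pid=2210 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1672183140.102:312): apparmor="DENIED" operation="open" profile="dovecot" name="/data01/var/log/dovecot/dovecot.log" pid=2210 comm="dovecot" requested_mask="a" denied_mask="a" fsuid=0 ouid=0
type=AVC msg=audit(1672183201.417:340): apparmor="DENIED" operation="mknod" profile="dovecot" name="/data01/var/log/dovecot/dovecot.log" pid=2298 comm="dovecot" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1672183205.009:341): apparmor="ALLOWED" operation="open" profile="example-complain" name="/etc/hosts" pid=2301 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1672183205.010:342): arch=c000003e syscall=257 success=yes exit=3 pid=2301 comm="example"
EOF
}

# Read audit records on stdin and print one "profile path denied_mask" line
# per distinct AppArmor denial. Records in complain mode ("ALLOWED") and
# non-AppArmor records are skipped. Repeated denials collapse to one line.
apparmor_denials() {
    sed -n 's/.*apparmor="DENIED".* profile="\([^"]*\)".* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2 \3/p' |
        LC_ALL=C sort -u
}

# Keep only denials whose path lies under the given directory, to answer
# "is the new log location what the profile is blocking?".
denials_under() {
    awk -v dir="$1" 'index($2, dir "/") == 1'
}

# Stand-alone run over the constructed sample.
sample_audit_log | apparmor_denials | denials_under /data01/var/log
```

A denied mask of `c` (create) or `a` (append) on the log path means the profile lacks a rule for it, which is a different cause from the directory modes and group membership discussed earlier in the thread.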