Discussion:
[Dovecot] sievec - manual compile of global sieve scripts?
Thomas Harold
2011-08-01 20:11:32 UTC
How do you compile global scripts using the sievec command without
making the script directory owned (and group writable) by the vmail user?

http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage

# cd /etc/dovecot/sieve/before/
# (edit some script like spam.sieve that runs for everyone)
# /usr/local/bin/sievec spam.sieve spam.svbin

sievec(root): Error: sieve: binary save: failed to create temporary
file: open(spam.svbin.hostname.26921.) in directory
/etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail)
egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is not
dir owner)

# ls -la /etc/dovecot/sieve/before/
drwxrwxr-x 2 root root 4096 Aug 1 15:56 .
drwxr-xr-x 5 root root 4096 Aug 1 13:23 ..
-rw-rw-r-- 1 root root 477 Aug 1 15:33 spam.sieve

Or do I just make the /etc/dovecot/sieve/ tree owned and writable by the
vmail:vmail user? (Which worked, but seems like a bad idea.)

Output of dovecot -n

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server
release 5.7 (Tikanga)
auth_verbose_passwords = sha1
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1, 1.2.3.4
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after/
sieve_before = /etc/dovecot/sieve/before/
sieve_dir = ~/sieve
sieve_global_dir = /etc/dovecot/sieve/globalinclude/
}
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
user = vmail
}
}
service imap-login {
process_min_avail = 5
}
service pop3-login {
inet_listener pop3 {
address = 1.2.3.4
}
inet_listener pop3s {
address = 1.2.3.4
}
}
ssl = required
ssl_cert = </etc/pki/tls/private/certs/example_com.crt
ssl_key = </etc/pki/tls/private/example_com.key
protocol lda {
log_path = /var/log/dovecot/dovecot-lda
mail_plugins = " sieve"
}
Stephan Bosch
2011-08-02 00:43:06 UTC
Post by Thomas Harold
How do you compile global scripts using the sievec command without
making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/
# (edit some script like spam.sieve that runs for everyone)
# /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary
file: open(spam.svbin.hostname.26921.) in directory
/etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail)
egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is
not dir owner)
Why are you executing sievec as vmail in the first place? You should be
able to run it as root or any other user you use to manage global sieve
scripts.
Post by Thomas Harold
# ls -la /etc/dovecot/sieve/before/
drwxrwxr-x 2 root root 4096 Aug 1 15:56 .
drwxr-xr-x 5 root root 4096 Aug 1 13:23 ..
-rw-rw-r-- 1 root root 477 Aug 1 15:33 spam.sieve
Or do I just make the /etc/dovecot/sieve/ tree owned and writable by
the vmail:vmail user? (Which worked, but seems like a bad idea.)
It is a bad idea. Vmail would only need read access.

Regards,

Stephan
Thomas Harold
2011-08-02 12:32:49 UTC
Post by Stephan Bosch
Post by Thomas Harold
How do you compile global scripts using the sievec command without
making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/
# (edit some script like spam.sieve that runs for everyone)
# /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary
file: open(spam.svbin.hostname.26921.) in directory
/etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail)
egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is
not dir owner)
Why are you executing sievec as vmail in the first place? You should be
able to run it as root or any other user you use to manage global sieve
scripts.
Sorry, I may not have been clear before, I am trying to run sievec as
root. So the error is confusing to me because it looks like sievec is
trying to drop privs and do the compile as the vmail user. I haven't
done anything special to the sievec file (like making it run as vmail or
always run as root, SELinux is in permissive mode until I gather up
enough entries in the audit log to make an audit2allow run useful).

# ls -la /usr/local/bin
-rwxr-xr-x 1 root root 123989 Aug 1 12:25 sievec
-rwxr-xr-x 1 root root 119415 Aug 1 12:25 sieve-dump
-rwxr-xr-x 1 root root 133592 Aug 1 12:25 sieve-test

As a workaround, I may temporarily alter my Makefile to set the
directory writable by the vmail group, compile the scripts, then set the
directory read-only again. The files end up owned as vmail:vmail when I
do that, even though I execute the "sievec" command as root.

# /usr/local/bin/sievec sortspam.sieve sortspam.svbin
-rw-rw-r-- 1 root root 477 Aug 1 15:33 sortspam.sieve
-rw-rw-r-- 1 vmail vmail 321 Aug 2 08:26 sortspam.svbin

...

My current Makefile.

# cat Makefile
# http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#scriptcompile
SIEVEC=/usr/local/bin/sievec

SRCS=$(wildcard *.sieve)
OBJS=$(SRCS:.sieve=.svbin)

all: $(OBJS)

%.svbin : %.sieve
	$(SIEVEC) $? $@
Stephan Bosch
2011-08-02 12:45:33 UTC
Post by Thomas Harold
Post by Stephan Bosch
Post by Thomas Harold
How do you compile global scripts using the sievec command without
making the script directory owned (and group writable) by the vmail user?
http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage
# cd /etc/dovecot/sieve/before/
# (edit some script like spam.sieve that runs for everyone)
# /usr/local/bin/sievec spam.sieve spam.svbin
sievec(root): Error: sieve: binary save: failed to create temporary
file: open(spam.svbin.hostname.26921.) in directory
/etc/dovecot/sieve/before failed: Permission denied (euid=5000(vmail)
egid=5000(vmail) missing +w perm: /etc/dovecot/sieve/before, euid is
not dir owner)
Why are you executing sievec as vmail in the first place? You should be
able to run it as root or any other user you use to manage global sieve
scripts.
Sorry, I may not have been clear before, I am trying to run sievec as
root. So the error is confusing to me because it looks like sievec is
trying to drop privs and do the compile as the vmail user. I haven't
done anything special to the sievec file (like making it run as vmail
or always run as root, SELinux is in permissive mode until I gather up
enough entries in the audit log to make an audit2allow run useful).
# ls -la /usr/local/bin
-rwxr-xr-x 1 root root 123989 Aug 1 12:25 sievec
-rwxr-xr-x 1 root root 119415 Aug 1 12:25 sieve-dump
-rwxr-xr-x 1 root root 133592 Aug 1 12:25 sieve-test
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using
and what is your config (show dovecot -n output) ?

I suspect there may be a bug.

Regards,

Stephan.
Thomas Harold
2011-08-02 12:55:31 UTC
Post by Stephan Bosch
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using
and what is your config (show dovecot -n output) ?
I suspect there may be a bug.
dovecot-2.0-pigeonhole-0.2.3 - downloaded and compiled from source this
week. The dovecot package itself comes from ATRPMs and is 2.0.13.

Name : dovecot
Arch : x86_64
Epoch : 1
Version : 2.0.13
Release : 1_129.el5
Size : 5.1 M
Repo : installed
Summary : Dovecot Secure imap server
URL : http://www.dovecot.org/
License : MIT

Name : dovecot-devel
Arch : x86_64
Epoch : 1
Version : 2.0.13
Release : 1_129.el5
Size : 667 k
Repo : installed
Summary : Libraries and headers for Dovecot
URL : http://www.dovecot.org/
License : MIT

Output of dovecot -n

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server
release 5.7 (Tikanga)
auth_verbose_passwords = sha1
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1, 1.2.3.4
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after/
sieve_before = /etc/dovecot/sieve/before/
sieve_dir = ~/sieve
sieve_global_dir = /etc/dovecot/sieve/globalinclude/
}
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
user = vmail
}
}
service imap-login {
process_min_avail = 5
}
service pop3-login {
inet_listener pop3 {
address = 1.2.3.4
}
inet_listener pop3s {
address = 1.2.3.4
}
}
ssl = required
ssl_cert = </etc/pki/tls/private/certs/example_com.crt
ssl_key = </etc/pki/tls/private/example_com.key
protocol lda {
log_path = /var/log/dovecot/dovecot-lda
mail_plugins = " sieve"
}
Patrick Domack
2011-08-02 16:21:33 UTC
Mine has always behaved like this.

It looks up the root user in the auth database from the dovecot
config, and attempts to change to that user, and in this type of case
that would be vmail.

Then it attempts to check the mail_home and kind of fails, unless you
give vmail permission to that path that would be created using the
root user.
Post by Thomas Harold
Post by Stephan Bosch
What versions of Dovecot (obviously v2.0+) and Pigeonhole are you using
and what is your config (show dovecot -n output) ?
I suspect there may be a bug.
dovecot-2.0-pigeonhole-0.2.3 - downloaded and compiled from source
this week. The dovecot package itself comes from ATRPMs and is
2.0.13.
Name : dovecot
Arch : x86_64
Epoch : 1
Version : 2.0.13
Release : 1_129.el5
Size : 5.1 M
Repo : installed
Summary : Dovecot Secure imap server
URL : http://www.dovecot.org/
License : MIT
Name : dovecot-devel
Arch : x86_64
Epoch : 1
Version : 2.0.13
Release : 1_129.el5
Size : 667 k
Repo : installed
Summary : Libraries and headers for Dovecot
URL : http://www.dovecot.org/
License : MIT
Output of dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-274.el5 x86_64 Red Hat Enterprise Linux Server
release 5.7 (Tikanga)
auth_verbose_passwords = sha1
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1, 1.2.3.4
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after/
sieve_before = /etc/dovecot/sieve/before/
sieve_dir = ~/sieve
sieve_global_dir = /etc/dovecot/sieve/globalinclude/
}
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
user = vmail
}
}
service imap-login {
process_min_avail = 5
}
service pop3-login {
inet_listener pop3 {
address = 1.2.3.4
}
inet_listener pop3s {
address = 1.2.3.4
}
}
ssl = required
ssl_cert = </etc/pki/tls/private/certs/example_com.crt
ssl_key = </etc/pki/tls/private/example_com.key
protocol lda {
log_path = /var/log/dovecot/dovecot-lda
mail_plugins = " sieve"
}
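Taken together, Thomas's Makefile workaround (temporarily making the directory group-writable, which leaves the .svbin owned by vmail), Stephan's point that vmail only needs read access, and Patrick's explanation that sievec switches to the mail user suggest a cleaner procedure: let sievec write into a throwaway staging directory that vmail can write to, then install the binaries back into /etc/dovecot/sieve as root:root 0644, and verify afterwards that nothing in the tree is writable by anyone but root. The script below is an added example, not code from this thread or from the Pigeonhole project. It assumes GNU coreutils (stat -c, install), a mail user named vmail (from the posted config), that sievec takes the output path as its second argument and creates its temporary file beside that output path (both visible in the posted error), and that it is run as root. EXPECTED_OWNER is a hypothetical knob so the permission checks can be exercised as a non-root user.

```shell
#!/bin/sh
# Added example (not from the thread or from Pigeonhole): compile global Sieve
# scripts without making /etc/dovecot/sieve writable by the mail user.
# Assumptions: GNU coreutils (stat -c, install), mail user "vmail", and that
# sievec writes its temp file next to the OUTPUT path, so pointing the output
# at a vmail-writable staging directory avoids touching the real tree.
set -u

SIEVEC="${SIEVEC:-/usr/local/bin/sievec}"
SIEVE_DIR="${SIEVE_DIR:-/etc/dovecot/sieve/before}"
MAIL_USER="${MAIL_USER:-vmail}"
# Who should own the script tree; "root" in production, overridable for tests.
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# 0 if PATH is owned by EXPECTED_OWNER and has no group/other write bit,
# i.e. a non-root account such as vmail can at most read it.
is_root_readonly() {
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$EXPECTED_OWNER" ] || return 1
    perm=$(stat -c '%A' "$1") || return 1    # e.g. "-rw-rw-r--"
    case "$perm" in
        ?????w*)    return 1 ;;             # position 6: group write
        ????????w*) return 1 ;;             # position 9: other write
    esac
    return 0
}

# 0 if DIR and every .sieve/.svbin inside it pass is_root_readonly;
# prints each offending path (this is the state the thread ended up in).
verify_tree() {
    dir="$1"; rc=0
    is_root_readonly "$dir" || { echo "writable or wrong owner: $dir"; rc=1; }
    for f in "$dir"/*.sieve "$dir"/*.svbin; do
        [ -e "$f" ] || continue          # skip unmatched glob
        is_root_readonly "$f" || { echo "writable or wrong owner: $f"; rc=1; }
    done
    return $rc
}

# Compile every .sieve in DIR via a staging dir the mail user can write to
# (sievec switches to that user), then install the binaries as root:root 0644
# so the real tree stays read-only for vmail. Must run as root.
compile_global_scripts() {
    dir="$1"
    stage=$(mktemp -d) || return 1
    chown "$MAIL_USER" "$stage" && chmod 0700 "$stage" || { rm -rf "$stage"; return 1; }
    rc=0
    for src in "$dir"/*.sieve; do
        [ -e "$src" ] || continue
        name=${src##*/}; bin="${name%.sieve}.svbin"
        if "$SIEVEC" "$src" "$stage/$bin"; then
            install -o root -g root -m 0644 "$stage/$bin" "$dir/$bin" || rc=1
        else
            echo "compile failed: $src"; rc=1
        fi
    done
    rm -rf "$stage"
    return $rc
}

# Only compiles when asked explicitly, so the file can be sourced for the checks.
if [ "${1:-}" = "compile" ]; then
    compile_global_scripts "$SIEVE_DIR" && verify_tree "$SIEVE_DIR"
fi
```

Run it as root with `sh sieve-compile.sh compile` in place of the Makefile recipe; the exit status is non-zero if any compile or install failed or if the tree was left writable. The staging directory is owned by vmail but mode 0700, which root can still read, so the installed binaries never pass through a group-writable /etc/dovecot/sieve.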