Re: [Courier-imap] UID/GID Errors with 4.3.0
Brian,

Going by Sam's reply, this seemed to be an intentional change in 4.3.0 for a sanity check. I've already fixed-up my system by making the login groups match the homedir groups for the affected user.

I would still like to go through the exercise here for my own sanity, though. :-)

> > > > Jan 12 16:35:08 krweb authdaemond: Authenticated: sysusername=roddie, sysuserid=null, sysgroupid=20, homedir=/home/roddie, address=roddie, fullname=Roddie Hasan, maildir=null, quota=null, options=null
> > >
> > > OK, next check for HAVE_INITGROUPS in numlib/config.h
> >
> > It's defined to 1.
>
> Could you explain that last bit? How exactly are you running imapd? The group-changing code will only be invoked if imapd is running initially as root, and is changing the account to settings returned by courier-authlib

That's what I would have figured, too - I am simply typing imapd, (which is not suid/sgid).

Example when login GID does not match Maildir GID:

    % id
    uid=1037(yawnto) gid=20(staff) groups=20(staff),1002(users)
    % ls -ald Maildir/
    drwx-- 17 yawnto users 512 Nov 5 12:17 Maildir/
    % imapd
    * BYE [ALERT] Fatal error: Account's mailbox directory is not owned by the correct uid or gid: No such file or directory

When the above GIDs do match (ie. I put yawnto back into users):

    % imapd
    * PREAUTH Ready.
    INFO: LOGIN, user=yawnto, ip=[127.0.0.1], port=[0], protocol=IMAP

Regards,
Roddie

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
Re: [Courier-imap] UID/GID Errors with 4.3.0
On Wed, Jan 16, 2008 at 05:57:12AM -0600, Roddie Hasan wrote:
> > > > > Jan 12 16:35:08 krweb authdaemond: Authenticated: sysusername=roddie, sysuserid=null, sysgroupid=20, homedir=/home/roddie, address=roddie, fullname=Roddie Hasan, maildir=null, quota=null, options=null
> > > >
> > > > OK, next check for HAVE_INITGROUPS in numlib/config.h
> > >
> > > It's defined to 1.
> >
> > Could you explain that last bit? How exactly are you running imapd? The group-changing code will only be invoked if imapd is running initially as root, and is changing the account to settings returned by courier-authlib
>
> That's what I would have figured, too - I am simply typing imapd, (which is not suid/sgid).

That's what confused me - firstly you showed courier-authlib logs showing the account being authenticated, but then you said that you're running imapd directly from the command line (which doesn't perform any authentication at all, nor change user or groups, so this is a red herring)

> Example when login GID does not match Maildir GID:
>
>     % id
>     uid=1037(yawnto) gid=20(staff) groups=20(staff),1002(users)
>     % ls -ald Maildir/
>     drwx-- 17 yawnto users 512 Nov 5 12:17 Maildir/
>     % imapd
>     * BYE [ALERT] Fatal error: Account's mailbox directory is not owned by the correct uid or gid: No such file or directory

OK, I see there's an explicit check for this in imap/imapd.c:

    if ( buf.st_uid != geteuid() || buf.st_gid != getegid())
        write_error_exit("Account's mailbox directory is not owned by the correct uid or gid");

I've also seen Sam's reply. I can see where he's coming from - if you're going to use supplementary groups then you need to know what you're doing (e.g. use the sticky bit to ensure that the files created inside are owned by the directory's own group, rather than the user's primary group)

But for other users, this whole gid check is superfluous: e.g. mode 700 is perfectly legitimate and often appropriate for a Maildir, in which case it doesn't matter what group is assigned.

As Sam says - you can always kill the check.

Regards,
Brian.
Re: [Courier-imap] UID/GID Errors with 4.3.0
Roddie Hasan writes:
> It seems to only happen to users that are in more than one group. Courier appears to be using the GID from /etc/passwd to do its thing and is running into problems where a user's Maildir is in a different group than the login group (in my case, it's in the group that the homedir is in).

Files created by the imap server process itself -- and the imap server does create files itself -- will be owned by the primary uid and gid, and any auxiliary groups are completely irrelevant. Having newly-created files owned by a different uid/gid than the maildir itself may result in strange or unpredictable behavior later down the road.

Furthermore -- and this goes beyond the IMAP server -- an account's home directory's, and maildir's, ownership should match what's given as the account primary uid, gid. If the account is a member of some other, auxiliary group, that's fine but the account's home directory and maildir should match what's in the account database.

Someone who knows what they're doing can certainly set things up differently, which will work fine for them, since they know how things work, and how to make them work. However, that cannot be said for everyone, and there's been a steady procession of less-capable individuals complaining about mysterious error messages, that were ultimately resolved as due to mismatches between the actual maildir ownership, and what the account database gave as the primary uid/gid, forcing an explicit sanity check to be added.

You can certainly remove that snippet of code from the IMAP server, yourself.