As an update to this - it works if I set "mail_auth" as the <primary> group of 
the opensmtpd user (rather than a secondary group). Not sure if this is a feature or a bug but 
I'll file something over on the github project page. In any case I consider this an acceptable 
fix to allow opensmtpd and dovecot to share the file.

Was dovecot able to use the file without g=r for you? It doesn't for me?

My conclusions on this issue:

It seems on Linux that a process started as a user by another user (as done by opensmtpd and dovecot to drop permissions to a non-privileged user) inherits by default only that user's primary group. Secondary groups (e.g. as defined in /etc/groups) are not inherited unless explicitly done so (see "man initgroups"). This isn't something I've dealt with before and didn't really understand.

The short of it is that to share the passwd file, either:

1. The file must be world-readable (not so good)

2. The opensmtpd and dovecot daemon users must share a primary group, or

3. The daemons must call initgroups() or something similar after dropping privileges.

I've decided on option #2 as a current solution.

Jeremy
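
The three options listed in the message above, worked through as an added C example (not part of the original post, and not OpenSMTPD or Dovecot code). `can_read` is a simplified model of the kernel's permission-class check and `drop_privileges` is a privilege drop that also loads secondary groups; both function names and all uid/gid numbers are assumptions made up for illustration.

```c
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified model of the kernel's read check (ignores root and ACLs):
 * exactly one permission class applies: owner, then group, then other. */
int can_read(mode_t mode, uid_t fuid, gid_t fgid,
             uid_t euid, gid_t egid, const gid_t *sup, int nsup)
{
    if (euid == fuid)
        return (mode & S_IRUSR) != 0;
    int in_group = (egid == fgid);
    for (int i = 0; i < nsup && !in_group; i++)
        in_group = (sup[i] == fgid);
    return in_group ? (mode & S_IRGRP) != 0 : (mode & S_IROTH) != 0;
}

/* Drop from root to `user`, loading the secondary groups as well.
 * initgroups() and setgid() need privilege, so setuid() comes last. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed ids: file is root:mail_auth (gid 2000), daemon is 1001:1001. */
    const gid_t mail_auth = 2000, sup[] = { 2000 };
    printf("0640, primary group only:     %d\n",
           can_read(0640, 0, mail_auth, 1001, 1001, NULL, 0));
    printf("0640, secondary group loaded: %d\n",
           can_read(0640, 0, mail_auth, 1001, 1001, sup, 1));
    printf("0640, shared primary group:   %d\n",
           can_read(0640, 0, mail_auth, 1001, mail_auth, NULL, 0));
    printf("0644, world-readable:         %d\n",
           can_read(0644, 0, mail_auth, 1001, 1001, NULL, 0));
    return 0;
}
```

`drop_privileges` only succeeds when started as root; the `can_read` cases in `main` run as any user.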

