> On 24 May 2019 17:11 Steven Smith via dovecot <dovecot@dovecot.org> wrote:
>
> I’m trying to configure dovecot lmtp in multi-user mode. My error logs are
> filled with messages saying that an imap process cannot do a setuid to
> another user:
>
> > May 21 22:28:46 imap(pid 17441 user myuser): Fatal: setuid(512(myuser) from
> > userdb lookup) failed with euid=501(adminuser): Operation not permitted
> > (This binary should probably be called with process user set to 512(myuser)
> > instead of 501(adminuser))
>
> I see that others have had similar issues, but I am not able to apply any of
> the fixes or workarounds to solve this issue (e.g. setting
> libexec/dovecot/imap as setuid-root). I’ve also tried other fixes like
> setting the permissions to 0777 on the userdb auth for postfix smtpd.
>
> According to the code (restrict-access.c, linked below), it appears that when
> a user authenticates, an imap worker process is launched that has the bid of
> the authenticator. When another user authenticates, this last process is
> used, but it does not have the permissions to perform a setuid to the new
> user, resulting in the Fatal error that appears in the logs.
>
> Is this a bug, or a configuration issue? I’ve posted my doveconf below.
>
> Any pointers would be greatly appreciated.
>
> Steve
>
service imap {
  client_limit = 16
  process_limit = 200
  process_min_avail = 6
  service_count = 0
}

This causes the imap process to be reused, but it cannot change its personality anymore. Also we *do not* recommend this configuration at all. You are putting multiple connections inside a single-threaded binary which can become "stuck" for other users when a single user performs long-lasting operations.

Try this:

service imap {
  process_limit = 200
  process_min_avail = 6
}

Aki
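
The reuse condition described in the reply above can be checked mechanically. The following is an added example, not part of the original message and not Dovecot code: a small Python check over doveconf-style text that flags an imap service block whose settings let one process serve more than one login. The sample text and function names are constructed, and the fallback value of 1 for client_limit and service_count is an assumption about what applies when the block does not set them.

```python
import re

# Constructed doveconf-style samples: REUSED mirrors the block quoted in the
# reply, SUGGESTED mirrors the replacement it proposes.
REUSED = """service imap {
  client_limit = 16
  process_limit = 200
  process_min_avail = 6
  service_count = 0
}"""
SUGGESTED = """service imap {
  process_limit = 200
  process_min_avail = 6
}"""

# Assumption: values in effect for imap when a setting is not overridden.
ASSUMED_DEFAULTS = {"client_limit": 1, "service_count": 1}

def parse_service(conf, name):
    """Return integer settings set directly inside `service <name> { ... }`."""
    settings, depth = {}, 0
    header = re.compile(r"service\s+%s\s*\{" % re.escape(name))
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0:
            depth = 1 if header.fullmatch(line) else 0
        elif line.endswith("{"):
            depth += 1          # nested block such as a listener; skip its keys
        elif line == "}":
            depth -= 1
        elif depth == 1:
            m = re.fullmatch(r"(\w+)\s*=\s*(\d+)", line)
            if m:
                settings[m.group(1)] = int(m.group(2))
    return settings

def reuse_findings(conf, name="imap"):
    """List the settings that let one process outlive a single login."""
    eff = {**ASSUMED_DEFAULTS, **parse_service(conf, name)}
    findings = []
    if eff["service_count"] != 1:
        findings.append("service_count = %d: process is kept after a client "
                        "disconnects and handed the next login" % eff["service_count"])
    if eff["client_limit"] > 1:
        findings.append("client_limit = %d: several connections share one "
                        "process" % eff["client_limit"])
    return findings
```

Calling reuse_findings(REUSED) returns two findings and reuse_findings(SUGGESTED) returns an empty list; in a setup where userdb returns a different uid per user, either finding matches the condition behind the setuid() Fatal line quoted above.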