Bug#903161: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

Marcus Frings

Jul 7, 2018, 7:00:02 AM
Package: dovecot-core
Version: 1:2.3.2-2
Severity: normal

Since dovecot 2.3 has entered sid, my nightly cron runs of doveadm (as
user) produce the error message, which is shown in the subject.

This has already been reported upstream:
https://www.dovecot.org/list/dovecot/2018-January/110549.html

(My situation is the same as described in the original upstream report!)

A solution has also been provided by the developers:
https://www.dovecot.org/list/dovecot/2018-January/110552.html

Hence, please consider changing the socket permissions (as suggested by
upstream) in the next package upgrade of dovecot.

-- Package-specific info:

dovecot configuration
---------------------
# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.2 ()
# OS: Linux 4.16.0-2-amd64 x86_64 Debian buster/sid
auth_verbose = yes
auth_verbose_passwords = sha1:6
imap_id_log = *
imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} autoexpunged=%{autoexpunged} trashed=%{trashed} appended=%{appended} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}
mail_attachment_detection_options = add-flags-on-save
mail_location = maildir:~/Maildir
mail_plugins = " fts fts_lucene mail_log notify"
mail_privileged_group = mail
mailbox_list_index_include_inbox = yes
namespace {
  hidden = no
  list = yes
  location = maildir:~/Maildir/expunged
  prefix = .EXPUNGED/
  separator = /
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  driver = pam
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_decoder = decode2text
  fts_lucene = mime_parts whitespace_chars=@.
  lazy_expunge = .EXPUNGED/
  lazy_expunge_only_last_instance = yes
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append save mailbox_create
  mail_log_fields = uid box msgid from subject size vsize flags
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap"
service decode2text {
  executable = script /usr/local/bin/decode2text.sh
  unix_listener decode2text {
    mode = 0666
  }
  user = dovecot
}
ssl = required
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol imap {
  mail_plugins = " fts fts_lucene mail_log notify lazy_expunge"
}

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dovecot-core depends on:
ii adduser 3.117
ii libapparmor1 2.12-4+b1
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.27-3
ii libexttextcat-2.0-0 3.4.5-1
ii libicu60 60.2-6
ii liblz4-1 1.8.2-1
ii liblzma5 5.2.2-1.3
ii libpam-runtime 1.1.8-3.7
ii libpam0g 1.1.8-3.7
ii libsodium23 1.0.16-2
ii libssl1.1 1.1.0h-4
ii libstemmer0d 0+svn585-1+b2
ii libwrap0 7.6.q-27
ii lsb-base 9.20170808
ii openssl 1.1.0h-4
ii ssl-cert 1.0.39
ii ucf 3.0038
ii zlib1g 1:1.2.11.dfsg-1

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn dovecot-gssapi <none>
ii dovecot-imapd 1:2.3.2-2
pn dovecot-ldap <none>
pn dovecot-lmtpd <none>
ii dovecot-lucene 1:2.3.2-2
pn dovecot-managesieved <none>
pn dovecot-mysql <none>
pn dovecot-pgsql <none>
pn dovecot-pop3d <none>
ii dovecot-sieve 1:2.3.2-2
pn dovecot-solr <none>
pn dovecot-sqlite <none>
pn dovecot-submissiond <none>
pn ntp <none>

Versions of packages dovecot-core is related to:
ii dovecot-core [dovecot-common] 1:2.3.2-2
pn dovecot-dev <none>
pn dovecot-gssapi <none>
ii dovecot-imapd 1:2.3.2-2
pn dovecot-ldap <none>
pn dovecot-lmtpd <none>
pn dovecot-managesieved <none>
pn dovecot-mysql <none>
pn dovecot-pgsql <none>
pn dovecot-pop3d <none>
ii dovecot-sieve 1:2.3.2-2
pn dovecot-sqlite <none>

-- no debconf information

Apollon Oikonomopoulos

Nov 25, 2018, 1:40:03 PM
Control: tags -1 + moreinfo

Hi,

On 12:46 Sat 07 Jul , Marcus Frings wrote:
> Package: dovecot-core
> Version: 1:2.3.2-2
> Severity: normal
>
> Since dovecot 2.3 has entered sid, my nightly cron runs of doveadm (as
> user) produce the error message, which is shown in the subject.
>
> This has already been reported upstream:
> https://www.dovecot.org/list/dovecot/2018-January/110549.html
>
> (My situation is the same as described in the original upstream report!)
>
> A solution has also been provided by the developers:
> https://www.dovecot.org/list/dovecot/2018-January/110552.html
>
> Hence, please consider changing the socket permissions (as suggested by
> upstream) in the next package upgrade of dovecot.

Thanks for the report and apologies for the late response.

The issue described in the upstream mailing list is a bit different, as
it applies to dovecot 2.3.1. Dovecot 2.3.1 by default set the
stats-writer permissions to root:root, 0600. In 2.3.2 this was relaxed
to root:dovecot, 0660, which means that if you add your plain user to
the dovecot group, doveadm should work fine. Can you try this out? If it
works, I'll add a note in README.Debian about running doveadm as
non-root.

Thanks,
Apollon

Marcus Frings

Nov 26, 2018, 5:40:03 AM
Hi Apollon,

On Sun, 25 Nov 2018 20:22:11 +0200, Apollon Oikonomopoulos
<apo...@debian.org> wrote:

> The issue described in the upstream mailing list is a bit different,
> as it applies to dovecot 2.3.1. Dovecot 2.3.1 by default set the
> stats-writer permissions to root:root, 0600. In 2.3.2 this was
> relaxed to root:dovecot, 0660, which means that if you add your plain
> user to the dovecot group, doveadm should work fine. Can you try this
> out? If it works, I'll add a note in README.Debian about running
> doveadm as non-root.

I reverted my manual change of permissions
for /var/run/dovecot/stats-writer from 666 (suggested at the dovecot
mailing list) to 660 (Debian's current default) and added my
user to the dovecot group: I can confirm that running doveadm as normal
user now allows the nightly maintenance work (such as expunging mails).
Hence, it seems to work fine.

But do you think that this is the way to go (to add ordinary users to
the dovecot group)?

Best regards,
Marcus

Apollon Oikonomopoulos

Nov 26, 2018, 6:10:03 AM
It all comes down to the following question: do we trust everyone on the
system to submit dovecot stats or not? For some people it might be okay
to just change permissions to 0666. OTOH, upstream seems to be more
conservative about this.

Regarding the dovecot group, upstream notes the following:

commit 5cf6951e37bd37bb11b3335a3dbd029065143454
Author: Timo Sirainen <timo.s...@dovecot.fi>
Date: Wed Feb 7 13:03:23 2018 +0200

master: Add default_internal_group setting, defaulting to "dovecot"

It's expected that this is the primary group of the default_internal_user.

This group will be used to provide access to sockets that are generally
required by all Dovecot processes, but aren't safe enough to be allowed
completely open access from untrusted processes.

So, it looks like the intention is precisely to allow more fine-grained
access control for certain sockets.

Finally, bear in mind that doveadm is an administrative tool and not
meant to be run by "regular" users. For instance, it will fail if the
user invoking it does not have read permissions on all files under
/etc/dovecot/conf.d.

Regards,
Apollon
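
Added example, not part of any post in this thread: the access decision behind the 0600 / 0660 / 0666 discussion, evaluated for the three permission sets quoted above. The account name alice and the owner and group of the 0666 case are assumptions, and search permission on the socket's parent directory is assumed.

```python
import grp, os, pwd, stat
from dataclasses import dataclass

@dataclass(frozen=True)
class SocketPerms:
    label: str
    owner: str
    group: str
    mode: int

# Permission sets quoted in the thread. Owner and group of the 0666 case are
# an assumption (left at the 2.3.2 default); the thread only states its mode.
THREAD_CASES = {
    "2.3.1": SocketPerms("2.3.1 default", "root", "root", 0o600),
    "2.3.2": SocketPerms("2.3.2 default", "root", "dovecot", 0o660),
    "0666": SocketPerms("mode = 0666", "root", "dovecot", 0o666),
}

def can_connect(perms, user, groups):
    """On Linux, connect() to a pathname socket needs write permission on it.
    Exactly one class applies: owner, else group, else other. Search permission
    on the parent directory is assumed."""
    if user == "root":
        return True  # root bypasses the mode bits
    if user == perms.owner:
        return bool(perms.mode & stat.S_IWUSR)
    if perms.group in groups:
        return bool(perms.mode & stat.S_IWGRP)
    return bool(perms.mode & stat.S_IWOTH)

def exposure(perms):
    """Which permission classes, besides root, can submit stats."""
    classes = [(stat.S_IWUSR, "owner " + perms.owner),
               (stat.S_IWGRP, "group " + perms.group),
               (stat.S_IWOTH, "all other local accounts")]
    return [name for bit, name in classes if perms.mode & bit]

def from_path(path):
    """Read the same fields from a live socket such as /var/run/dovecot/stats-writer."""
    st = os.stat(path)
    return SocketPerms(path, pwd.getpwuid(st.st_uid).pw_name,
                       grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))

if __name__ == "__main__":
    # "alice" is a constructed unprivileged account, without and with the dovecot group.
    for p in THREAD_CASES.values():
        print(p.label, oct(p.mode), can_connect(p, "alice", {"alice"}),
              can_connect(p, "alice", {"alice", "dovecot"}), exposure(p))
```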

Marcus Frings

Nov 26, 2018, 7:50:02 AM
Hi Apollon,

On Mon, 26 Nov 2018 12:57:08 +0200, Apollon Oikonomopoulos
<apo...@debian.org> wrote:

> On 11:29 Mon 26 Nov , Marcus Frings wrote:
> > But do you think that this is the way to go (to add ordinary users
> > to the dovecot group)?
>
> It all comes down to the following question: do we trust everyone on
> the system to submit dovecot stats or not? For some people it might
> be okay to just change permissions to 0666. OTOH, upstream seems to
> be more conservative about this.
>
> Regarding the dovecot group, upstream notes the following:
>
> commit 5cf6951e37bd37bb11b3335a3dbd029065143454
> Author: Timo Sirainen <timo.s...@dovecot.fi>
> Date: Wed Feb 7 13:03:23 2018 +0200
>
> master: Add default_internal_group setting, defaulting to
> "dovecot"
> It's expected that this is the primary group of the
> default_internal_user.
> This group will be used to provide access to sockets that are
> generally required by all Dovecot processes, but aren't safe enough
> to be allowed completely open access from untrusted processes.
>
> So, it looks like the intention is precisely to allow more
> fine-grained access control for certain sockets.

Yes, I agree and see your point. Thanks for the additional information
by providing the upstream commit notes with respect to this issue. So
maybe it's the best solution to add a few lines to README.Debian as you
initially suggested.

Best regards,
Marcus

Tomas Pospisek

Jul 29, 2019, 12:40:03 PM
Package: dovecot-core
Version: 1:2.3.4.1-5
Followup-For: Bug #903161

Please also see related documentation bug ticket #933330

Josh Triplett

Aug 28, 2019, 8:50:02 PM
I ran into a similar issue here, whenever I ran the "deliver" process as
a user to deliver mail into IMAP folders (invoked from getmail).
"deliver" delivered the mail but then produced the error about writing
statistics, so getmail correctly concluded that the process errored.

I don't want to make statistics-writing available to all users. I don't
actually care about the statistics. So I figured out how to disable
statistics.

I found this commit in the changelog:

2017-12-22 13:27:48 +0200 Timo Sirainen <timo.s...@dovecot.fi> (aa572aa74)

lib-master: Hide connect(stats-writer) errors when running via CLI

Only hide errors that occur if the stats process isn't running, i.e. when
socket isn't found or there's no listener. This way e.g. permission errors
are still logged, which points to a wrong configuration.


So if the stats sockets don't exist at *all*, deliver won't complain.

To disable those stats sockets, add the following configuration to a
file in /etc/dovecot/conf.d/ :

service stats {
  unix_listener stats-reader {
    mode = 0
  }
  unix_listener stats-writer {
    mode = 0
  }
}

service old-stats {
  fifo_listener old-stats-mail {
    mode = 0
  }
  fifo_listener old-stats-user {
    mode = 0
  }
  unix_listener old-stats {
    mode = 0
  }
}

(Per https://wiki2.dovecot.org/Services , setting mode to 0 disables the
socket entirely.)

Then restart dovecot, and then delete /run/dovecot/stats-* and
/run/dovecot/old-stats-*. You can then run deliver without errors.

Hope that helps.

Josh Triplett

Aug 28, 2019, 9:10:03 PM
On Wed, Aug 28, 2019 at 05:43:27PM -0700, Josh Triplett wrote:
> So if the stats sockets don't exist at *all*, deliver won't complain.
>
> To disable those stats sockets, add the following configuration to a
> file in /etc/dovecot/conf.d/ :

Update: sadly this doesn't fully work, as it produces the following
spurious errors in the logs:

Aug 28 17:54:27 cloud dovecot[3168]: imap-login: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory
Aug 28 17:54:27 cloud dovecot[3168]: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory
Aug 28 17:54:27 cloud dovecot[3168]: auth: Error: stats: open(old-stats-user) failed: No such file or directory
Aug 28 17:54:28 cloud dovecot[3168]: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory
Aug 28 17:54:28 cloud dovecot[3168]: auth-worker(3182): Error: stats: open(old-stats-user) failed: No such file or directory
Aug 28 17:54:28 cloud dovecot[3168]: imap: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory

So while deliver has no problem ignoring such errors, the rest of
dovecot unfortunately doesn't like that configuration.

I'd like to have a "disable all stats" configuration, rather than having
to make a stats socket available to the user running deliver.
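
Added example, not part of the original posts: a small triage over stats-socket errors that separates "Permission denied" (the case the quoted commit says points to a wrong configuration) from missing or unlistened sockets. The sample mixes log lines quoted in this thread with one constructed line for the hypothetical account alice; treating an empty socket path as a stats error is an assumption taken from the doveadm output reported in the thread.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<proc>[\w-]+)(?:\([^)]*\))?: Error: (?:stats: )?"
    r"(?P<call>net_connect_unix|open)\((?P<path>[^)]*)\) failed: (?P<reason>.+)$"
)

# What each error string says about the socket itself.
CAUSES = {
    "Permission denied": "socket exists, caller lacks write access",
    "No such file or directory": "socket or FIFO is missing",
    "Connection refused": "nothing is listening on the path",
}

def triage(lines):
    """Group stats-socket errors as {(path, reason): sorted process names}."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        # Assumption: an empty path is the stats socket after
        # stats_writer_socket_path= was set, as reported in the thread.
        if m and ("stats" in m["path"] or m["path"] == ""):
            hits[(m["path"], m["reason"])].add(m["proc"])
    return {key: sorted(procs) for key, procs in hits.items()}

def permission_problems(lines):
    """Paths whose errors indicate wrong socket permissions rather than absence."""
    return sorted({path for (path, reason) in triage(lines)
                   if reason == "Permission denied"})

# Sample input: lines quoted in the thread, plus one constructed line (alice).
SAMPLE = [
    "Aug 28 17:54:27 cloud dovecot[3168]: imap-login: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory",
    "Aug 28 17:54:27 cloud dovecot[3168]: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory",
    "Aug 28 17:54:27 cloud dovecot[3168]: auth: Error: stats: open(old-stats-user) failed: No such file or directory",
    "Aug 28 17:54:28 cloud dovecot[3168]: auth-worker(3182): Error: stats: open(old-stats-user) failed: No such file or directory",
    "Aug 28 17:54:28 cloud dovecot[3168]: imap: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory",
    "doveadm(alice): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied",
    "doveadm(bjorn): Error: net_connect_unix() failed: Connection refused",
]

if __name__ == "__main__":
    for (path, reason), procs in triage(SAMPLE).items():
        print(f"{path or '<empty path>'}: {reason} ({CAUSES.get(reason, 'unclassified')}): {', '.join(procs)}")
    print("permission problems:", permission_problems(SAMPLE))
```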

Timo Sirainen

Aug 29, 2019, 6:20:03 AM
Add to dovecot.conf: stats_writer_socket_path=

Josh Triplett

Aug 29, 2019, 2:00:03 PM
Interesting! I'll try that and see how it goes.

Bjørn Mork

Nov 19, 2019, 10:30:05 AM
I tried the different methods suggested in this bug report, but had
no success with any of them.

Using

stats_writer_socket_path=

causes "doveadm index" to fail with

bjorn@canardo:~$ doveadm index -q -u bjorn INBOX.Spam
doveadm(bjorn): Error: net_connect_unix() failed: Connection refused

This can probably be worked around. But I'd prefer too many hacks just
to make stuff work again...

For now I ended up using:

service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}


I don't want to add mail users to the dovecot group. It's unclear to me
what privileges this will result in now and in the future. And I don't
want to maintain yet another mail user group anyway.

This mess should really be sorted out. Either there should be a way to
easily disable the stats service, or using it should be allowed for all
currently unprivileged operations. By default.



Bjørn

Milan

Apr 12, 2020, 10:00:03 AM
I use Dovecot 1:2.3.4.1-5+deb10u1 on Debian 10. Setting
"stats_writer_socket_path=" does not resolve the issue in my case, I
also get "net_connect_unix() failed". The following patch is supposed
to fix the issue:

https://dovecot.org/pipermail/dovecot/2019-January/114170.html
https://github.com/dovecot/core/commit/3fdb968687bf896a3e13c846e5eb6f0310dff65b

Can this patch be included in Dovecot on Debian 10?

Best regards.

sloth 96

May 8, 2022, 4:10:03 PM
Have there been any updates that should fix this issue?

Thanks.