Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1

After V1.2 had been up for a while, I started seeing tons of syslog
error messages like this:

Nov  5 09:11:52 mercury mail:err|error dovecot: IMAP(sdean): stat(/var/dcindx/sdean/.imap/DadEstate)
 failed: Permission denied (euid=202(sdean) egid=200(hcrc) missing +x perm: /var/dcindx)

Ownernship and Permissions are:
The index filesystem
2726 root@mercury:/var/dcindx ## ls -ald  
drwx--S--- 3946 dovecot  system       192512 Nov 05 08:59 ./

A user's directory is:

2729 root@mercury:/var/dcindx ## ls -al sdean

total 400
drwx--S---    7 sdean    sys             256 Sep 29 04:43 ./
drwx--S--- 3946 dovecot  system       192512 Nov 05 08:59 ../
drwx--S---  139 sdean    sys            8192 Sep 29 04:43 .imap/

and for the directory with the problem:

2731 root@mercury:/var/dcindx ## ls -al sdean/.imap/DadEstate
total 48
drwx--S---    2 sdean    sys             256 Sep 29 04:43 ./
drwx--S---  139 sdean    sys            8192 Sep 29 04:43 ../
-rw-------    1 sdean    sys             408 Jan 14 2009  dovecot.index
-rw-------    1 sdean    sys           18432 May 05 2009  dovecot.index.cache
-rw-------    1 sdean    sys             828 Jan 14 2009  dovecot.index.log

I switched back to V1.1, but the situation persists

dovecot -n:

# 1.1.15: /usr/local/etc/dovecot.conf
# OS: AIX 3 0001378F4C00  
listen: *:143
ssl_listen: *:993
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_processes_count: 12
login_max_processes_count: 774
max_mail_processes: 1024
verbose_proctitle: yes
first_valid_uid: 200
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=/var/dcindx/%u
mbox_write_locks: fcntl
mbox_dirty_syncs: no
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd


--
==== Once upon a time, the Internet was a friendly,
neighbors-helping-neighbors small town, and no one locked their doors.
Now it's like an apartment in Bed-Stuy: you need three heavy duty
pick-proof locks, one of those braces that goes from the lock to the
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin,
Bard College, New York 12504 sdean@... voice: 845-758-7475, fax:
845-758-7035

In desperation I changed the permissions on /var/dcindx with a chmod o+x
so that it is now:
drwx--S--x
which quieted that avalanche of error message.  Still, what *should* the
permissions and ownership be?

I'm also seeing these messages, which I've discovered were happening
before I did the migration:

Nov  5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Apple M
ail To Do) failed: Permission denied
Nov  5 09:37:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Drafts)
 failed: Permission denied

ahinds is a valid user.  There is no ahinds directory (as there should be) under /var/dcindx



Stewart Dean wrote:
--
==== Once upon a time, the Internet was a friendly,
neighbors-helping-neighbors small town, and no one locked their doors.
Now it's like an apartment in Bed-Stuy: you need three heavy duty
pick-proof locks, one of those braces that goes from the lock to the
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin,
Bard College, New York 12504 sdean@... voice: 845-758-7475, fax:
845-758-7035

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Nov 2009, Stewart Dean wrote:

Hello,

> In desperation I changed the permissions on /var/dcindx with a chmod o+x so
> that it is now:
> drwx--S--x
> which quieted that avalanche of error message.  Still, what *should* the
> permissions and ownership be?

There is no default answer for this question, except: so that all uids
used are able to create directories under /var/dcindex .

E.g. if all your users are mapped to one uid, you may use this uid.

If you use system users, who are all member of one group, have "g+xw" and
chgrp /var/dcindex to this group as well.

Your error message seem to indicate, that you should use:

1777

as for /tmp, because you have a range of uids and gids.

Regards,

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSvLsonWSIuGy1ktrAQK64Af9FbN75zBgezrFg4w+OOfpa0P+HhL/1dph
rOP27Ye/yLKkwDRB7hMHZWWNlo5BcuS1+xPYxG7TtUAGtYp95qAj8YpoauoAGdhr
MI2Cm4oAp+4BfkQ+FWJVkmbjo3TppDqaNEYfvl0wtm/ii6+sU9SvxZuJnLUzkbeD
nWkdAgx7UrryoRIaPElKBz1hmPLR0qpEesp2BscdyqOmJJcvQqAAYbtvEp6ZlTWT
XQmlc5+Xf/ZaxzKXVeS1CpKlfdDoBgCB3ToQeOiwZieYbrcUQ01Mpgxdr4eJ7mdE
JYMRv9XUE+ua5xnOZfZItWt3r05/qaCNIwOsjE2ybKnBWsKMPmd7Rg==
=uAGV
-----END PGP SIGNATURE-----

Steffan's answer was good. Also:

On Thu, 2009-11-05 at 09:24 -0500, Stewart Dean wrote:
> 2726 root@mercury:/var/dcindx ## ls -ald  
> drwx--S--- 3946 dovecot  system       192512 Nov 05 08:59 ./

Don't use "dovecot" user for ANYTHING. It's used internally by login
processes. There should be no files in filesystem owned by dovecot user.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Nov 2009, Stewart Dean wrote:

> So you say that the /var/dcindx permissions should be 1777?  Not 2777?  What

No, not 2777, your "/tmp" is not 2777 either, I guess.

> userid/group should own the directory?

I use root:root.

In fact, because multiple uids (and gids) have to create a directory
there, you have to use a tmp-like directory. "1xxx" means the sticky-bit,
so users may not remove an entry owned by another user. Because root is
owner of /var/dvindex, you have just those two users able to remove: root
and the owning user of the subdir. The user-specific subdirectories should
be 0700 or something like that, so the security is OK. DoS is possible
by filling the partition completely, but this ability is available in
other scenarios as well.

>
> #2:  Under both V1.1 and V1.2, the vast majority of users *can* and have
> created their index directories, but others can't.  How can this be?  This
> shows up as errmsgs like
> Nov  5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds):
> mkdir(/var/dcindx/ahinds/.imap/Apple M
> ail To Do) failed: Permission denied

All I can think of is that:

a) the existing subdirs had be created earlier e.g. by root or migration,

b) those few users use a different group.

IMHO, as soon as you have system users the /var/dcindex must be 1777,
the few exceptions, when all users share a single group, or you can
pre-create the directories are the special cases.

BTW: _If_ you use system users and your account name <-> uid relationship
can change, you should use an template different than /var/dcindex/%u,
e.g.  /var/dcindex/%i, because if a new user with an name already used
in past, but with another uid logs on the server, the uid cannot access
the old /var/dcindex/ahinds tree. The leftover files should not make
much worries, except the subscription perhaps.

Bye,

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSvQCuXWSIuGy1ktrAQIXFQgAwtHVLIpt9Kr+QCulz0NunTdAbtamiMrb
9i2ZVG9Sb5swAYmeRKOHYAWnVIcGA8gPnKDadVuG/+6+ZjDhcapk4MTlb8NzaKNV
6Rwr9I+JYdQI/HnLzHHj+WJxn6bgr5fe21LN1WXgwtIccAbOPSj7mzUih+p0V/RX
ZXpzLHgu6+BrdWdFgmnDUA1nidXCtV8/V9b1b6P4j591yeOnnXs3sJlhoucD3Pyt
Pt/8toXeJJMmxdbTSJME9ov5ZxfQHg8lBxVgB04RvhSP3CN4c3ijLI93heRUub0k
zeG79mS9xfHbXlxDHM4qUsxkOUgZyk7RU6q27arB5HFT3v/J/uVyFQ==
=YhYT
-----END PGP SIGNATURE-----