dovecot cannot drop privileges inside singularity container

dovecot cannot drop privileges inside singularity container

cesco
Hi all

I'm facing an issue while running dovecot inside a singularity
(https://sylabs.io/singularity/) container.

The dovecot version is 2.3.4.1 (configuration below), running on Debian
buster inside a container made with singularity version 3.4.2.

Unfortunately, when I try to start dovecot, it gives:
Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3, submission (core dumps disabled)
Dec 30 17:23:38 testnode dovecot: anvil: Fatal: We couldn't drop root privileges
Dec 30 17:23:38 testnode dovecot: master: Error: service(anvil): command startup failed, throttling for 2 secs

The same happens on singularity containers based on Debian bullseye or
Alpine Linux 3.9.2.

many thanks!
nzasch

Singularity test.sif:~> doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-6-amd64 x86_64 Debian 10.2
# Hostname: testnode.example.net
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3 submission"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
RE: dovecot cannot drop privileges inside singularity container

Marc Roos

Have you tried setting linux capabilities, like
NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
permissions of paths? I had to relocate the run dir with things like
these

    && mkdir /var/dovecot \
    && mkdir /var/lib/dovecot \
    && (umask 027 ; mkdir /var/dovecot/login) \
    && (umask 022 ; mkdir /var/dovecot/empty) \
    && (umask 027 ; mkdir /var/dovecot/token-login)

-----Original Message-----
From: cesco [mailto:[hidden email]]
Sent: 30 December 2019 18:32
To: [hidden email]
Subject: dovecot cannot drop privileges inside singularity container
Re: dovecot cannot drop privileges inside singularity container

cesco
Hi,

Thank you for your response.

It seems that singularity does not limit capabilities in containers running
as root: the capabilities are the same inside and outside of the container.

The only difference is that inside the container the securebit
SECURE_NO_SETUID_FIXUP is set and locked. If this is the reason, perhaps I
should find a way to change this securebit setting in singularity.

thanks
nzasch

On 02/01/20 13:11, Marc Roos wrote:

>
> Have you tried setting linux capabilities, like
> NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
> permissions of paths? I had to relocate the run dir with things like
> these
>
>     && mkdir /var/dovecot \
>     && mkdir /var/lib/dovecot \
>     && (umask 027 ; mkdir /var/dovecot/login) \
>     && (umask 022 ; mkdir /var/dovecot/empty) \
>     && (umask 027 ; mkdir /var/dovecot/token-login)
>
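A small diagnostic for the comparison described in the two replies above (which capabilities the process holds, and which securebits are set and locked inside versus outside the container), added here as an example and not code from the thread or from Dovecot or Singularity. It decodes the Cap* masks from /proc/self/status and the securebits returned by prctl(PR_GET_SECUREBITS); the capability and securebit tables follow the kernel headers, and the status text used in the test is constructed.

```python
import ctypes
import re

# Capability names by bit number, in the order of linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Securebits from linux/securebits.h; each flag has a companion *_locked bit.
# no_setuid_fixup means a setuid() away from uid 0 no longer clears the
# capability sets, which is the setting the reply above found inside the container.
SECUREBITS = {
    0: "noroot", 1: "noroot_locked",
    2: "no_setuid_fixup", 3: "no_setuid_fixup_locked",
    4: "keep_caps", 5: "keep_caps_locked",
    6: "no_cap_ambient_raise", 7: "no_cap_ambient_raise_locked",
}
PR_GET_SECUREBITS = 27  # prctl option number from linux/prctl.h


def decode_caps(hex_mask):
    """Expand a CapEff/CapBnd/... hex mask from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def decode_securebits(value):
    """Return the names of every securebit set in a prctl(PR_GET_SECUREBITS) result."""
    return [name for bit, name in SECUREBITS.items() if value >> bit & 1]


def parse_status(text):
    """Map each Cap* line of a /proc/<pid>/status dump to its decoded capability list."""
    return {key: decode_caps(val)
            for key, val in re.findall(r"^(Cap\w+):\s*([0-9a-f]+)", text, re.M)}


def current_securebits():
    """Read this process's securebits via libc prctl (Linux only)."""
    libc = ctypes.CDLL(None, use_errno=True)
    return libc.prctl(PR_GET_SECUREBITS, 0, 0, 0, 0)


if __name__ == "__main__":
    # Run once on the host and once inside the container, then diff the output.
    with open("/proc/self/status") as f:
        for key, names in parse_status(f.read()).items():
            print(key, " ".join(names) or "-")
    print("securebits:", ", ".join(decode_securebits(current_securebits())) or "none")
```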