Ownership of /etc/sasl2db is root:root instead of root:sasl

Bug #288478 reported by cwsupport

Affects | Status | Importance | Assigned to | Milestone
Release Notes for Ubuntu | Fix Released | Undecided | Robbie Williamson |
cyrus-sasl2 (Ubuntu) | Fix Released | High | Unassigned |
Intrepid | Won't Fix | High | Unassigned |
Jaunty | Fix Released | High | Unassigned |

Bug Description

Binary package hint: sasl2-bin

Ubuntu: 8.04.1
Version: 2.1.22.dfsg1-18ubuntu2

The Cyrus IMAP server runs as the user cyrus. But the /etc/sasl2db does not provide sufficient permissions for direct access by the IMAP server. saslauthd has no problems as it runs as root.

This file needs to be in the sasl group so that users of the DB can access it. This will also break Postfix's use of cyrus-sasl2 for SMTP Auth.

Scott Kitterman (kitterman) wrote :

Adding cyrus to the sasl group should also solve it. I don't think this is an actual bug in cyrus-sasl2.

cwsupport (netsupport) wrote : Re: [Bug 288478] Re: Ownership of /etc/sasl2db precludes direct access by Cyrus IMAP

Hi,

I'm not sure that will help as the permissions of the installed sasldb
are root.root with no acl on it.

Perhaps the issue is two-fold, the cyrus-common-2.2 install (which I
think creates the user) should include the sasl group permission for the
cyrus user, and cyrus-sasl2 should correct the group access on the
/etc/sasldb2 file to be root.sasl ?

Is it expected that all access will go through saslauthd? I used to run
this but changed to having the imap service access the sasldb directly
which saves memory etc as there is no need for me to run the saslauthd
service at all.

Or does this come under one of those cross-package configuration issues
that are basically resolved by hand?

Cheers,
Barry

Scott Kitterman wrote:
> Adding cyrus to the sasl group should also solve it. I don't think this
> is an actual bug in cyrus-sasl2.
>
>

--
Sincerely Yours

Copyright Witness Net Support
<email address hidden>

www.copyrightwitness.com
Registration centre for copyright works.

This e-mail and any attachments are confidential and intended for the addressee only.
The information in this mail does not amount to legal advice or opinion. Any views or legal references are those of the author and are based on personal opinion or understanding only.

Scott Kitterman (kitterman) wrote : Re: [Bug 288478] Re: Ownership of /etc/sasl2db precludes direct access by Cyrus IMAP

Interesting. I checked a couple of my boxes and it was in the sasl group.

Scott Kitterman (kitterman) wrote : Re: Ownership of /etc/sasl2db precludes direct access by Cyrus IMAP

OK. Confirmed. All the boxes I have were upgraded from Hardy. If I remove /etc/sasldb2 and recreate it in Intrepid it's root:root. If I do it on a Hardy box it's root:sasl.

description: updated
cwsupport (netsupport) wrote : Re: [Bug 288478] Re: Ownership of /etc/sasl2db precludes direct access by Cyrus IMAP

Hi,

The cyrus user *is* in the sasl group. However the permissions on
/etc/sasldb2 are root.root.
I believe this should either be cyrus.sasl or as a minimum root.sasl.

TTFN
Barry

Scott Kitterman wrote:
> Interesting. I checked a couple of my boxes and it was in the sasl
> group.
>
>


Changed in cyrus-sasl2:
importance: Undecided → High
milestone: none → intrepid-updates
status: New → Confirmed
Scott Kitterman (kitterman) wrote :

Proposed release note:

Cyrus SASL creates the database for its sasldb2 plugin with incorrect permissions. As a result, other users of this database, such as cyrus-imap, will not be able to access it and will fail. This does not affect upgrades of existing databases from a previous release. The work-around is to manually change the group of /etc/sasldb2 to sasl:

$ sudo chgrp sasl /etc/sasldb2

See Bug #288478 for details.
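
The check behind the proposed release note, as an added example that is not part of the original bug thread: a shell function that reports whether the database has the expected group, whether that group can read it without the file being open to other users, and whether the service account is in the group. The function name `check_sasldb` is hypothetical; the defaults (/etc/sasldb2, sasl, cyrus) come from the thread, GNU stat is assumed, and the "other" permission check is an addition.

```shell
#!/bin/sh
# Added example: audit the sasldb2 access path discussed in this bug.
# Assumes GNU stat (-c); path, group and user defaults come from the thread.

# check_sasldb [FILE] [GROUP] [USER]
# Prints one line per finding; return status is the number of findings.
check_sasldb() {
    file=${1:-/etc/sasldb2}
    want_group=${2:-sasl}
    svc_user=${3:-cyrus}
    findings=0

    if [ ! -e "$file" ]; then
        echo "MISSING: $file does not exist"
        return 1
    fi

    have_group=$(stat -c '%G' "$file")
    mode=$(printf '%03d' "$(stat -c '%a' "$file")")   # e.g. 640
    other=${mode#"${mode%?}"}                         # last octal digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                           # group octal digit

    # The regression in this bug: database created root:root, not root:sasl.
    if [ "$have_group" != "$want_group" ]; then
        echo "GROUP: $file has group '$have_group', expected '$want_group'"
        findings=$((findings + 1))
    fi
    # Group ownership only helps if the group can read the file.
    if [ $(( ${grp} & 4 )) -eq 0 ]; then
        echo "MODE: group has no read bit on $file (mode $mode)"
        findings=$((findings + 1))
    fi
    # Added check: opening the file to "other" is the wrong workaround.
    if [ "$other" != "0" ]; then
        echo "MODE: $file is accessible to other users (mode $mode)"
        findings=$((findings + 1))
    fi
    # The daemon's account must actually be a member of the group.
    case " $(id -nG "$svc_user" 2>/dev/null) " in
        *" $want_group "*) ;;
        *) echo "MEMBER: user '$svc_user' is not in group '$want_group'"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Example: sh check_sasldb.sh /etc/sasldb2 sasl cyrus
if [ "$#" -gt 0 ]; then check_sasldb "$@"; fi
```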

Robbie Williamson (robbiew) wrote :

Updated Intrepid release notes with statement above.

Changed in ubuntu-release-notes:
assignee: nobody → robbie.w
status: New → Fix Released
Steve Langasek (vorlon)
Changed in cyrus-sasl2:
milestone: intrepid-updates → none
Steve Langasek (vorlon) wrote :

I can't find anything in the package diff to explain this regression *or* the fix, but I've tested an install of the package on jaunty and the permissions on /etc/sasldb2 are set correctly by default; so I think this should be considered resolved for jaunty.

Changed in cyrus-sasl2:
status: Confirmed → Fix Released
Sergio Zanchetta (primes2h) wrote :

Thank you for reporting this bug to Ubuntu. Intrepid Ibex 8.10 reached EOL on 30 March 2010.
Please see this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.
Thank you.

Changed in cyrus-sasl2 (Ubuntu Intrepid):
status: Confirmed → Won't Fix
Sergio Zanchetta (primes2h) wrote :

I realized I had made a mistake, Intrepid Ibex 8.10 "will reach" EOL on 30 "APRIL" 2010.

Sorry for this.

Anyway, I think that one month doesn't make any difference now.
