#903161 net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

Package:
dovecot-core
Source:
dovecot
Description:
secure POP3/IMAP server - core files
Submitter:
Marcus Frings
Date:
2022-05-08 20:09:03 UTC
Severity:
important
#903161#5
Date:
2018-07-07 10:46:03 UTC
From:
To:
Since dovecot 2.3 has entered sid, my nightly cron runs of doveadm (as
user) produce the error message, which is shown in the subject.

This has already been reported upstream:
https://www.dovecot.org/list/dovecot/2018-January/110549.html

(My situation is the same as described in the original upstream report!)

A solution has also been provided by the developers:
https://www.dovecot.org/list/dovecot/2018-January/110552.html

Hence, please consider changing the socket permissions (as suggested by
upstream) in the next package upgrade of dovecot.

#903161#14
Date:
2018-11-25 18:22:11 UTC
From:
To:
Hi,

Thanks for the report and apologies for the late response.

The issue described in the upstream mailing list is a bit different, as
it applies to dovecot 2.3.1. Dovecot 2.3.1 by default set the
stats-writer permissions to root:root, 0600. In 2.3.2 this was relaxed
to root:dovecot, 0660, which means that if you add your plain user to
the dovecot group, doveadm should work fine. Can you try this out? If it
works, I'll add a note in README.Debian about running doveadm as
non-root.

Thanks,
Apollon

#903161#21
Date:
2018-11-26 10:29:05 UTC
From:
To:
Hi Apollon,

I reverted my manual change of permissions
for /var/run/dovecot/stats-writer from 666 (suggested at the dovecot
mailing list) to 660 (Debian's current default) and added my
user to the dovecot group: I can confirm that running doveadm as normal
user now allows the nightly maintenance work (such as expunging mails).
Hence, it seems to work fine.

But do you think that this is the way to go (to add ordinary users to
the dovecot group)?

Best regards,
Marcus
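
The socket modes discussed so far in this thread (0600 root:root in 2.3.1, 0660 root:dovecot in 2.3.2, and the 0666 change from the mailing list) can be checked with a small audit script. This is an added example, not part of the bug report or of Dovecot; the function names and the sample user "alice" are hypothetical, and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit which permission class lets USER connect to a Dovecot
# stats socket. connect() on a Unix socket needs write permission on the
# socket file; directory traversal rights and ACLs are not checked here.

# in_list WORD "space separated list"
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# access_class MODE OWNER GROUP USER "USER_GROUPS"
# Prints root, owner, group, other or denied, applying the kernel's rule
# that only the first matching class (owner, then group, then other) counts.
access_class() {
    m=$((0$1))                       # stat prints octal without a leading 0
    if [ "$4" = root ]; then echo root; return 0; fi
    if [ "$4" = "$2" ]; then bit=$((m & 0200)); class=owner
    elif in_list "$3" "$5"; then bit=$((m & 0020)); class=group
    else bit=$((m & 0002)); class=other
    fi
    if [ "$bit" -ne 0 ]; then echo "$class"; else echo denied; fi
}

# audit_socket PATH USER: report the live socket; returns 2 if stat/id fail.
audit_socket() {
    path=$1; user=$2
    info=$(stat -c '%a %U %G' "$path") || return 2     # GNU stat
    ugroups=$(id -nG "$user") || return 2
    set -- $info
    class=$(access_class "$1" "$2" "$3" "$user" "$ugroups")
    echo "$path mode=$1 owner=$2 group=$3 user=$user access=$class"
    if [ $((0$1 & 0002)) -ne 0 ]; then
        echo "note: world-writable, any local account can submit stats"
    fi
}

# Usage: sh audit.sh /var/run/dovecot/stats-writer USER
if [ "$#" -ge 2 ]; then audit_socket "$1" "$2"; fi
```

An access value of "other" means the user gets in only because the socket is world-writable, which is the 0666 case; "group" corresponds to the 0660 default with the user added to the dovecot group.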

#903161#26
Date:
2018-11-26 10:57:08 UTC
From:
To:
system to submit dovecot stats or not? For some people it might be okay
to just change permissions to 0666. OTOH, upstream seems to be more
conservative about this.

Regarding the dovecot group, upstream notes the following:

  commit 5cf6951e37bd37bb11b3335a3dbd029065143454
  Author: Timo Sirainen <timo.sirainen@dovecot.fi>
  Date:   Wed Feb 7 13:03:23 2018 +0200

      master: Add default_internal_group setting, defaulting to "dovecot"

      It's expected that this is the primary group of the default_internal_user.

      This group will be used to provide access to sockets that are generally
      required by all Dovecot processes, but aren't safe enough to be allowed
      completely open access from untrusted processes.

So, it looks like the intention is precisely to allow more fine-grained
access control for certain sockets.

Finally, bear in mind that doveadm is an administrative tool and not
meant to be run by "regular" users. For instance, it will fail if the
user invoking it does not have read permissions on all files under
/etc/dovecot/conf.d.

Regards,
Apollon

#903161#31
Date:
2018-11-26 12:40:07 UTC
From:
To:
Hi Apollon,

On Mon, 26 Nov 2018 12:57:08 +0200, Apollon Oikonomopoulos <apoikos@debian.org> wrote:

Yes, I agree and see your point. Thanks for the additional information
by providing the upstream commit notes with respect to this issue. So
maybe it's the best solution to add a few lines to README.Debian as you
initially suggested.

Best regards,
Marcus

#903161#36
Date:
2019-07-29 15:49:32 UTC
From:
To:
Please also see related documentation bug ticket #933330

#903161#41
Date:
2019-08-29 00:43:28 UTC
From:
To:
I ran into a similar issue here, whenever I ran the "deliver" process as
a user to deliver mail into IMAP folders (invoked from getmail).
"deliver" delivered the mail but then produced the error about writing
statistics, so getmail correctly concluded that the process errored.

I don't want to make statistics-writing available to all users. I don't
actually care about the statistics. So I figured out how to disable
statistics.

I found this commit in the changelog:

2017-12-22 13:27:48 +0200 Timo Sirainen <timo.sirainen@dovecot.fi> (aa572aa74)

    lib-master: Hide connect(stats-writer) errors when running via CLI

    Only hide errors that occur if the stats process isn't running, i.e. when
    socket isn't found or there's no listener. This way e.g. permission errors
    are still logged, which points to a wrong configuration.


So if the stats sockets don't exist at *all*, deliver won't complain.

To disable those stats sockets, add the following configuration to a
file in /etc/dovecot/conf.d/ :

service stats {
  unix_listener stats-reader {
    mode = 0
  }
  unix_listener stats-writer {
    mode = 0
  }
}

service old-stats {
  fifo_listener old-stats-mail {
    mode = 0
  }
  fifo_listener old-stats-user {
    mode = 0
  }
  unix_listener old-stats {
    mode = 0
  }
}

(Per https://wiki2.dovecot.org/Services , setting mode to 0 disables the
socket entirely.)

Then restart dovecot, and then delete /run/dovecot/stats-* and
/run/dovecot/old-stats-*. You can then run deliver without errors.

Hope that helps.

#903161#46
Date:
2019-08-29 00:57:18 UTC
From:
To:
spurious errors in the logs:

Aug 28 17:54:27 cloud dovecot[3168]: imap-login: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory
Aug 28 17:54:27 cloud dovecot[3168]: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory
Aug 28 17:54:27 cloud dovecot[3168]: auth: Error: stats: open(old-stats-user) failed: No such file or directory
Aug 28 17:54:28 cloud dovecot[3168]: auth: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory
Aug 28 17:54:28 cloud dovecot[3168]: auth-worker(3182): Error: stats: open(old-stats-user) failed: No such file or directory
Aug 28 17:54:28 cloud dovecot[3168]: imap: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or directory

So while deliver has no problem ignoring such errors, the rest of
dovecot unfortunately doesn't like that configuration.

I'd like to have a "disable all stats" configuration, rather than having
to make a stats socket available to the user running deliver.

#903161#51
Date:
2019-08-29 10:08:32 UTC
From:
To:

#903161#56
Date:
2019-08-29 17:49:04 UTC
From:
To:
Interesting! I'll try that and see how it goes.

#903161#61
Date:
2019-11-19 15:11:55 UTC
From:
To:
I tried the different methods suggested in this bug report, but had
no success with any of them.

Using

  stats_writer_socket_path=

causes "doveadm index" to fail with

 bjorn@canardo:~$ doveadm index -q -u bjorn INBOX.Spam
 doveadm(bjorn): Error: net_connect_unix() failed: Connection refused

This can probably be worked around.  But I'd prefer too many hacks just
to make stuff work again...

For now I ended up using:

service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}


I don't want to add mail users to the dovecot group. It's unclear to me
what privileges this will result in now and in the future. And I don't
want to maintain yet another mail user group anyway.

This mess should really be sorted out.  Either there should be a way to
easily disable the stats service, or using it should be allowed for all
currently unprivileged operations.  By default.



Bjørn

#903161#66
Date:
2020-04-12 13:45:22 UTC
From:
To:
I use Dovecot 1:2.3.4.1-5+deb10u1 on Debian 10. Setting
"stats_writer_socket_path=" does not resolve the issue in my case, I
also get "net_connect_unix() failed". The following patch is supposed
to fix the issue:

https://dovecot.org/pipermail/dovecot/2019-January/114170.html
https://github.com/dovecot/core/commit/3fdb968687bf896a3e13c846e5eb6f0310dff65b

Can this patch be included in Dovecot on Debian 10?

Best regards.

#903161#73
Date:
2022-05-08 20:04:31 UTC
From:
To:
https://github.com/dovecot/core/commit/3fdb968687bf896a3e13c846e5eb6f0310dff65b

Have there been any updates that should fix this issue?

Thanks.