Fix permissions fails to fix subserver homes permissions. Email total fail!

BUG: Fix permissions fails to fix permissions inside the virtual subserver homes user folders.

Possibly also fails to fix permissions inside the top level virtual server homes user folders.

Why is this a severe bug?

Wrong ownership of mail folders causes total mail delivery failure.

Reason: owner of folder MUST match expected owner of mailbox that is to be delivered there.

Because Postfix forks to the expected owner of the mailbox before changing into that folder.

Because permissions on the mail user folder are o+rwx (0700) "owner only is allowed to enter this folder".

If the user that Postfix is rightfully expecting to be allowed to deliver mail to its own folder is in fact wrongfully NOT the owner of that folder, then mail delivery fails because Postfix cannot change to that folder, nor save the new mail item into that folder.

Steps to reproduce:

Set ownership RECURSIVELY on /home/server3/domains/mydomain.com/homes/jacky to the wrong owner, let's make it the top level virtual server owner user, server3

[code]
cd /home/server3/domains/mydomain.com/homes
chown -R server3 jacky
[/code]

On the Virtualmin web interface, click: Limits and Validation. Validate Virtual Servers. Fix Permissions. All Servers. Fix permissions now. Wait a few seconds, until it's done. Verify the ownership of the homes/jacky.

The ownership inside the homes folder is still incorrect. Owner should be jacky.mydomain for the folder jacky. This is the email inbox for jacky@mydomain.com. Instead, the owner of the folder homes/jacky is still server3. This is the incorrect owner; therefore, Postfix continues to fail to change into this folder, and fails to deliver mail to jacky@mydomain.com.

A very bad bug.

"Fix permissions" should fix the ownership of these critical folders and files inside all top level server homes folders, and sub server homes folders.

Status: 
Closed (fixed)

Comments

Howdy -- the Fix Permissions option currently only changes permissions of web-based files, such as the ones in the public_html folder.

It doesn't attempt to change permissions or ownership regarding email accounts.

We were discussing the possibility of adding that feature recently, and that may be added in the near future.

However, in the meantime, if the permissions for the email accounts were incorrectly set they'd need to be manually corrected.

This omission/bug - lack of fix of the permissions/ownership of the mail folders - caused total failure of mail for over 24 hours! After a mistake in recursively setting ownership of all files and folders under the sub-server, to server3:server3 - which works fine for web, but fails catastrophically for mail!

The thinking is that - since Virtualmin set the permissions and ownership of the mail folders when it created them, Virtualmin should be easily able to fix the permissions/ownership of the mail folders when the admin clicks "fix permissions".

If the admin user accidentally changes the permissions for the email users to incorrect permissions, Virtualmin currently will not automatically fix that situation.

Those need to be corrected manually, outside of Virtualmin.

We are looking into whether it's possible to have Virtualmin handle that.

Before we can do that, we need to explore how to avoid unintended consequences, as sometimes people want non-standard permissions for those directories.

I suspect that won't be a problem, we just need to make sure we handle those cases properly, which is what we're looking into now.

Actually, the current release of Virtualmin (4.16) should already fix the ownership of mailbox user home directories. Are you on the latest version?

Running Virtualmin 4.16. It's failing to fix ownership and permissions on subserver (and possibly top level server): /home/server3/domains/mydomain.com/homes/jackie

When the admin (incorrectly) sets jackie to ownership server3:server3, and/or permission other than 700, and runs Fix permissions, neither one gets changed by Virtualmin, they stay on the incorrect values.

Expected/correct ownership is: jackie.mydomain:server3 (user).(domain prefix):(top level server group)

Expected fixed permissions is: 700.

It should be recursive - all subdirectories and files need the owner, group and permissions set/fixed that way.

Currently the permissions fix applies only to the domain you select, and not sub-domains.

From which page in Virtualmin are you running the permissions fix?

From the screen Limits and Validation. Validate Virtual Servers. Fix Permissions.

Interesting wrinkle to this bug: The "Validate Virtual Servers" does indeed DETECT the wrong ownership of the virtual sub-server mail folder...

mydomain.com
Mail for domain : Home directory /home/server3/domains/mydomain.com/homes/jacky for user jacky.mydomain is owned by server3

BUT The "Fix permissions" fails to correct that ownership...

Is this user normally a "website FTP access" user, who has permissions to upload web content for the domain?

The user is a simple "login access: email only" type of user.

This bug case is one where the admin has unintentionally or unknowingly set the ownership of the sub-server mail user individual folder to be owned by the top level virtual server user.

Ok, I see the issue now - the page for fixing permissions doesn't even list sub-servers, so you don't even have the option to fix the problem domain! I will fix this in the upcoming 4.17 Virtualmin release.

Automatically closed -- issue fixed for 2 weeks with no activity.
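
A read-only check for the condition discussed in this thread, as an added example that is not part of the original issue or Virtualmin's own code: it reports mailbox home directories whose mode is not 700 or whose contents are not owned by (user).(domain prefix):(top level server group). It assumes GNU stat and find; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of mailbox home ownership and mode.
# Assumes GNU stat/find (Linux). Changes nothing on disk.

# check_mail_home DIR OWNER GROUP
# Prints one line per problem; returns 0 if clean, 1 if anything is wrong.
check_mail_home() {
    dir=$1 want_owner=$2 want_group=$3
    bad=0

    # Top-level directory must be mode 700 so only the mailbox user can enter.
    mode=$(stat -c '%a' "$dir") || return 2
    if [ "$mode" != "700" ]; then
        echo "MODE  $dir is $mode, expected 700"
        bad=1
    fi

    # Every file and subdirectory must be owned by OWNER:GROUP.
    wrong=$(find "$dir" -exec stat -c '%U:%G %n' {} + |
        awk -v want="$want_owner:$want_group" '$1 != want')
    if [ -n "$wrong" ]; then
        echo "$wrong" | sed 's/^/OWNER /'
        bad=1
    fi
    return $bad
}

# audit_homes HOMES_DIR PREFIX GROUP
# Expected owner of HOMES_DIR/<user> is <user>.<PREFIX>.
audit_homes() {
    homes=$1 prefix=$2 group=$3
    rc=0
    for d in "$homes"/*/; do
        [ -d "$d" ] || continue
        user=$(basename "$d")
        check_mail_home "${d%/}" "$user.$prefix" "$group" || rc=1
    done
    return $rc
}

# Example run (paths and names as given in the report):
# audit_homes /home/server3/domains/mydomain.com/homes mydomain server3
```

Each OWNER line shows the current owner:group followed by the path, so the output can be reviewed before any manual chown.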