Unable to write queue file, EACCES

Open mildsunrise opened this issue 4 years ago • 4 comments

system info

Haraka Haraka.js — Version: 2.8.24
Node v10.16.0
OS Linux ba33c2ee7ccf 4.15.0-1060-aws #62-Ubuntu SMP Tue Feb 11 21:23:22 UTC 2020 x86_64 GNU/Linux
openssl OpenSSL 1.1.0j 20 Nov 2018

Expected behavior

Sending outbound mail should work.

Observed behavior

Queueing fails:

[ERROR] [-] [core] [outbound] Unable to write queue file (1584147605715_1584147605715_0_19_kSiOk1_2_93af1f9d0b49): Error: EACCES: permission denied, open '/app/queue/__tmp__.1584147605715_1584147605715_0_19_kSiOk1_2_93af1f9d0b49'
[ERROR] [7D41E177-89D3-4D7D-8AA4-7999E1945850.1] [outbound] Queueing failed
[ERROR] [7D41E177-89D3-4D7D-8AA4-7999E1945850.1] [core] Unrecognized response from outbound layer: 903 : Queueing failed

This is because the queue directory is owned by root, but user=<...> has been set in smtp.ini. Doing chown <UID> queue allows queueing to succeed.

Steps to reproduce

Set up an outbound server using the guide, but add user=<...> and group=<...> to smtp.ini. It seems Haraka creates the queue directory automatically, but doesn't set correct permissions/ownership on it?

mildsunrise, Mar 14 '20 12:03

Running Haraka under root is an extremely bad idea. You might want to use setcap to allow it to bind to privileged ports.

Update: actually realized that guide suggests running it as root and it drops privs afterwards to user. It looks like this is a legit bug report.

celesteking, Apr 28 '20 11:04

> Running Haraka under root is an extremely bad idea

Not true. It was designed specifically to allow it.

For now just chown the queue directory. Is it possible you launched Haraka once without setting a user in smtp.ini? If not, then it's probably a simple bug - as you say - creating the dir before we drop privileges.

On Tue, Apr 28, 2020 at 7:43 AM celesteking wrote:

> Running Haraka under root is an extremely bad idea. You might want to use setcap https://gist.github.com/firstdoit/6389682 to allow it to bind to privileged ports.

baudehlo, Apr 28 '20 13:04

> Update: actually realized that guide suggests running it as root and it drops privs afterwards to user. It looks like this is a legit bug report.

Yes, this is what I was doing :)

> For now just chown the queue directory. Is it possible you launched Haraka once without setting a user in smtp.ini?

Nope, I'm fairly sure this is not the case... I can see how Haraka creates the directory before dropping privileges, it just doesn't chown it.

mildsunrise, Apr 28 '20 16:04

I think chown after creation is the proper solution. It's quite possible that the user Haraka runs as won't have the permissions needed to create or chown the queue dir.

msimerson, Apr 28 '20 17:04
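
The ordering discussed in this thread (create the queue directory, chown it, and only then drop privileges), as an added example that is not Haraka's code and not written by any commenter. The function names `ensureQueueDir` and `checkQueueDir` and the 0700 mode are assumptions; `uid` and `gid` stand for the numeric ids that the user= and group= settings resolve to.

```javascript
// Added example (not Haraka's code): prepare an outbound queue directory while
// still root, so the unprivileged user can write to it after the privilege drop.
// ensureQueueDir and checkQueueDir are hypothetical names.
const fs = require('fs');

// Explain why `uid` could not write queue files into `dir` ([] means it can).
function checkQueueDir(dir, uid) {
  let st;
  try {
    st = fs.lstatSync(dir); // lstat: do not follow a symlink sitting at `dir`
  } catch (err) {
    return [`cannot stat: ${err.code}`];
  }
  if (st.isSymbolicLink()) return ['is a symlink'];
  if (!st.isDirectory()) return ['not a directory'];
  const problems = [];
  if (st.uid !== uid) problems.push(`owned by uid ${st.uid}, expected ${uid}`);
  if ((st.mode & 0o300) !== 0o300) problems.push('owner lacks write/search bits');
  if (st.mode & 0o002) problems.push('world-writable');
  return problems;
}

// Run before process.setgid()/process.setuid(); uid and gid are the numeric ids
// that the user= and group= settings resolve to.
function ensureQueueDir(dir, uid, gid) {
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 }); // 0700 is an assumption
  const st = fs.lstatSync(dir);
  // Refuse to chown through a symlink or onto a non-directory while privileged.
  if (!st.isDirectory()) throw new Error(`${dir} is not a real directory`);
  // The step discussed in the thread: hand the directory to the target user.
  if (st.uid !== uid || st.gid !== gid) fs.chownSync(dir, uid, gid);
  const problems = checkQueueDir(dir, uid);
  if (problems.length) throw new Error(`${dir}: ${problems.join('; ')}`);
  return dir;
}
```

`checkQueueDir` can also be run on its own at startup to turn the EACCES from the report into a message that names the owner mismatch.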