diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index 7ae40a0092..da45bc2b97 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -239,6 +239,7 @@ effinger
 egid
 EID
 Eing
+eip
 ekh
 emacs
 emaillookup
@@ -868,6 +869,7 @@ seqno
 SERVERBUG
 servermetadata
 SETACTIVE
+setcap
 setcred
 setra
 setspn
diff --git a/source/configuration_manual/howto/rootless.rst b/source/configuration_manual/howto/rootless.rst
index 1c7febdf59..82aa48ccec 100644
--- a/source/configuration_manual/howto/rootless.rst
+++ b/source/configuration_manual/howto/rootless.rst
@@ -48,6 +48,25 @@ example configuration file exists in ``~/dovecot/share/doc/dovecot/example-config/`` and needs to be copied to ``~/dovecot/etc/dovecot/``.
+Add capabilities
+----------------
+
+Modern linux systems support capabilities which allows you to permit
+selective rights to processes. This allows you to run dovecot rootless
+without losing chroot and privileged ports.
+
+Use following commands to enable this
+
+.. code:: bash
+
+ setcap cap_sys_chroot,cap_net_bind_service+eip ~/dovecot/libexec/dovecot/submission-login
+ setcap cap_sys_chroot,cap_net_bind_service+eip ~/dovecot/libexec/dovecot/pop3-login
+ setcap cap_sys_chroot,cap_net_bind_service+eip ~/dovecot/libexec/dovecot/imap-login
+ setcap cap_sys_chroot,cap_net_bind_service+eip ~/dovecot/libexec/dovecot/lmtp
+ setcap cap_sys_chroot+eip ~/dovecot/libexec/dovecot/anvil
+ # if you have installed managesieve
+ setcap cap_sys_chroot+eip ~/dovecot/libexec/dovecot/managesieve-login
+
 Configuration
 -------------
@@ -61,7 +80,8 @@ The important settings to change for rootless installation are: default_login_user = user default_internal_group = group
-- Remove default chrooting from all services:
+- Remove default chrooting from all services, this is optional if you want
+ to use Linux capabilities instead.
 ::
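Review bot: The ``setcap`` block in the new "Add capabilities" section does not say that it has to be run as root (setting a file capability requires CAP_SETFCAP), which is easy to miss on a page whose whole point is running Dovecot without root. The capability is stored on the binary itself as an extended attribute, so as far as I know it is also lost whenever that binary is reinstalled or rewritten and the commands have to be repeated after every upgrade; a sentence above the block such as `Run these commands as root and repeat them after every reinstall of the binaries, since the capability is stored on the file itself.` would cover both points. The inheritable bit in ``+eip`` has no effect unless the invoking process already carries the capability in its own inheritable set, so the conventional ``+ep`` would state the intent more precisely, although ``+eip`` is not wrong. Two wording nits in the same hunk: `Modern linux systems` should be `Modern Linux systems`, and `Use following commands to enable this` should read `Use the following commands to enable this:`.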
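Review bot: The rewritten bullet `- Remove default chrooting from all services, this is optional if you want to use Linux capabilities instead.` is a comma splice, and its twin in the hunk at line 75 of the same file has the same construction and additionally drops the terminal punctuation (`capabilities instead` with no period). Both read better as a parenthetical that keeps the colon the old line used to introduce the literal block that follows, e.g. `- Remove default chrooting from all services (optional if you use Linux capabilities instead):` and `- Change listener ports (optional if you use Linux capabilities instead):`. It would also help to say that "capabilities" here refers to the ``setcap`` block added earlier on this page, since a reader following that path otherwise has to infer that the binaries listed there are the only ones affected by these two bullets. The enclosing bullet list begins before this hunk.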
@@ -75,7 +95,8 @@ The important settings to change for rootless installation are: chroot = }
-- Change listener ports:
+- Change listener ports, this is optional if you want to use Linux
+ capabilities instead
 ::