Skip to content

bugfix: special bits for maildrop and public directory#3149

Merged
polarathene merged 4 commits intomasterfrom
fix/postfix-spool-permissions
Mar 5, 2023
Merged

bugfix: special bits for maildrop and public directory#3149
polarathene merged 4 commits intomasterfrom
fix/postfix-spool-permissions

Conversation

@georglauterbach
Copy link
Copy Markdown
Member

@georglauterbach georglauterbach commented Mar 4, 2023

Description

After changing the group, special bits are lost, but they should be set for the directories /var/spool/postfix/{maildrop,public}, otherwise you see the following error:

postfix/postdrop[17400]: warning: mail_queue_enter: create file maildrop/729504.17400: Permission denied

The web page https://linux.m2osw.com/snapwebsites-postfixpostdrop18189-warning-mailqueueenter-create-file-maildrop25937318189-permission provides the solution to restoring the correct permissions.

This is a blocker for v12.0.0.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (README.md or the documentation under docs/)
  • If necessary I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@georglauterbach
fixed special bits for maildrop and public dir
b2527d0 
After changing the group, special bits are lost, but they should be set
for the directories `/var/spool/postfix/{maildrop,public}`, otherwise
you see the following error:

postfix/postdrop[17400]: warning: mail_queue_enter: create file maildrop/729504.17400: Permission denied

This page: https://linux.m2osw.com/snapwebsites-postfixpostdrop18189-warning-mailqueueenter-create-file-maildrop25937318189-permission
provides the solution to restoring the correct permissions.
@georglauterbach georglauterbach added this to the v12.0.0 milestone Mar 4, 2023
@georglauterbach georglauterbach self-assigned this Mar 4, 2023
casperklein
casperklein previously approved these changes Mar 4, 2023
View reviewed changes
@georglauterbach georglauterbach changed the title fixed special bits for maildrop and public dir bugfix: special bits for maildrop and public directory Mar 4, 2023
polarathene
polarathene requested changes Mar 4, 2023
View reviewed changes
Comment thread target/scripts/startup/setup.d/mail_state.sh Outdated
@polarathene
Copy link
Copy Markdown
Member

polarathene commented Mar 4, 2023 

postfix/postdrop[17400]: warning: mail_queue_enter: create file maildrop/729504.17400: Permission denied

How does postdrop / maildrop get triggered btw? We don't configure it in master.cf.

EDIT: This was from me recalling removing maildrop in master.cf a while back, but looking that PR up I point out they're not the same thing 😅

They're explained in Postfix docs for anyone curious:

For reference postfix installed on Alpine has maildrop/ permissions of 0730 🤷‍♂️

Perhaps see if it works with 1730, like it is by default in Debian, otherwise if really does need 3730 ok then 👍

@polarathene
Copy link
Copy Markdown
Member

polarathene commented Mar 5, 2023
edited
Loading

I found this mailing list discussion from 8 years ago which directs us to post-install and postfix-files. It's a bit hard for me to follow how it gets 2710 from there instead of 0710 though. There's three commands that are set 2755 though, one of them is postdrop ($command_directory maps to /usr/sbin/ I think?).

postfix check doesn't raise any issues about the lack of special permissions.

A long time ago there was a Postfix release announcement (2002) that mentioned chmod 1733 /var/spool/postfix/maildrop which is pretty close.

No /var/mail-state volume, using chgrp isn't stripping the permission bits?:

$ chgrp amavis /var/spool/postfix/{maildrop,public}
$ stat -c '%a %A %n' /var/spool/postfix/{maildrop,public}
1730 drwx-wx--T /var/spool/postfix/maildrop
2710 drwx--s--- /var/spool/postfix/public

$ ls -l /var/spool/postfix/ | grep -E 'maildrop|public'
drwx-wx--T 1 postfix amavis    6 Mar  5 03:03 maildrop
drwx--s--- 1 postfix amavis  110 Mar  5 03:28 public

I looked into why, and it turns out that this is due to a syscall, so is dependent upon the kernel rather than anything we control within the container 🤔

I'm having trouble finding a source on the proposed 3730 + 2730 changes. It seems we should just match what we're getting with Debian unless there is reason that doesn't work?

I did find plenty of users reporting 1730 working for them with the same error, more than those using 3730.

@polarathene
fix: Match octal permissions originally provided
85a3216 
Officially Postfix source seems to imply:
- `730` for `maildrop/` (_but has mentioned a sticky bit in the past, set-gid bit only for the postdrop binary involved_)
- `710` for `public/`, which like `maildrop/` has the same group that needs SGID, that is `postdrop`. SGID special bit on`public/` doesn't seem necessary, but left as-is to match Debian default.
polarathene
polarathene reviewed Mar 5, 2023
View reviewed changes
Comment thread target/scripts/startup/setup.d/mail_state.sh Outdated
polarathene
polarathene approved these changes Mar 5, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@polarathene polarathene left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

I've also included a reference to this PR since refactoring efforts have not made git blame hunting a fun time 😅

Plenty of resources linked in this PR discussion to provide additional clarity (like the syscall gotcha) just in case future maintainers thought it was no longer needed 😅

@polarathene polarathene merged commit 4e9ffbf into master Mar 5, 2023
@polarathene polarathene deleted the fix/postfix-spool-permissions branch March 5, 2023 07:57
@georglauterbach
Copy link
Copy Markdown
Member Author

georglauterbach commented Mar 5, 2023

Fix seems to be working on my setup ❤️ - I will monitor it though :)

@polarathene polarathene mentioned this pull request Sep 30, 2023
Open
@georglauterbach georglauterbach mentioned this pull request Nov 5, 2023
Closed
1 task
@georglauterbach
Copy link
Copy Markdown
Member Author

georglauterbach commented Nov 7, 2023

Turns out this issue was caused by allowPrivilegeEscalation: false in my setup, which caused the postdrop binary to run as another user.. Follow-up is #3619

@polarathene polarathene mentioned this pull request Nov 8, 2023
Merged
8 tasks
@polarathene polarathene mentioned this pull request Jun 21, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@casperklein casperklein casperklein left review comments

@polarathene polarathene polarathene approved these changes

Assignees

@georglauterbach georglauterbach

Labels

area/scripts priority/high service/postfix

Projects

None yet

Milestone

v12.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@georglauterbach @polarathene @casperklein