Skip to content

fix: Ensure DMS config volume can be accessed by non-root users#4487

Merged
polarathene merged 3 commits intomasterfrom
fix/dms-config-vol-access-by-nonroot
May 23, 2025
Merged

fix: Ensure DMS config volume can be accessed by non-root users#4487
polarathene merged 3 commits intomasterfrom
fix/dms-config-vol-access-by-nonroot

Conversation

@polarathene
Copy link
Copy Markdown
Member

@polarathene polarathene commented May 22, 2025
edited
Loading

Description

This is similar to a recent fix for the DMS state volume, where a non-root user needs access but the host directory mounted has mistakenly been too aggressive with permissions for the directory (one known example is AWS ECS (EC2) using EBS volumes).

It appears that Rspamd support with DKIM at least expects this due to running operations as the _rspamd user to read content from the DMS config volume. In future this concern shouldn't be the case, as the root user during setup could make internal copies that anything running as _rspamd should instead interact with.

However since this is not always an obvious failure (various unresolved reports in the past were tripped up by this for the state volume), the fix is probably worth adding? (makes me wonder if similar is prone to our other volumes too then 🤔)

NOTE: While we only need chmod o+x, we can use chmod +x here as unlike other permissions like +w it appears to apply +x to ugo by default.

Fixes: #4485

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • New and existing unit tests pass locally with my changes
  • I have added information about changes made in this PR to CHANGELOG.md

@polarathene polarathene added this to the v15.1.0 milestone May 22, 2025
@polarathene polarathene self-assigned this May 22, 2025
@polarathene
Copy link
Copy Markdown
Member Author

polarathene commented May 22, 2025

I've added a separate DMS_CONFIG_DIR variable instead of referencing /tmp/docker-mailserver directly, I could remove that, but we may want to consider at some point having a global var for this location as at some point it probably shouldn't be /tmp/docker-mailserver 🤔

@polarathene polarathene mentioned this pull request May 22, 2025
Closed
1 task
@polarathene polarathene merged commit f6381d3 into master May 23, 2025
7 checks passed
@polarathene polarathene deleted the fix/dms-config-vol-access-by-nonroot branch May 23, 2025 04:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@casperklein casperklein casperklein approved these changes

@georglauterbach georglauterbach Awaiting requested review from georglauterbach

Assignees

@polarathene polarathene

Labels

area/scripts kind/bug/fix A fix (PR) for a confirmed bug service/security/rspamd

Projects

None yet

Milestone

v15.1.0

Development

Successfully merging this pull request may close these issues.

bug report: rspamd cant load DKIM key

2 participants

@polarathene @casperklein