[PATCH] docs: Fix note about the required Postfix rights

Daniel Axtens dja at axtens.net
Wed Dec 4 17:22:32 AEDT 2019


Stephen Finucane <stephen at that.guru> writes:

> On Tue, 2019-10-29 at 08:08 +0000, Ali Alnubani wrote:
>> Hi Daniel,
>> 
>> > -----Original Message-----
>> > From: Daniel Axtens <dja at axtens.net>
>> > Sent: Tuesday, October 29, 2019 8:06 AM
>> > To: Ali Alnubani <alialnu at mellanox.com>; patchwork at lists.ozlabs.org
>> > Cc: Thomas Monjalon <thomas at monjalon.net>
>> > Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
>> > 
>> > Hi Ali,
>> > 
>> > > The permissions for the user running the postfix process are not the
>> > > ones used for external file or command delivery by default.
>> > > The ones defined by default_privs are (in case the aliases(5) file
>> > > that is owned by root was being used). A privileged user or the
>> > > postfix owner should not be used in this case.
>> > > 
>> > > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
>> > > 
>> > > Signed-off-by: Ali Alnubani <alialnu at mellanox.com>
>> > > ---
>> > >  docs/deployment/installation.rst | 10 +++++-----
>> > >  1 file changed, 5 insertions(+), 5 deletions(-)
>> > > 
>> > > diff --git a/docs/deployment/installation.rst
>> > > b/docs/deployment/installation.rst
>> > > index c086d9a..cd5e102 100644
>> > > --- a/docs/deployment/installation.rst
>> > > +++ b/docs/deployment/installation.rst
>> > > @@ -617,11 +617,11 @@ they can be loaded as seen below:
>> > > 
>> > >  .. note::
>> > > 
>> > > -   This assumes your Postfix process is running as the ``nobody`` user.  If
>> > > -   this is not correct (use of ``postfix`` user is also common), you should
>> > > -   change both the username in the ``createuser`` command above and
>> > substitute
>> > > -   the username in the ``grant-all-postgres.sql`` script with the appropriate
>> > > -   alternative.
>> > > +   This assumes that you are using the aliases(5) file that is owned by root,
>> > > +   and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
>> > > +   this is not the case, you should change both the username in the
>> > ``createuser``
>> > > +   command above and substitute the username in the ``grant-all-
>> > postgres.sql``
>> > > +   script with the appropriate alternative.
>> > > 
>> > 
>> > I think this is now the third time I've tried to review this, and I think it's finally
>> > starting to make sense.
>> > 
>> > Is there any way local(8) could be invoked with a user other than the one
>> > specified in default_privs?
>> 
>> Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward)
>> http://www.postfix.org/local.8.html
>> http://www.postfix.org/postconf.5.html#forward_path 
>> 
>> > btw, it should be grant-all.postgres.sql (a . not a - between all and
>> > postgres) but if this doesn't need a respin I can fix that when I apply it.
>
> ngl, this doesn't make a whole lot of sense to me, but I trust that
> you've done your homework on this and that it's based on hard earned
> experience :)

Yeah, I was contemplating a slightly wider-ranging rewrite but could
never quite put pen to paper on how to do it. I agree that just apply it
is the way to go.

>
> Reviewed-by: Stephen Finucane <stephen at that.guru>
>
> and applied (with the change noted by Daniel).
>
>> Thanks.
>> 
>> Regards,
>> Ali


More information about the Patchwork mailing list