[PATCH] docs: Fix note about the required Postfix rights
Ali Alnubani
alialnu at mellanox.com
Tue Oct 29 19:08:31 AEDT 2019
Hi Daniel,
> -----Original Message-----
> From: Daniel Axtens <dja at axtens.net>
> Sent: Tuesday, October 29, 2019 8:06 AM
> To: Ali Alnubani <alialnu at mellanox.com>; patchwork at lists.ozlabs.org
> Cc: Thomas Monjalon <thomas at monjalon.net>
> Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
>
> Hi Ali,
>
> > The permissions for the user running the postfix process are not the
> > ones used for external file or command delivery by default.
> > The ones defined by default_privs are (in case the aliases(5) file
> > that is owned by root was being used). A privileged user or the
> > postfix owner should not be used in this case.
> >
> > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
> >
> > Signed-off-by: Ali Alnubani <alialnu at mellanox.com>
> > ---
> > docs/deployment/installation.rst | 10 +++++-----
> > 1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/deployment/installation.rst
> > b/docs/deployment/installation.rst
> > index c086d9a..cd5e102 100644
> > --- a/docs/deployment/installation.rst
> > +++ b/docs/deployment/installation.rst
> > @@ -617,11 +617,11 @@ they can be loaded as seen below:
> >
> > .. note::
> >
> > - This assumes your Postfix process is running as the ``nobody`` user. If
> > - this is not correct (use of ``postfix`` user is also common), you should
> > - change both the username in the ``createuser`` command above and
> substitute
> > - the username in the ``grant-all-postgres.sql`` script with the appropriate
> > - alternative.
> > + This assumes that you are using the aliases(5) file that is owned by root,
> > + and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
> > + this is not the case, you should change both the username in the
> ``createuser``
> > + command above and substitute the username in the ``grant-all-
> postgres.sql``
> > + script with the appropriate alternative.
> >
>
> I think this is now the third time I've tried to review this, and I think it's finally
> starting to make sense.
>
> Is there any way local(8) could be invoked with a user other than the one
> specified in default_privs?
Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward)
http://www.postfix.org/local.8.html
http://www.postfix.org/postconf.5.html#forward_path
>
> btw, it should be grant-all.postgres.sql (a . not a - between all and
> postgres) but if this doesn't need a respin I can fix that when I apply it.
Thanks.
Regards,
Ali
More information about the Patchwork
mailing list