[PATCH] docs: Fix note about the required Postfix rights

Ali Alnubani alialnu at mellanox.com
Tue Oct 29 19:08:31 AEDT 2019


Hi Daniel,

> -----Original Message-----
> From: Daniel Axtens <dja at axtens.net>
> Sent: Tuesday, October 29, 2019 8:06 AM
> To: Ali Alnubani <alialnu at mellanox.com>; patchwork at lists.ozlabs.org
> Cc: Thomas Monjalon <thomas at monjalon.net>
> Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
> 
> Hi Ali,
> 
> > The permissions for the user running the postfix process are not the
> > ones used for external file or command delivery by default.
> > The ones defined by default_privs are (in case the aliases(5) file
> > that is owned by root was being used). A privileged user or the
> > postfix owner should not be used in this case.
> >
> > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
> >
> > Signed-off-by: Ali Alnubani <alialnu at mellanox.com>
> > ---
> >  docs/deployment/installation.rst | 10 +++++-----
> >  1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/deployment/installation.rst
> > b/docs/deployment/installation.rst
> > index c086d9a..cd5e102 100644
> > --- a/docs/deployment/installation.rst
> > +++ b/docs/deployment/installation.rst
> > @@ -617,11 +617,11 @@ they can be loaded as seen below:
> >
> >  .. note::
> >
> > -   This assumes your Postfix process is running as the ``nobody`` user.  If
> > -   this is not correct (use of ``postfix`` user is also common), you should
> > -   change both the username in the ``createuser`` command above and
> substitute
> > -   the username in the ``grant-all-postgres.sql`` script with the appropriate
> > -   alternative.
> > +   This assumes that you are using the aliases(5) file that is owned by root,
> > +   and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
> > +   this is not the case, you should change both the username in the
> ``createuser``
> > +   command above and substitute the username in the ``grant-all-
> postgres.sql``
> > +   script with the appropriate alternative.
> >
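Review bot: The added note text covers only the root-owned aliases(5) case ("``default_privs`` configuration is set as ``nobody``"). Per the reply further down, an alias file owned by another user and listed in alias_maps, or a ``.forward`` file, makes local(8) deliver under a different account, so consider saying that the ``createuser`` name must match whichever account actually runs the delivery command. In the same added lines, "set as" reads better as "set to", and the script name is written ``grant-all-postgres.sql`` where the review comment below says it should be ``grant-all.postgres.sql``.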
> 
> I think this is now the third time I've tried to review this, and I think it's finally
> starting to make sense.
> 
> Is there any way local(8) could be invoked with a user other than the one
> specified in default_privs?

Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward).
http://www.postfix.org/local.8.html
http://www.postfix.org/postconf.5.html#forward_path 

> 
> btw, it should be grant-all.postgres.sql (a . not a - between all and
> postgres) but if this doesn't need a respin I can fix that when I apply it.
Thanks.

Regards,
Ali
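
The rule discussed in this thread, as an added example that is not part of the original messages or of the Patchwork documentation: for each file-backed entry in alias_maps, a root-owned alias file means command deliveries run as default_privs, and any other owner means they run as that owner. The function names and the DB_USER variable are hypothetical, and .forward deliveries (which run as the recipient) are not covered.

```sh
#!/bin/sh
# Added example: report which account local(8) uses for command deliveries
# from each alias file, and whether it matches the database user.

# Split an alias_maps value into file paths, one per line.
# Tables that are not files (e.g. nis:mail.aliases) are skipped.
alias_files() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | sed -n 's|^[a-z0-9_]*:\(/.*\)$|\1|p'
}

# Owner name of a file (third field of POSIX `ls -ld`).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# delivery_user FILE DEFAULT_PRIVS
# root-owned alias file -> default_privs; otherwise the file's owner.
delivery_user() {
    [ -e "$1" ] || return 1
    owner=$(file_owner "$1")
    if [ "$owner" = "root" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$owner"
    fi
}

# report ALIAS_MAPS DEFAULT_PRIVS DB_USER
report() {
    alias_files "$1" | while IFS= read -r f; do
        u=$(delivery_user "$f" "$2") || { echo "MISSING $f"; continue; }
        if [ "$u" = "$3" ]; then
            echo "OK $f runs as $u"
        else
            echo "MISMATCH $f runs as $u, database user is $3"
        fi
    done
}

# On a Postfix host, check the live configuration (postconf -h prints values).
if command -v postconf >/dev/null 2>&1; then
    report "$(postconf -h alias_maps)" "$(postconf -h default_privs)" \
        "${DB_USER:-nobody}"
fi
```

A MISMATCH line means the username passed to ``createuser`` and used in the grant script should be the account shown, not the database user being checked.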

