[PATCH] docs: Fix note about the required Postfix rights
alialnu at mellanox.com
Tue Oct 29 19:08:31 AEDT 2019
> -----Original Message-----
> From: Daniel Axtens <dja at axtens.net>
> Sent: Tuesday, October 29, 2019 8:06 AM
> To: Ali Alnubani <alialnu at mellanox.com>; patchwork at lists.ozlabs.org
> Cc: Thomas Monjalon <thomas at monjalon.net>
> Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
> Hi Ali,
> > The permissions for the user running the postfix process are not the
> > ones used for external file or command delivery by default.
> > The ones defined by default_privs are (in case the aliases(5) file
> > that is owned by root was being used). A privileged user or the
> > postfix owner should not be used in this case.
> > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
> > Signed-off-by: Ali Alnubani <alialnu at mellanox.com>
> > ---
> > docs/deployment/installation.rst | 10 +++++-----
> > 1 file changed, 5 insertions(+), 5 deletions(-)
> > diff --git a/docs/deployment/installation.rst
> > b/docs/deployment/installation.rst
> > index c086d9a..cd5e102 100644
> > --- a/docs/deployment/installation.rst
> > +++ b/docs/deployment/installation.rst
> > @@ -617,11 +617,11 @@ they can be loaded as seen below:
> > .. note::
> > - This assumes your Postfix process is running as the ``nobody`` user. If
> > - this is not correct (use of ``postfix`` user is also common), you should
> > - change both the username in the ``createuser`` command above and
> > - the username in the ``grant-all-postgres.sql`` script with the appropriate
> > - alternative.
> > + This assumes that you are using the aliases(5) file that is owned by root,
> > + and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
> > + this is not the case, you should change both the username in the
> > + command above and substitute the username in the ``grant-all-
> > + script with the appropriate alternative.
> I think this is now the third time I've tried to review this, and I think it's finally
> starting to make sense.
> Is there any way local(8) could be invoked with a user other than the one
> specified in default_privs?
Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward)
> btw, it should be grant-all.postgres.sql (a . not a - between all and
> postgres) but if this doesn't need a respin I can fix that when I apply it.
More information about the Patchwork