Ownership/Permissions of /var/spool/postfix
Rich Shepard
2015-08-06 18:02:46 UTC
During the most recent upgrade I inadvertently altered owner, group,
and/or permissions in /var/spool/postfix. I've looked for information in all
the README files that seemed applicable but have not found a list of how
/var/spool/postfix subdirectories should be set. Please point me to a doc
that has this information.

While 'postfix check' shows no errors, when I run mailx from the command
line I get warnings about an inability to write to
/var/spool/postfix/maildrop. That subdirectory is configured as:

drwxr-sr-x 2 postfix postdrop 12288 Aug 6 09:55 maildrop/

and so is public/

drwx--s--- 2 postfix postdrop 4096 Aug 6 10:22 public/

I want a list of owners, groups, and permissions I can keep here so I can
repair inadvertent changes during future upgrades.

Rich
Michael J Wise
2015-08-06 18:24:38 UTC
Post by Rich Shepard
During the most recent upgrade I inadvertently altered owner, group,
and/or permissions in /var/spool/postfix. I've looked for information in all
the README files that seemed applicable but have not found a list of how
/var/spool/postfix subdirectories should be set. Please point me to a doc
that has this information.
While 'postfix check' shows no errors, when I run mailx from the command
line I get warnings about an inability to write to
drwxr-sr-x 2 postfix postdrop 12288 Aug 6 09:55 maildrop/
Needs Group Write.
See that little "s"?
That's special.

Postfix uses a very interesting trick of having the executables set the
GroupID when being run as the user, and this allows them to get into
directories when the user they are running as normally cannot.

sudo chmod g+w ./maildrop

... if memory serves.
Post by Rich Shepard
and so is public/
drwx--s--- 2 postfix postdrop 4096 Aug 6 10:22 public/
I want a list of owners, groups, and permissions I can keep here so I can
repair inadvertent changes during future upgrades.
Rich
Aloha mai Nai`a.
--
" So this is how Liberty dies ... http://kapu.net/~mjwise/
" To Thunderous Applause.
Rich Shepard
2015-08-06 18:28:41 UTC
Post by Michael J Wise
Needs Group Write.
Michael,

Ah, I should have seen that.
Post by Michael J Wise
See that little "s"?
That's special.
Yep. I learned that maildrop and public need to be set gid.

It would still be useful to have a complete list of owners, groups, and
perms for the directory.

Thanks,

Rich
Michael J Wise
2015-08-06 18:53:07 UTC
Post by Rich Shepard
Post by Michael J Wise
Needs Group Write.
Michael,
Ah, I should have seen that.
Post by Michael J Wise
See that little "s"?
That's special.
Yep. I learned that maildrop and public need to be set gid.
It would still be useful to have a complete list of owners, groups, and
perms for the directory.
This is from a MacOS 10.9 instance, so it's not quite current, and the
user is ... a bit weird, but it should help as a data point. Good luck!

$ ls -la
total 0
drwxr-xr-x 16 root wheel 544 Aug 24 2013 .
drwxr-xr-x 8 root wheel 272 Aug 30 2014 ..
drwx------ 2 _postfix wheel 68 Aug 24 2013 active
drwx------ 2 _postfix wheel 68 Aug 24 2013 bounce
drwx------ 2 _postfix wheel 68 Aug 24 2013 corrupt
drwx------ 2 _postfix wheel 68 Aug 24 2013 defer
drwx------ 2 _postfix wheel 68 Aug 24 2013 deferred
drwx------ 2 _postfix wheel 68 Aug 24 2013 flush
drwx------ 2 _postfix wheel 68 Aug 24 2013 hold
drwx------ 2 _postfix wheel 68 Aug 24 2013 incoming
drwx-wx--- 2 _postfix _postdrop 68 Aug 24 2013 maildrop
drwxr-xr-x 3 root wheel 102 Nov 6 2013 pid
drwx------ 26 _postfix wheel 884 Nov 6 2013 private
drwx--x--- 7 _postfix _postdrop 238 Nov 6 2013 public
drwx------ 2 _postfix wheel 68 Aug 24 2013 saved
drwx------ 2 _postfix wheel 68 Aug 24 2013 trace
Post by Rich Shepard
Thanks,
Rich
Aloha mai Nai`a.
--
" So this is how Liberty dies ... http://kapu.net/~mjwise/
" To Thunderous Applause.
Rich Shepard
2015-08-06 18:55:25 UTC
Post by Michael J Wise
This is from a MacOS 10.9 instance, so it's not quite current, and the
user is ... a bit weird, but it should help as a data point. Good luck!
Thanks, Michael.

Rich
Viktor Dukhovni
2015-08-06 18:58:49 UTC
Post by Rich Shepard
I want a list of owners, groups, and permissions I can keep here so I can
repair inadvertent changes during future upgrades.
# postfix set-permissions

Except on Debian systems where it might not work, because the Debian
"postfix-files" file (in $daemon_directory for recent enough
releases) often has more files listed than are actually deployed by
Postfix packages.

In any case all the required permissions are listed in "postfix-files".
--
Viktor.
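
Added example, not part of Viktor's post or of Postfix itself: a read-only audit that compares a spool tree against entries in the postfix-files layout (name:type:owner:group:permission[:flags]) and reports differences without changing anything. The sample entries are constructed, and the parameter values (/var/spool/postfix, postfix, postdrop) are assumptions taken from the listing in the first post.

```python
import grp, os, pwd, stat
from string import Template

# Constructed sample in the postfix-files layout:
#   name:type:owner:group:permission[:flags]
# The modes agree with the directory listing quoted in this thread.
SAMPLE = """\
$queue_directory:d:root:-:755:uc
$queue_directory/maildrop:d:$mail_owner:$setgid_group:730:uc
$queue_directory/public:d:$mail_owner:$setgid_group:710:uc
$queue_directory/private:d:$mail_owner:-:700:uc
"""

def parse(text, params):
    """Return [(path, owner, group, mode)] for directory and file entries."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if (line.lstrip().startswith("#") or len(fields) < 5
                or fields[1] not in ("d", "f")):
            continue  # comments, blank lines, link entries (no mode field)
        name, _, owner, group = (Template(f).safe_substitute(params)
                                 for f in fields[:4])
        entries.append((name, owner, group, int(fields[4], 8)))
    return entries

def name_of(lookup, ident):
    try:
        return lookup(ident)[0]      # pw_name or gr_name
    except KeyError:
        return str(ident)            # id without a passwd/group entry

def audit(entries):
    """Report (path, field, expected, actual) for every mismatch found."""
    findings = []
    for path, owner, group, mode in entries:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # listed but not deployed (the Debian caveat above)
        actual = {"owner": name_of(pwd.getpwuid, st.st_uid),
                  "group": name_of(grp.getgrgid, st.st_gid),
                  "mode": oct(stat.S_IMODE(st.st_mode))}
        for field, want in (("owner", owner), ("group", group), ("mode", oct(mode))):
            if want not in ("-", actual[field]):   # "-" means not enforced
                findings.append((path, field, want, actual[field]))
    return findings

if __name__ == "__main__":
    params = {"queue_directory": "/var/spool/postfix",   # assumed values
              "mail_owner": "postfix", "setgid_group": "postdrop"}
    for finding in audit(parse(SAMPLE, params)):
        print("%s: %s expected %s, found %s" % finding)
```

To audit a live host, pass `parse` the contents of the installed postfix-files and the values `postconf` reports for the three parameters.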
Rich Shepard
2015-08-06 19:12:46 UTC
Post by Viktor Dukhovni
# postfix set-permissions
Except on Debian systems where it might not work, because the Debian
"postfix-files" file (in $daemon_directory for recent enough
releases) often has more files listed than are actually deployed by
Postfix packages.
Viktor,

I run Slackware.
Post by Viktor Dukhovni
In any case all the required permissions are listed in "postfix-files".
Thanks for both pointers. That's what I wanted to learn.

Regards,

Rich
Wietse Venema
2015-08-06 19:12:59 UTC
Post by Rich Shepard
During the most recent upgrade I inadvertently altered owner, group,
and/or permissions in /var/spool/postfix. I've looked for information in all
the README files that seemed applicable but have not found a list of how
/var/spool/postfix subdirectories should be set. Please point me to a doc
that has this information.
While 'postfix check' shows no errors, when I run mailx from the command
line I get warnings about an inability to write to
drwxr-sr-x 2 postfix postdrop 12288 Aug 6 09:55 maildrop/
DO NOT DO THAT. The directory MUST be writable only by root.

Wietse
Wietse Venema
2015-08-06 19:14:57 UTC
Post by Wietse Venema
Post by Rich Shepard
During the most recent upgrade I inadvertently altered owner, group,
and/or permissions in /var/spool/postfix. I've looked for information in all
the README files that seemed applicable but have not found a list of how
/var/spool/postfix subdirectories should be set. Please point me to a doc
that has this information.
While 'postfix check' shows no errors, when I run mailx from the command
line I get warnings about an inability to write to
drwxr-sr-x 2 postfix postdrop 12288 Aug 6 09:55 maildrop/
DO NOT DO THAT. The directory MUST be writable only by root.
Ignore my response. I thought this was the queue dir.

Wietse
