[Amavisd-new-debian-devel] /var/lib/amavis and /var/lib/amavis/tmp permissions

Harald Jenny harald at a-little-linux-box.at
Tue Nov 24 10:08:43 UTC 2009


On Tue, Nov 24, 2009 at 10:43:03AM +0100, Alexander Wirt wrote:
> Henrique de Moraes Holschuh wrote on Monday, 23 November 2009:
> 
> Hi, 

Hello

> 
> > On Sun, 22 Nov 2009, Harald Jenny wrote:
> > > +	for i in /var/lib/amavis:0750 /var/lib/amavis/db:0755 /var/lib/amavis/tmp:0750 \
> > > +		 /var/lib/amavis/virusmails:0755 /var/run/amavis:0755
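
Review bot: in the path list, /var/lib/amavis/db:0755 and /var/lib/amavis/virusmails:0755 sit under /var/lib/amavis:0750, so their world r-x bits are masked by the parent and become effective as soon as the parent is loosened; set both to 0750 so the db and quarantine directories stay closed on their own. The entries carry only a path and a mode, so the owner and group each mode applies to should be stated beside the list or encoded in it.
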
> > 
> > 0750 in /var/lib/amavis means /var/lib/amavis/db needs to be 0750 for
> > completeness (since you'd need _very_ dirty tricks to get to db/ anyway).
> > 
> > If anything running with a different user wants to get to db/, it will have
> > to be made sgid amavis or we will need to do something different, e.g., use
> > a separate group just for sgid access to that directory, like postfix does
> > with its postdrop group.
> > 
> > Also, virusmails is the kind of dir that needs to be restricted.  That one is
> > probably best left at amavis:mail, but with mode 0750.
> > 
> > The patch will not fix existing installs, either.  It has to fix the system
> > user group, and the overrides that were not touched by the local admin if we
> > can do that without breaking current installs.  In either case, we need a
> > suitable entry on NEWS.Debian.
> > 
> > That said, we also need input from Alexander.  He has not told us what he
> > thinks of this whole deal yet.
> > 
> > Alexander?
> Ok, here I am :). 

:-)

> 
> Let me see. 0750 /var/lib/amavis/tmp:0750 could cause some problems with
> virus scanners which need access to that directory for scanning the mails, and
> I'm not entirely sure if there are no scanners that need write access here.
> That would mean we need 0777 here. 

Well, this will break amavisd-milter as it requires no other access to the tmp-dir - the solution proposed by the upstream maintainer is 0770 with scanners added to group amavis.

> 
> /var/lib/amavis/db:0755 seems too wide to me. Nobody should need access to
> the SA dbs from outside. 0750 should work here. 

Good

> 
> I like Henrique's suggestion of making virusmails 0750 but not with
> amavis:mail. If you have a webfrontend which needs access to the queue you
> really don't want it in the group mail since this group also has access to
> the mailspool. 

True, but I would say this is a decision for the admin not for the developer so amavis:amavis with README should be the best way.

> 
> I didn't take a look at the implementation yet, but I'll do that soon if I
> have time to implement the changes. 

If you are willing to accept a patch for this I could do this for you?

> 
> Alex

Regards
Harald
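
The mode choices argued over in this message, and Henrique's remark that db/ cannot be reached under a 0750 parent, can be checked mechanically. The script below is an added example, not part of the thread or of the Debian package; it takes path:mode pairs in the patch's format, and the BASE argument, the function names and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are given relative to a BASE
# directory so the audit can run on a constructed tree or on /var/lib/amavis.

# Permission bits of a path in octal (assumes GNU stat from coreutils).
mode_of() { stat -c '%a' "$1" 2>/dev/null; }

# Succeeds if "other" has the search (x) bit on the given path.
other_can_search() { [ $(( 0$(mode_of "$1") & 1 )) -ne 0 ]; }

# Succeeds if a user outside owner and group can reach DIR from BASE, i.e.
# DIR and every directory between it and BASE (inclusive) has o+x.
reachable_by_other() {
    r_base=$1; r_dir=$2
    while :; do
        other_can_search "$r_dir" || return 1
        [ "$r_dir" = "$r_base" ] && return 0
        [ "$r_dir" = / ] && return 1      # DIR was not below BASE
        r_dir=$(dirname "$r_dir")
    done
}

# audit BASE rel:mode...  prints one line per entry and returns the number
# of entries whose mode differs from the expected one.
audit() {
    a_base=$1; shift
    bad=0
    for i in "$@"; do
        path=$a_base/${i%:*}; want=${i##*:}
        have=$(mode_of "$path")
        state=ok
        [ $((0$have)) -eq $((0$want)) ] || { state=MISMATCH; bad=$((bad + 1)); }
        if reachable_by_other "$a_base" "$path"; then
            note='reachable by other'
        elif [ $((0$have & 7)) -ne 0 ]; then
            note='other bits set but masked by a parent'
        else
            note='closed to other'
        fi
        printf '%s have=%s want=%s %s: %s\n' "$state" "$have" "$want" "$path" "$note"
    done
    return "$bad"
}

# Usage: sh audit.sh BASE .:0750 db:0750 tmp:0770 virusmails:0750
if [ $# -gt 0 ]; then audit "$@"; fi
```

The modes in the usage line are the ones proposed in this thread, not a setting the package is known to ship.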
