[Amavisd-new-debian-devel] /var/lib/amavis and /var/lib/amavis/tmp permissions
Henrique de Moraes Holschuh
hmh at debian.org
Tue Nov 24 00:50:27 UTC 2009
On Sun, 22 Nov 2009, Harald Jenny wrote:
> + for i in /var/lib/amavis:0750 /var/lib/amavis/db:0755 /var/lib/amavis/tmp:0750 \
> + /var/lib/amavis/virusmails:0755 /var/run/amavis:0755
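Review bot: /var/lib/amavis/db:0755 and /var/lib/amavis/virusmails:0755 on these two lines sit under /var/lib/amavis:0750, so their world-read and world-search bits cannot be reached by normal path traversal and the list reads as more open than the tree really is. Set both to 0750 so the intent is explicit and nothing is exposed if the parent mode is later loosened. A short comment above the loop saying which entries are meant to stay world-accessible (only /var/run/amavis:0755 is outside the 0750 parent) would also help the next reader.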
0750 in /var/lib/amavis means /var/lib/amavis/db needs to be 0750 for
completeness (since you'd need _very_ dirty tricks to get to db/ anyway).
If anything running with a different user wants to get to db/, it will have
to be made sgid amavis or we will need to do something different, e.g., use
a separate group just for sgid access to that directory, like postfix does
with its postdrop group.
Also, virusmails is the kind of dir that needs to be restricted. That one is
probably best left at amavis:mail, but with mode 0750.
The patch will not fix existing installs, either. It has to fix the system
user group, and the overrides that were not touched by the local admin if we
can do that without breaking current installs. In either case, we need a
suitable entry on NEWS.Debian.
That said, we also need input from Alexander. He has not told us what he
thinks of this whole deal yet.
Alexander?
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
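An added example, not part of the original message or of the Debian package: a shell check for the inconsistency discussed above, where a subdirectory carries "other" permission bits that its 0750 parent already makes unreachable. The function names, the finding labels and the sample tree are constructed for illustration; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the amavisd-new package. Assumes GNU stat (stat -c %a).
# audit_modes ROOT path:mode ...
# Prints findings and returns 1 if there are any:
#   MISSING   directory does not exist under ROOT
#   MISMATCH  on-disk mode differs from the expected mode
#   MOOT      directory grants "other" bits, but its parent denies "other"
#             traversal, so those bits are unreachable and misleading
audit_modes() {
    root=$1; shift
    rc=0
    for spec in "$@"; do
        path=${spec%:*}; want=${spec##*:}
        dir=$root$path
        if [ ! -d "$dir" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(stat -c %a "$dir")
        parent=$(stat -c %a "$(dirname "$dir")")
        # A leading 0 makes the shell read the digits as octal.
        if [ $((0$have)) -ne $((0$want)) ]; then
            echo "MISMATCH $path have=$have want=$want"; rc=1
        fi
        if [ $((0$have & 07)) -ne 0 ] && [ $((0$parent & 01)) -eq 0 ]; then
            echo "MOOT $path mode=$have parent=$parent"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: builds a throwaway tree with the given path:mode pairs
# and prints its root. Call it as root=$(make_sample_tree ...) so the umask
# change stays inside the subshell.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    for spec in "$@"; do
        mkdir -p "$root${spec%:*}"
    done
    for spec in "$@"; do
        chmod "${spec##*:}" "$root${spec%:*}"
    done
    echo "$root"
}
```

Run against a live system with an empty ROOT, for example `audit_modes "" /var/lib/amavis:0750 /var/lib/amavis/db:0750`.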