[Amavisd-new-debian-devel] /var/lib/amavis and /var/lib/amavis/tmp permissions
Alexander Wirt
formorer at formorer.de
Tue Nov 24 09:43:03 UTC 2009
Henrique de Moraes Holschuh wrote on Monday, 23 November 2009:
Hi,
> On Sun, 22 Nov 2009, Harald Jenny wrote:
> > + for i in /var/lib/amavis:0750 /var/lib/amavis/db:0755 /var/lib/amavis/tmp:0750 \
> > + /var/lib/amavis/virusmails:0755 /var/run/amavis:0755
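Review bot: the modes in this list contradict each other: /var/lib/amavis is 0750 while its children /var/lib/amavis/db and /var/lib/amavis/virusmails are 0755. The 0755 on the two subdirectories grants nothing real (the parent already denies traversal to "other") but does document a laxer intent than the tree actually has, and virusmails holds quarantined, possibly malicious mail, so both entries are better as `/var/lib/amavis/db:0750` and `/var/lib/amavis/virusmails:0750`. The path:mode pairs also carry no owner or group, so whatever loop consumes this list should check or set the expected owner:group of each directory alongside the mode, otherwise a directory with the right mode but the wrong group still leaks.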
>
> 0750 in /var/lib/amavis means /var/lib/amavis/db needs to be 0750 for
> completeness (since you'd need _very_ dirty tricks to get to db/ anyway).
>
> If anything running with a different user wants to get to db/, it will have
> to be made sgid amavis or we will need to do something different, e.g., use
> a separate group just for sgid access to that directory, like postfix does
> with its postdrop group.
>
> Also, virusmails is the kind of dir that needs to be restricted. That one is
> probably best left at amavis:mail, but with mode 0750.
>
> The patch will not fix existing installs, either. It has to fix the system
> user group, and the overrides that were not touched by the local admin if we
> can do that without breaking current installs. In either case, we need a
> suitable entry on NEWS.Debian.
>
> That said, we also need input from Alexander. He has not told us what he
> thinks of this whole deal yet.
>
> Alexander?
Ok, here I am :).
Let me see. /var/lib/amavis/tmp:0750 could cause some problems with
virus scanners which need access to that directory for scanning the mails, and
I'm not entirely sure that there are no scanners that need write access here.
That would mean we need 0777 here.
/var/lib/amavis/db:0755 seems too wide to me. Nobody should need access to
the SA dbs from outside. 0750 should work here.
I like Henrique's suggestion of making virusmails 0750, but not with
amavis:mail. If you have a web frontend which needs access to the queue, you
really don't want it in the group mail, since this group also has access to
the mailspool.
I haven't taken a look at the implementation yet, but I'll do that soon if I
have time to implement the changes.
Alex
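Added example, not part of this thread or of the amavisd-new packaging: a small POSIX shell audit that consumes `path:mode` entries of the kind shown in the quoted patch, reports every directory whose actual mode is wider than the intended one, can apply the intended modes, and checks whether a given user (say, a web-frontend account) has been put into a group such as `mail`. The policy list below is an assumption that follows the tightened values discussed in the thread (0750 on everything under /var/lib/amavis, 0755 on the pid directory); it is not the package's own table. The tree it runs against is constructed under a temporary directory so nothing touches a live system.

```shell
#!/bin/sh
# Added example (not amavisd-new packaging code). Audits "path:mode" entries
# against a root prefix so it can run on a constructed tree instead of "/".

# Assumed policy: the tightened modes discussed in the thread, not the package's.
# 0750 on tmp assumes the virus scanner runs as amavis or in group amavis.
AMAVIS_DIRS="/var/lib/amavis:0750 /var/lib/amavis/db:0750 /var/lib/amavis/tmp:0750 \
/var/lib/amavis/virusmails:0750 /var/run/amavis:0755"

# audit_modes ROOT "path:mode ..."
# Prints "<path>: want <mode> have <mode>" for each directory whose mode grants
# at least one permission bit the policy does not, and "<path>: missing" for
# absent directories. Returns 1 if anything was reported, 0 otherwise.
audit_modes() {
    a_root=$1
    a_rc=0
    for a_entry in $2; do
        a_path=${a_entry%%:*}
        a_want=${a_entry##*:}
        a_full="$a_root$a_path"
        if [ ! -d "$a_full" ]; then
            echo "$a_path: missing"
            a_rc=1
            continue
        fi
        a_have=$(stat -c '%a' "$a_full")      # GNU/busybox stat: octal mode, no leading 0
        a_have_dec=$(printf '%d' "0$a_have")   # leading 0 makes printf parse as octal
        a_want_dec=$(printf '%d' "0$a_want")
        # Wider means OR-ing the actual mode into the policy adds a bit.
        if [ $(( (a_have_dec | a_want_dec) != a_want_dec )) -eq 1 ]; then
            printf '%s: want %04o have %04o\n' "$a_path" "$a_want_dec" "$a_have_dec"
            a_rc=1
        fi
    done
    return $a_rc
}

# fix_modes ROOT "path:mode ..."  -- apply the policy mode to each existing directory.
fix_modes() {
    for f_entry in $2; do
        f_full="$1${f_entry%%:*}"
        if [ -d "$f_full" ]; then
            chmod "${f_entry##*:}" "$f_full"
        fi
    done
    return 0
}

# user_in_group USER GROUP GROUP_FILE
# Exit 0 if USER is listed as a supplementary member of GROUP in a file in
# /etc/group format. Primary group membership (via /etc/passwd) is not covered.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# make_demo_tree -- constructed tree with the "before" modes from the quoted patch
# (plus a world-writable tmp), printed as a root prefix for the functions above.
make_demo_tree() {
    d_root=$(mktemp -d)
    for d in /var/lib/amavis /var/lib/amavis/db /var/lib/amavis/tmp \
             /var/lib/amavis/virusmails /var/run/amavis; do
        mkdir -p "$d_root$d"
    done
    chmod 0750 "$d_root/var/lib/amavis"
    chmod 0755 "$d_root/var/lib/amavis/db"
    chmod 0777 "$d_root/var/lib/amavis/tmp"
    chmod 0755 "$d_root/var/lib/amavis/virusmails"
    chmod 0755 "$d_root/var/run/amavis"
    echo "$d_root"
}

# Demo run against the constructed tree, never against a live /var/lib/amavis.
demo_root=$(make_demo_tree)
audit_modes "$demo_root" "$AMAVIS_DIRS" || fix_modes "$demo_root" "$AMAVIS_DIRS"
audit_modes "$demo_root" "$AMAVIS_DIRS" && echo "all modes within policy"
rm -rf "$demo_root"
```

Pointing `audit_modes` at `/` (with the real group file for `user_in_group`) turns it into a post-install check; the "wider than policy" test is deliberately one-directional, since a directory that is tighter than the table is a functionality question, while one that is wider is the exposure the thread is about.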