[Amavisd-new-debian-devel] /var/lib/amavis and /var/lib/amavis/tmp permissions
Harald Jenny
harald at a-little-linux-box.at
Tue Nov 24 10:03:08 UTC 2009
On Mon, Nov 23, 2009 at 10:50:27PM -0200, Henrique de Moraes Holschuh wrote:
> On Sun, 22 Nov 2009, Harald Jenny wrote:
> > + for i in /var/lib/amavis:0750 /var/lib/amavis/db:0755 /var/lib/amavis/tmp:0750 \
> > + /var/lib/amavis/virusmails:0755 /var/run/amavis:0755
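Review bot: in the path:mode list, /var/lib/amavis/db:0755 and /var/lib/amavis/virusmails:0755 keep world read and traverse bits beneath a parent set to 0750, so those two directories are only protected by the parent's mode. If /var/lib/amavis is ever relaxed or overridden locally, the database and the quarantined mail become readable by every local user. Suggest 0750 for both so each directory is restrictive on its own. The visible lines also carry only a mode per path, so it is worth stating in the patch which owner and group each 0750 directory is expected to have.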
>
> 0750 in /var/lib/amavis means /var/lib/amavis/db needs to be 0750 for
> completeness (since you'd need _very_ dirty tricks to get to db/ anyway).
Well that change should be fairly easy...
>
> If anything running with a different user wants to get to db/, it will have
> to be made sgid amavis or we will need to do something different, e.g., use
> a separate group just for sgid access to that directory, like postfix does
> with its postdrop group.
Ok but this could be documented for the user.
>
> Also, virusmails is the kind of dir that needs to be restricted. That one is
> probably best left at amavis:mail, but with mode 0750.
Shouldn't that depend on the user's decision?
>
> The patch will not fix existing installs, either. It has to fix the system
> user group, and the overrides that were not touched by the local admin if we
> can do that without breaking current installs.
I agree - could be done by checking current overrides and deleting them if they are the ones originally installed prior to setting new perms, with issuing a warning if perms were changed by the admin.
> In either case, we need a
> suitable entry on NEWS.Debian.
True
>
> That said, we also need input from Alexander. He has not told us what he
> thinks of this whole deal yet.
Good point
>
> Alexander?
>
> --
> "One disk to rule them all, One disk to find them. One disk to bring
> them all and in the darkness grind them. In the Land of Redmond
> where the shadows lie." -- The Silicon Valley Tarot
> Henrique Holschuh
>
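The override check discussed in this message (replace an override only if it is still the one the package originally installed, otherwise warn), sketched as an added example that is not part of the thread or of the Debian package. It assumes "overrides" means dpkg-statoverride entries in the `user group mode path` form printed by `dpkg-statoverride --list`; the old defaults and the current state below are constructed sample values, since the thread does not give the real ones.

```shell
#!/bin/sh
# ASSUMPTION: constructed stand-in for the overrides an earlier package
# version registered; the real previous values are not stated in the thread.
OLD_DEFAULTS='amavis amavis 0755 /var/lib/amavis
amavis amavis 0755 /var/lib/amavis/tmp'

# Constructed sample of the current state. In a maintainer script this
# would come from: dpkg-statoverride --list
SAMPLE_CURRENT='amavis amavis 755 /var/lib/amavis
amavis www-data 0770 /var/lib/amavis/tmp'

# entry_for PATH LIST
# Prints "user group mode" for PATH, with leading zeros stripped from the
# mode so that 0755 and 755 compare equal. Prints nothing if PATH is absent.
entry_for() {
    printf '%s\n' "$2" |
        awk -v p="$1" '$4 == p { sub(/^0+/, "", $3); print $1, $2, $3; exit }'
}

# classify_override PATH CURRENT_LIST
# Prints one of:
#   replace        override is still the originally installed one
#   keep-and-warn  override exists but differs, so the admin changed it
#   absent         no override registered for PATH
classify_override() {
    current=$(entry_for "$1" "$2")
    if [ -z "$current" ]; then
        echo absent
        return
    fi
    shipped=$(entry_for "$1" "$OLD_DEFAULTS")
    if [ "$current" = "$shipped" ]; then
        echo replace
    else
        echo keep-and-warn
    fi
}

for p in /var/lib/amavis /var/lib/amavis/tmp /var/lib/amavis/db; do
    echo "$p: $(classify_override "$p" "$SAMPLE_CURRENT")"
done
```

Only paths classified as `replace` would have their override removed and re-registered with the new mode; `keep-and-warn` paths are left alone and reported to the admin.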