[Amavisd-new-debian-devel] /var/lib/amavis and /var/lib/amavis/tmp permissions
Henrique de Moraes Holschuh
hmh at debian.org
Wed Nov 25 02:14:07 UTC 2009
On Tue, 24 Nov 2009, Alexander Wirt wrote:
> Let me see. 0750 /var/lib/amavis/tmp:0750 could get some problem with
> viruscanners which need access to that directory for scanning the mails and
> I'm not entirely sure if there a no scanners that need write access here.
> That would mean we need 0777 here.
We already document that any scanners _have_ to join group amavis, though,
For some weird reason, I thought we had some issue about these files being
amavis:mail...
IMO, any file scanner that needs write permission to what it is scanning is
such a piece of dangerous crap, that we should break it on principle.
I am more afraid of limiting access to db/ and to the quarantine dir causing
some regression. We might have to make the nanny and amavisd-release sgid
(or suid) amavis if it does, or use a separate group and sgid to that.
> /var/lib/amavis/db:0755 seems to wide for me. Nobody should need access to
> the SA dbs from outside. 0750 should work here.
Nanny needs db/... the question is how nanny should be run? If it is as
user amavis or root, we need not care and 0700 (or 0750) it is...
> I like Henriques suggestion of making virusmails 0750 but not with
> amavis:mail. If you have a webfrontend which need access to the queue you
> really don't want it in the group mail since this group also has access the
> the mailspool.
Agreed. And I don't know why amavis:mail got in my head, I see we use
amavis:amavis everywhere by default. Some of what I wrote was completely
bogus, because I thought we were creating files/directories as amavis:mail
(we aren't).
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
More information about the Amavisd-new-debian-devel
mailing list