[Amavisd-new-debian-devel] /var/lib/amavis and /var/lib/amavis/tmp permissions

Harald Jenny harald at a-little-linux-box.at
Thu Nov 26 20:12:32 UTC 2009


On Wed, Nov 25, 2009 at 12:14:07AM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 24 Nov 2009, Alexander Wirt wrote:
> > Let me see. 0750 /var/lib/amavis/tmp:0750 could cause some problems with
> > virus scanners which need access to that directory for scanning the mails, and
> > I'm not entirely sure if there are no scanners that need write access here.
> > That would mean we need 0777 here.
> 
> We already document that any scanners _have_ to join group amavis, though,

Sorry, but where is this? I did not find it :-(.

> For some weird reason, I thought we had some issue about these files being
> amavis:mail...

Well, it can happen...

> 
> IMO, any file scanner that needs write permission to what it is scanning is
> such a piece of dangerous crap, that we should break it on principle.

But it's the user's decision to use it, so make the dir 750 and place a note in README.Debian?

> 
> I am more afraid of limiting access to db/ and to the quarantine dir causing
> some regression.  We might have to make the nanny and amavisd-release sgid
> (or suid) amavis if it does, or use a separate group and sgid to that.

Would there be any problems doing this?

> 
> > /var/lib/amavis/db:0755 seems too wide to me. Nobody should need access to
> > the SA dbs from outside. 0750 should work here.
> 
> Nanny needs db/... the question is how nanny should be run?  If it is as
> user amavis or root, we need not care and 0700 (or 0750) it is...

Hmmm I don't know about possible implications...

> 
> > I like Henrique's suggestion of making virusmails 0750 but not with
> > amavis:mail. If you have a web frontend which needs access to the queue, you
> > really don't want it in the group mail, since this group also has access to
> > the mailspool.
> 
> Agreed.  And I don't know why amavis:mail got in my head, I see we use
> amavis:amavis everywhere by default.  Some of what I wrote was completely
> bogus, because I thought we were creating files/directories as amavis:mail
> (we aren't).

No problem.

> 
> -- 
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh
> 
> _______________________________________________
> Amavisd-new-debian-devel mailing list
> Amavisd-new-debian-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/amavisd-new-debian-devel
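As an added example, not part of this message or of the amavisd-new Debian packaging: a small POSIX sh audit that checks the directories discussed above (tmp, db, virusmails) for exactly the 0750 mode and amavis:amavis ownership the thread settles on, and separately flags anything that still has "other" bits set, since the whole point of the change is that nobody outside group amavis gets in. It assumes GNU coreutils stat(1) for its -c format. The tree it checks here is constructed under mktemp and owned by the current user rather than amavis, and the names check_dir, audit_amavis and make_demo_tree are mine, not anything from the package.

```sh
#!/bin/sh
# Added example, not from the thread: audit a /var/lib/amavis-style layout
# against the policy discussed (tmp, db, virusmails = 0750, amavis:amavis).
# Assumes GNU coreutils stat(1); stat prints a setgid directory as 2750.

# Print "MODE USER GROUP" for a directory.
dir_facts() {
    stat -c '%a %U %G' "$1"
}

# check_dir DIR MODE USER GROUP
# Returns 0 when DIR matches the expected mode and ownership exactly,
# 1 otherwise, printing one line per finding.
check_dir() {
    dir=$1; want_mode=$2; want_user=$3; want_group=$4
    if [ ! -d "$dir" ]; then
        echo "MISSING   $dir"
        return 1
    fi
    set -- $(dir_facts "$dir")
    mode=$1; user=$2; group=$3
    status=0
    # Any bit in the "other" digit lets users outside the group in.
    case "$mode" in
        *[1-7]) echo "WORLD-ACCESSIBLE $dir mode $mode"; status=1 ;;
    esac
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE      $dir is $mode, want $want_mode"; status=1
    fi
    if [ "$user:$group" != "$want_user:$want_group" ]; then
        echo "OWNER     $dir is $user:$group, want $want_user:$want_group"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK        $dir $mode $user:$group"
    return "$status"
}

# audit_amavis ROOT USER GROUP
# Checks the three directories from the thread under ROOT; the return value
# is the number of directories that failed (0 means the layout matches).
audit_amavis() {
    root=$1; u=$2; g=$3
    failures=0
    for sub in tmp db virusmails; do
        check_dir "$root/$sub" 750 "$u" "$g" || failures=$((failures + 1))
    done
    return "$failures"
}

# make_demo_tree: constructed stand-in for /var/lib/amavis, owned by the
# current user, with tmp deliberately 0777 and db left 0755 so the audit
# has something to report. Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/tmp" "$root/db" "$root/virusmails"
    chmod 0777 "$root/tmp"
    chmod 0755 "$root/db"
    chmod 0750 "$root/virusmails"
    echo "$root"
}

# Demo run against the constructed tree; expected: two directories flagged.
demo_root=$(make_demo_tree)
audit_amavis "$demo_root" "$(id -un)" "$(id -gn)" || echo "$? directories need fixing"
rm -rf "$demo_root"
```

Against a real install, run audit_amavis /var/lib/amavis amavis amavis as root; a non-zero return is the number of directories that still need chmod or chown. Because the mode comparison is exact, a directory that has been made setgid (stat shows it as 2750) is reported as a mismatch, so adjust the expected mode if you choose the sgid route mentioned above.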
