Re: Two minor suggestions for SMTPD_POLICY_README

From: Ronald F. Guilmette (rfgmonkeys.com)
Date: Sun Jun 10 2007 - 17:37:45 CDT


In message <20070610221437.0F79B1F3E95spike.porcupine.org>,
Wietse wrote:

>> >> After a bit of digging I learned that what was really needed was
>> >>
>> >> /etc/postfix/master.cf:
>> >> policy unix - n n - - spawn
>> >>   user=nobody:postdrop argv=/usr/local/rfg/bin/smtpd-policy
>> >>
>> >> i.e. specifying the user _and_ group (where group==postdrop) in order to
>> >> persuade spawn(8) to execute my policy server _and_ to allow it to have
>> >> access to the private UNIX domain socket that spawn created in order to
>> >> pass data to the policy server.
>> >
>> >This is wrong. Spawn(8) ALWAYS has access to Postfix sockets.
>>
>> OK. I must ask then: What caused the logfile error message that I posted
>> (and which is included again above)? If spawn was having no problem with
>
>Jun 10 11:38:11 segfault postfix/spawn[50459]: fatal: request to use mail system owner group id 610
>
>You were attempting to leak Postfix's GID to an external command.
>Postfix will not allow that.

I'm sorry. I did not make myself clear.

On my system, GID # 610 is _not_ Postfix's group ID... it is rather my
own personal group ID. (Postfix has its own separate, distinct and different
group ID, i.e.:

        postdrop:*:1004:postfix

(I feel reasonably sure that every tool that is a part of Postfix is either
using that group or else group "wheel" aka GID#0.)

Thus, it still makes no sense that the error message said, in effect, that
spawn would not allow me to use _my own_ group ID (610).

So I find that I need to ask again: How/why is spawn.c getting _my_ group
ID mixed up and confused with _Postfix's_ group ID?

(I'm sorry if there is something obvious that I'm just not seeing here,
but the content of the error message I quoted seems pretty clear - Postfix
is somehow getting the Wrong Idea - it is incorrectly thinking for some
reason that my personal group ID is in fact Postfix's "mail system owner
group".)

Regards,
rfg
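For readers following the master.cf discussion above, here is an added example (not part of this thread, and not Postfix's own code) of what the program on the `argv=` side of such a `spawn` entry has to do: read the policy delegation protocol that SMTPD_POLICY_README describes (`attribute=value` lines, one request per blank-line-terminated block) and answer with a single `action=` line plus an empty line. The request attribute names and the `DUNNO`/`REJECT` actions are Postfix's; the sample request, the `.invalid`-domain rule and the function names are constructed for this example. It is written to run under spawn(8) as an unprivileged user such as the `user=nobody` in the quoted configuration, which is what the log message in this thread requires, since spawn refuses to hand the mail-system owner group to an external command.

```python
import sys

# Constructed sample request in the Postfix policy delegation format:
# "attribute=value" lines, one request terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sender=someone@example.invalid\n"
    "recipient=user@example.net\n"
    "\n"
)


def parse_request(block):
    """Parse one policy request into a dict; stops at the blank terminator."""
    attrs = {}
    for line in block.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep or not name:
            raise ValueError("malformed policy attribute line: %r" % line)
        attrs[name] = value
    return attrs


def decide(attrs):
    """Constructed demo policy: only acts at RCPT time, otherwise defers to
    the remaining smtpd restrictions with DUNNO."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    # Hypothetical rule for the example: the reserved .invalid TLD can never
    # be a real sending domain, so such a sender is rejected outright.
    if sender.endswith(".invalid"):
        return "REJECT sender domain is reserved"
    return "DUNNO"


def format_response(action):
    """A policy reply is a single action= line followed by an empty line."""
    return "action=%s\n\n" % action


def handle_request(block):
    """Full round trip for one request block: parse, decide, format."""
    return format_response(decide(parse_request(block)))


def serve(stream_in, stream_out):
    """Read requests from the pipe spawn(8) hands us until EOF, answering
    each one as soon as its terminating empty line arrives."""
    pending = []
    for raw in stream_in:
        line = raw.rstrip("\n")
        if line == "":
            if pending:
                stream_out.write(handle_request("\n".join(pending) + "\n"))
                stream_out.flush()
                pending = []
            continue
        pending.append(line)


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Because spawn(8) starts a fresh process per connection and talks to it over stdin/stdout, `serve` needs no socket code at all; the flush after every reply matters, since smtpd waits for the blank line that ends the response before continuing.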