Loading ...
Sorry, an error occurred while loading the content.

Re: filter user permissions question

Expand Messages
  • kclair
    ... But the filter user is part of the filter group, so shouldn t that grant the filter user permission to execute the file? And also, when I run the program
    Message 1 of 5 , Nov 1, 2006
    • 0 Attachment
      On Tue, Oct 31, 2006 at 06:44:07PM -0500, Wietse Venema wrote:
      > kclair:
      > > Hello,
      > >
      > > I'm trying to use a content filter using an external command via
      > > master.cf. I can't really wrap my head around the permissions
      > > problems that I'm seeing, and I'm wondering if anyone can shed any
      > > light on it.
      > >
      > > The line(s) in master.cf:
      > > filter unix - n n - 10 pipe
      > > flags=Rq user=filter argv=/usr/local/anomy/filter.sh -f ${sender} --
      > > ${recipient}
      > >
      > > This should be executing this command as the user "filter", right?
      > >
      > > The permissions of the script:
      > > -rwxr-x--- 1 root filter 1123 2006-10-31 14:13 filter.sh
      >
      > This file is executable if:
      >
      > the process has the NUMERICAL uid of the root USER.
      >
      > the process has the NUMERICAL gid of the filter GROUP.
      >
      > Nowhere does it say that a process with the numerical
      > uid of the filter USER has execute permission.

      But the filter user is part of the filter group, so shouldn't that
      grant the filter user permission to execute the file?

      And also, when I run the program from the command line as the user
      filter, it executes with no permissions problem.

      I guess I am not understanding why it is different when it is
      executed by postfix. Does it not matter in that case that user filter
      is part of group filter?

      Thanks,
      Kristina
    • Victor Duchovni
      ... Only if this is the primary group of the user or you use the (pipe(8) manual) documented syntax for specifying the group you want: ... user=user:group
      Message 2 of 5 , Nov 1, 2006
      • 0 Attachment
        On Wed, Nov 01, 2006 at 08:51:36AM -0500, kclair wrote:

        > On Tue, Oct 31, 2006 at 06:44:07PM -0500, Wietse Venema wrote:
        > > kclair:
        > > > Hello,
        > > >
        > > > I'm trying to use a content filter using an external command via
        > > > master.cf. I can't really wrap my head around the permissions
        > > > problems that I'm seeing, and I'm wondering if anyone can shed any
        > > > light on it.
        > > >
        > > > The line(s) in master.cf:
        > > > filter unix - n n - 10 pipe
        > > > flags=Rq user=filter argv=/usr/local/anomy/filter.sh -f ${sender} --
        > > > ${recipient}
        > > >
        > > > This should be executing this command as the user "filter", right?
        > > >
        > > > The permissions of the script:
        > > > -rwxr-x--- 1 root filter 1123 2006-10-31 14:13 filter.sh
        > >
        > > This file is executable if:
        > >
        > > the process has the NUMERICAL uid of the root USER.
        > >
        > > the process has the NUMERICAL gid of the filter GROUP.
        > >
        > > Nowhere does it say that a process with the numerical
        > > uid of the filter USER has execute permission.
        >
        > But the filter user is part of the filter group, so shouldn't that
        > grant the filter user permission to execute the file?

        Only if this is the primary group of the user or you use the (pipe(8)
        manual) documented syntax for specifying the group you want:

        ... user=user:group argv=...

        Secondary groups are not assigned when Postfix delivers mail to programs.

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
      • Wietse Venema
        ... Is the NUMERICAL gid of the filter USER equal to the NUMERICAL gid of the filter GROUP? Wietse
        Message 3 of 5 , Nov 1, 2006
        • 0 Attachment
          kclair:
          > On Tue, Oct 31, 2006 at 06:44:07PM -0500, Wietse Venema wrote:
          > > kclair:
          > > > Hello,
          > > >
          > > > I'm trying to use a content filter using an external command via
          > > > master.cf. I can't really wrap my head around the permissions
          > > > problems that I'm seeing, and I'm wondering if anyone can shed any
          > > > light on it.
          > > >
          > > > The line(s) in master.cf:
          > > > filter unix - n n - 10 pipe
          > > > flags=Rq user=filter argv=/usr/local/anomy/filter.sh -f ${sender} --
          > > > ${recipient}
          > > >
          > > > This should be executing this command as the user "filter", right?
          > > >
          > > > The permissions of the script:
          > > > -rwxr-x--- 1 root filter 1123 2006-10-31 14:13 filter.sh
          > >
          > > This file is executable if:
          > >
          > > the process has the NUMERICAL uid of the root USER.
          > >
          > > the process has the NUMERICAL gid of the filter GROUP.
          > >
          > > Nowhere does it say that a process with the numerical
          > > uid of the filter USER has execute permission.
          >
          > But the filter user is part of the filter group, so shouldn't that
          > grant the filter user permission to execute the file?

          Is the NUMERICAL gid of the filter USER equal to the
          NUMERICAL gid of the filter GROUP?

          Wietse
        Your message has been successfully submitted and would be delivered to recipients shortly.