Re: filter user permissions question

  • Victor Duchovni
    Message 1 of 5 , Nov 1, 2006
      On Wed, Nov 01, 2006 at 08:51:36AM -0500, kclair wrote:

      > On Tue, Oct 31, 2006 at 06:44:07PM -0500, Wietse Venema wrote:
      > > kclair:
      > > > Hello,
      > > >
      > > > I'm trying to use a content filter using an external command via
      > > > master.cf. I can't really wrap my head around the permissions
      > > > problems that I'm seeing, and I'm wondering if anyone can shed any
      > > > light on it.
      > > >
      > > > The line(s) in master.cf:
      > > > filter unix - n n - 10 pipe
      > > > flags=Rq user=filter argv=/usr/local/anomy/filter.sh -f ${sender} --
      > > > ${recipient}
      > > >
      > > > This should be executing this command as the user "filter", right?
      > > >
      > > > The permissions of the script:
      > > > -rwxr-x--- 1 root filter 1123 2006-10-31 14:13 filter.sh
      > >
      > > This file is executable if:
      > >
      > > the process has the NUMERICAL uid of the root USER.
      > >
      > > the process has the NUMERICAL gid of the filter GROUP.
      > >
      > > Nowhere does it say that a process with the numerical
      > > uid of the filter USER has execute permission.
      >
      > But the filter user is part of the filter group, so shouldn't that
      > grant the filter user permission to execute the file?

      Only if this is the primary group of the user or you use the (pipe(8)
      manual) documented syntax for specifying the group you want:

      ... user=user:group argv=...

      Secondary groups are not assigned when Postfix delivers mail to programs.

      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
    • Wietse Venema
      Message 2 of 5 , Nov 1, 2006
        kclair:
        > On Tue, Oct 31, 2006 at 06:44:07PM -0500, Wietse Venema wrote:
        > > kclair:
        > > > Hello,
        > > >
        > > > I'm trying to use a content filter using an external command via
        > > > master.cf. I can't really wrap my head around the permissions
        > > > problems that I'm seeing, and I'm wondering if anyone can shed any
        > > > light on it.
        > > >
        > > > The line(s) in master.cf:
        > > > filter unix - n n - 10 pipe
        > > > flags=Rq user=filter argv=/usr/local/anomy/filter.sh -f ${sender} --
        > > > ${recipient}
        > > >
        > > > This should be executing this command as the user "filter", right?
        > > >
        > > > The permissions of the script:
        > > > -rwxr-x--- 1 root filter 1123 2006-10-31 14:13 filter.sh
        > >
        > > This file is executable if:
        > >
        > > the process has the NUMERICAL uid of the root USER.
        > >
        > > the process has the NUMERICAL gid of the filter GROUP.
        > >
        > > Nowhere does it say that a process with the numerical
        > > uid of the filter USER has execute permission.
        >
        > But the filter user is part of the filter group, so shouldn't that
        > grant the filter user permission to execute the file?

        Is the NUMERICAL gid of the filter USER equal to the
        NUMERICAL gid of the filter GROUP?

        Wietse
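
Added example, not part of the thread and not Postfix code: a small model of the Unix execute check applied to the posted `-rwxr-x--- root filter` script, comparing a login shell (secondary groups loaded) with pipe(8) running `user=filter` and `user=filter:filter`. The numeric IDs are constructed, and the assumption that user "filter" has a primary group other than "filter" is hypothetical, since the thread does not say.

```python
import stat

# Constructed IDs for illustration; the thread gives no numeric values.
FILTER_UID = 1001    # user "filter"
FILTER_GID = 1001    # group "filter" (group owner of filter.sh)
USERS_GID = 100      # assumed primary group of user "filter"
SCRIPT_MODE = 0o750  # -rwxr-x--- root:filter, as posted in the thread
SCRIPT_UID = 0       # owner root


def can_execute(mode, file_uid, file_gid, uid, gid, groups=()):
    """Classic Unix execute check (no ACLs or capabilities modelled)."""
    any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if uid == 0:
        return bool(mode & any_x)          # root needs any one x bit
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)   # owner class only
    if gid == file_gid or file_gid in groups:
        return bool(mode & stat.S_IXGRP)   # group class only
    return bool(mode & stat.S_IXOTH)       # everyone else


def scenarios():
    """Return {description: can filter.sh be executed?}."""
    def check(gid, groups=()):
        return can_execute(SCRIPT_MODE, SCRIPT_UID, FILTER_GID,
                           FILTER_UID, gid, groups)
    return {
        # Login shell: initgroups() loads secondary groups, so it works.
        "login shell, filter is a secondary group": check(USERS_GID, {FILTER_GID}),
        # pipe(8) user=filter: primary gid only, no secondary groups.
        "pipe user=filter": check(USERS_GID),
        # pipe(8) user=filter:filter: gid set explicitly.
        "pipe user=filter:filter": check(FILTER_GID),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'exec allowed' if ok else 'permission denied'}")
```
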