Update:
I found another issue:
5. Files copied by the init.d script will be world-readable, sometimes
in contrast to the original files.
This a problem for some files that people might want to add to the
chroot, like /etc/sasldb, which has clear-text passwords.
In my updated patch I changed the umask to 027 to prevent files from
being created as world-readable and made them in stead group-readable
by the postfix user. I think this is "open" enough. Please correct me
if I'm wrong.
I updated the previous patch to resolve this issue
(init.d-chroot-new.patch). All the comments in the original bug post still
apply.
--- postfix-2.5.5-orig/debian/init.d 2008-10-31 13:59:26.000000000 +0100
+++ postfix-2.5.5/debian/init.d 2008-10-31 14:01:08.000000000 +0100
@@ -25,6 +25,8 @@
# Defaults - don't touch, edit /etc/default/postfix
SYNC_CHROOT="y"
+CHROOT_FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+ etc/nsswitch.conf etc/nss_mdns.config"
test -f /etc/default/postfix && . /etc/default/postfix
@@ -45,6 +47,55 @@
fi
}
+update_chroot() {
+ # see if anything is running chrooted.
+ NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+
+ if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+ # Make sure that the chroot environment is set up correctly.
+ oldumask=$(umask)
+ umask 027
+ cd $(postconf -h queue_directory)
+
+ # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
+ smtp_tls_security_level=$(postconf -h smtp_tls_security_level)
+ smtp_use_tls=$(postconf -h smtp_use_tls)
+ smtpd_tls_security_level=$(postconf -h smtpd_tls_security_level)
+ smtpd_use_tls=$(postconf -h smtpd_use_tls)
+ if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" \
+ -o "X$smtp_tls_security_level" != "X" -a "X$smtp_tls_security_level" != "Xnone" \
+ -o "X$smtpd_tls_security_level" != "X" -a "X$smtpd_tls_security_level" != "Xnone" ]; then
+ if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
+ mkdir -p etc/ssl/certs
+ cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
+ chgrp postfix etc/ssl/certs/ca-certificates.crt
+ fi
+ fi
+
+ # if we're using unix:passwd.byname, then we need to add etc/passwd.
+ local_maps=$(postconf -h local_recipient_maps)
+ if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+ if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+ sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+ chgrp postfix etc/passwd
+ fi
+ fi
+
+ for file in $CHROOT_FILES; do
+ [ -d ${file%/*} ] || mkdir -p ${file%/*}
+ if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+ if [ -f ${file} ]; then chgrp postfix ${file}; fi
+ done
+ rm -f usr/lib/zoneinfo/localtime
+ mkdir -p usr/lib/zoneinfo
+ ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+ rm -f lib/libnss_*so*
+ tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+ umask $oldumask
+ fi
+}
+
+
case "$1" in
start)
log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
@@ -65,48 +116,7 @@
exit 1
fi
- # see if anything is running chrooted.
- NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
-
- if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
- # Make sure that the chroot environment is set up correctly.
- oldumask=$(umask)
- umask 022
- cd $(postconf -h queue_directory)
-
- # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
- smtp_use_tls=$(postconf -h smtp_use_tls)
- smtpd_use_tls=$(postconf -h smtpd_use_tls)
- if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]; then
- if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
- mkdir -p etc/ssl/certs
- cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
- fi
- fi
-
- # if we're using unix:passwd.byname, then we need to add etc/passwd.
- local_maps=$(postconf -h local_recipient_maps)
- if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
- if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
- sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
- chmod a+r etc/passwd
- fi
- fi
-
- FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
- etc/nsswitch.conf etc/nss_mdns.config"
- for file in $FILES; do
- [ -d ${file%/*} ] || mkdir -p ${file%/*}
- if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
- if [ -f ${file} ]; then chmod a+rX ${file}; fi
- done
- rm -f usr/lib/zoneinfo/localtime
- mkdir -p usr/lib/zoneinfo
- ln -sf /etc/localtime usr/lib/zoneinfo/localtime
- rm -f lib/libnss_*so*
- tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
- umask $oldumask
- fi
+ update_chroot
if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
log_end_msg 0
@@ -159,8 +169,14 @@
${DAEMON} $1
;;
+ update-chroot)
+ log_action_begin_msg "Updating the Postfix chroot"
+ update_chroot
+ log_action_end_msg 0
+ ;;
+
*)
- log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+ log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload|update-chroot}"
exit 1
;;
esac