On Sat, Jan 22, 2022 at 05:22:29PM -0500, Marvin Renich wrote:
> retitle 1002527 milter-greylist -u user does not correctly ensure user can
> update greylist.db
> quit
>
> * Adrian Bunk <b...@debian.org> [220120 21:43]:
> > On Thu, Dec 23, 2021 at 02:12:04PM -0500, Marvin Renich wrote:
> > >...
> > > With an existing installation of milter-greylist set up to work with
> > > chrooted postfix (i.e. USER="postfix" in /etc/default/milter-greylist),
> > > every upgrade sets the owner of the directory /var/lib/milter-greylist
> > > to "greylist" regardless of the setting of USER. This effectively
> > > breaks postfix, as it will no longer deliver mail until the problem is
> > > resolved.
> > >
> > > Note that the particular system hosting my mail server is still running
> > > sysvinit, not systemd. I do not know how milter-greylist configures the
> > > user under systemd, but the postinst has "greylist" hardcoded, so I
> > > suspect that if the sysadmin has configured a different user, this will
> > > break under systemd, as well.
> > >...
> >
> > With systemd the problem likely doesn't exist since the user is
> > hardcoded also in the service file:
> >
> > /lib/systemd/system/milter-greylist.service:
> > ExecStart=/usr/sbin/milter-greylist -u greylist
>
> I'm not sure how that fixes anything.
>...
> milter-greylist had a documented way to run it as a different user by
> setting USER="postfix" in the above file.
>
> I don't have milter-greylist running with postfix on a systemd system,
> so I can't test this, but I suspect that if I copied
> /lib/systemd/system/milter-greylist.service to /etc/systemd/system/ and
> edited it to use -u postfix, and corrected the ownership and permissions
> on /var/lib/milter-greylist, the next upgrade would still clobber the
> ownership, thus breaking postfix.
>...

Changing milter-greylist.service would not really be supported, my
reading of the code is that USER="postfix" is honored in the init
script but for systemd users the user cannot be changed. Which explains
why there aren't more people running into this bug.

> ...Marvin

cu
Adrian