berg...@panix.com:
> In the message dated: Fri, 11 Apr 2025 19:31:54 -0400,
> The pithy ruminations from Wietse Venema via Postfix-users on
> [[pfx] Re: pipe service program failing (signal handler?)] were:
> => berg...@panix.com:
> => > => Postfix does nothing to prevent a child process from making a system
> => > => call. For blocked calls, you may find more useful info in SELinux
> => > => or AppArmor event logs.
> => >
> => > SELinux is disabled and AppArmor is not installed on this system.
> => >
> => > There's no problem running gmi directly from the shell, as an
> => > unprivileged user or as root.
> => >
> => > Any other thoughts, perhaps to do with postfix dropping privileges
> => > from root=>user when the gmi command is run as a pipe service?
> =>
> => Postfix relies on POSIX calls to impersonate an unprivileged user
> => (by manipulating the real/effective/saved UID and GID, and secondary
> => groups).
>
> Yep.
>
> => It is possible that your OS also manipulates other rights (capabilities,
> => other resource controls) that Postfix is not aware of.
>
> Yes, certainly... but this issue only appears when gmi is run in this way.
> I suppose that if one were to draw a Venn diagram, then the diagrams for
> crond+gmi, su+gmi, etc. do not fully overlap with the diagram for
> systemd+postfix+gmi.
>
> I also tried chown'ing gmi to root and turning on the setuid bit, with no
> change in behavior -- it runs fine from the shell and fails when called
> as a pipe service.
>
> Is there any way (against recommended practice, I know) to run a pipe
> service as user=root, for testing?

No. And I expect you would find that a 'systemd+postfix' root process
will have fewer rights than a 'su+shell' root or 'crond+shell' root process.

That may be easy enough to demonstrate:

    $ su
    # postfix stop
    # postfix start

That is, start Postfix from a root shell, not systemd, and see if the
pipe(8) child process has different rights.

	Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
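An added example, not part of the thread and not Postfix code, of how to carry out the comparison Wietse suggests. The script below is meant to be installed in place of gmi as the pipe(8) command: it records the credentials Postfix does set on the child (real/effective/saved UID and GID, supplementary groups) next to the rights Postfix does not touch (capability sets and bounding set, no_new_privs, seccomp mode, rlimits, cgroup/systemd slice, LSM label, environment). Running it once under systemd-started Postfix, once after `postfix stop; postfix start` from a root shell, and once from cron or su, then diffing the reports, shows exactly which of those "Venn diagrams" differ. The script name, report path, and the master.cf entry in the usage note are assumptions for the example; the capability bit table is the Linux kernel's.

```shell
#!/bin/sh
# rights-probe.sh (example script; not part of Postfix or of the thread).
# Install it as the pipe(8) command instead of gmi, run the same mail through
# systemd-started and shell-started Postfix, and diff the two reports.

# Linux capability names, lowest bit first (bit 0 = CAP_CHOWN,
# bit 40 = CAP_CHECKPOINT_RESTORE), used to decode CapXxx masks.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_names MASK: decode a capability mask as printed in /proc/PID/status
# (16 hex digits, optional 0x prefix) into space-separated cap_* names.
cap_names() {
    _hex=${1#0x}
    _mask=$(( 0x$_hex ))
    _i=0
    _out=""
    for _n in $CAP_NAMES; do
        if [ $(( (_mask >> _i) & 1 )) -eq 1 ]; then
            _out="${_out}${_out:+ }cap_$_n"
        fi
        _i=$(( _i + 1 ))
    done
    printf '%s\n' "$_out"
}

# status_field KEY: value of one "Key:<tab>value" line from the status file
# of THIS shell ($$), not of the awk child: capability sets are recomputed
# on every execve, so /proc/self inside a $(...) would describe awk instead.
status_field() {
    awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ /, ""); print }' \
        "/proc/$$/status" 2>/dev/null
}

# dump_rights [REPORT]: append one report to REPORT (default: stdout).
dump_rights() {
    _report=${1:-/dev/stdout}
    # pipe(8) hands the message on stdin; drain it so the delivery
    # completes instead of failing with a broken pipe.
    [ -t 0 ] || cat >/dev/null
    {
        echo "=== rights probe $(date) pid=$$ ppid=$PPID argv0=$0 ==="
        echo "id:            $(id)"
        echo "Uid(r/e/s/fs): $(status_field Uid)"
        echo "Gid(r/e/s/fs): $(status_field Gid)"
        echo "Groups:        $(status_field Groups)"
        for _set in CapInh CapPrm CapEff CapBnd CapAmb; do
            _m=$(status_field "$_set")
            echo "$_set:        $_m  [$(cap_names "${_m:-0}")]"
        done
        echo "NoNewPrivs:    $(status_field NoNewPrivs)"
        echo "Seccomp:       $(status_field Seccomp)"
        echo "umask:         $(umask)"
        echo "cgroup:        $(tr '\n' ' ' <"/proc/$$/cgroup" 2>/dev/null)"
        echo "LSM label:     $(tr -d '\0' <"/proc/$$/attr/current" 2>/dev/null)"
        echo "--- ulimit -a ---"; ulimit -a
        echo "--- environment ---"; env | sort
        echo
    } >>"$_report" 2>&1
}

# Produce a report only when executed under this script's name, so the
# functions can also be sourced (e.g. for testing) without side effects.
case $0 in
    *rights-probe*) dump_rights "$@" ;;
esac
```

To use it (assumed master.cf entry; `gmiuser` stands for whatever `user=` the real gmi service uses), route a test address to a service such as `probe unix - n n - - pipe user=gmiuser argv=/usr/local/bin/rights-probe.sh /var/tmp/rights-probe.log`, send one message with Postfix started by systemd, then `postfix stop` and `postfix start` from a root shell as Wietse describes, send another, and diff the two entries in `/var/tmp/rights-probe.log`. Differences in CapBnd, NoNewPrivs, Seccomp, the cgroup line, or the rlimits are exactly the "other rights" that systemd applies and Postfix is unaware of; the UID/GID/Groups lines should be identical in both runs because those are the only credentials Postfix itself sets. The report path must be writable by that user.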