On Tue, Jul 19, 2011 at 05:02:34PM +0200, Lars Täuber wrote:

> The unix socket can't be used by other users than root or postfix.
> Is there a way to configure ownership and/or permissions for the socket?

No, the parent directory: $queue_directory/private, must be protected
from users other than "postfix" (or "root").

> I thought under Linux the filesystem permissions reflect the permissions to
> the unix socket.

The entire path to the unix socket, including parent directories.

    $ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
    drwx------ 2 postfix root     4096 Jun 7 17:59 /var/spool/postfix/private/
    drwx--x--- 2 postfix postdrop 4096 Jun 7 17:59 /var/spool/postfix/public/

> Am I doing something wrong?

To run an smtpd in a less restricted directory, you need to place the
socket in a new location. You can create /var/spool/postfix/world owner
postfix, mode 0755, and in master.cf use:

    ../world/sname unix ...

instead of

    sname unix ...

with this any user will be able to access the socket. Of course at that
point, why not just use "inet" instead with a loopback address?

The only group available to Postfix when it binds listening unix-domain
sockets is the primary group of the postfix user. You could in principle
create:

    drwxr-x--- 2 postfix postfix 4096 Jun 7 17:59 /var/spool/postfix/shared/

instead of "world", and give some users a second group of "postfix".
AFAIK nothing in the Postfix system assigns special permissions to this
group (as opposed to the "postdrop" group, which must not be the primary
group of the "postfix" user).

--
Viktor.
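
Added example, not part of the original message and not Postfix code: a Python check of the point made above, that every directory on the path gates access to a unix-domain socket. It assumes classic owner/group/other mode bits only (no ACLs or LSM policy); the function names, the uid/gid values and the demo tree mirroring "private", "world" and "shared" are constructed for illustration.

```python
import os
import socket

def allowed(st, uid, gids, want):
    """Classic owner/group/other mode check (ACLs and LSM policy are ignored)."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def first_block(root, rel_socket, uid, gids):
    """Return the first path component that denies uid/gids, or None if reachable.

    Every directory from root down needs search (x) permission; the socket
    itself needs write (w) permission for connect() on Linux.
    """
    path = root
    for part in rel_socket.split("/"):
        if not allowed(os.stat(path), uid, gids, 0o1):
            return path
        path = os.path.join(path, part)
    return None if allowed(os.stat(path), uid, gids, 0o2) else path

def build_demo_tree(base):
    """Constructed stand-in for $queue_directory with three socket directories."""
    os.chmod(base, 0o755)
    for name, mode in (("private", 0o700), ("world", 0o755), ("shared", 0o750)):
        d = os.path.join(base, name)
        os.mkdir(d)
        s = socket.socket(socket.AF_UNIX)
        s.bind(os.path.join(d, "sname"))   # creates the socket file
        s.close()
        os.chmod(os.path.join(d, "sname"), 0o666)
        os.chmod(d, mode)

if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()
    build_demo_tree(base)
    outsider = os.stat(base).st_uid + 1000     # constructed uid, not the owner
    for rel in ("private/sname", "world/sname", "shared/sname"):
        print(rel, "->", first_block(base, rel, outsider, {outsider}))
```

Against a real installation, call first_block("/", "var/spool/postfix/private/sname", uid, gids) with the uid and group set of the account being audited; a return value of None for an unprivileged account on a socket under private/ means the directory protection described above is missing.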