* LuKreme <krem...@kreme.com>:
> All the files in /etc/postfix are 1) owned by root and 2) marked with 644
> permissions.
>
> I'm not sure this is a good idea (though there are no other users who log in
> to the shell, there are other users who at least in theory could).
>
> I did chmod 600 and chown postfix the mysql_virtual_*_maps.cf files since
> they contain the SQL password for the sql users' database.
>
> Am I worrying needlessly? Could I chmod 600 and chown postfix all of
> /etc/postfix?
All maps                            root:postfix 640
main.cf, master.cf, dynamicmaps.cf  root:postfix 644   Must be world readable for sendmail users

root@mail:/etc/postfix# ll
total 216
drwxr-xr-x   3 root    root     4096 Sep  4 08:10 ./
drwxr-xr-x 103 root    root     4096 Sep  4 11:28 ../
-rw-r-----   1 postfix postfix   901 Feb  5  2013 body.chk
-rw-r-----   1 root    postfix    46 Feb  5  2013 client_access
-rw-r-----   1 root    postfix  2113 Feb  5  2013 client_access.cdb
-rw-r-----   1 root    postfix   778 Sep  4 08:10 dh_2048.pem
-rw-r-----   1 root    postfix   156 Feb  5  2013 dh_512.pem
-rw-r-----   1 root    postfix 16351 Jul  8 16:25 drop.cidr
-rw-r--r--   1 root    postfix   389 Nov 22  2012 dynamicmaps.cf
-rw-r-----   1 root    postfix  3337 Feb  5  2013 header.chk
-rw-r-----   1 root    postfix   491 Apr 29 14:27 helo.chk
-rw-r--r--   1 root    postfix  5056 Sep  4 08:10 main.cf
-rw-r-----   1 root    postfix   582 Feb  6  2013 Makefile
-rw-r--r--   1 root    postfix  3400 May 23 00:28 master.cf
-rw-r-----   1 root    postfix   172 Feb  5  2013 nested_header.chk
-rw-r-----   1 root    postfix    25 Feb  5  2013 nullsender
-rw-r-----   1 root    postfix  2090 Feb  5  2013 nullsender.cdb
-rw-r--r--   1 root    postfix 19707 Oct 23  2012 postfix-files
-rwxr-xr-x   1 root    postfix  8729 Oct 23  2012 postfix-script*
-rwxr-xr-x   1 root    postfix 26498 Oct 23  2012 post-install*
-rw-r-----   1 root    postfix    31 Feb  5  2013 postscreen_access.cidr
-rw-r-----   1 root    postfix   214 Feb  5  2013 role_exceptions
-rw-r-----   1 root    postfix  2190 Feb  5  2013 role_exceptions.cdb
drwxr-x---   2 root    postfix  4096 Oct 23  2012 sasl/
-rw-r-----   1 root    postfix  1728 Feb  5  2013 sender_exceptions
-rw-r-----   1 root    postfix  3686 Feb  5  2013 sender_exceptions.cdb
-rw-r-----   1 root    postfix    67 Feb  6  2013 transport
-rw-r-----   1 root    postfix  2158 Feb  6  2013 transport.cdb
-rw-r-----   1 root    postfix   582 Jun 17 09:34 virtual
-rw-r-----   1 root    postfix  2892 Jun 17 09:34 virtual.cdb

I use a Makefile to maintain maps and permissions:

SHELL = /bin/sh
VPATH = /etc

all: helos.db transport.db client_access.db clients.db roles.db senders.db aliases.db discard_ehlo_keywords.db \
	relay_domains.db virtual_aliases.db tls_policies.db

# /etc/aliases is the one map built with postalias(1) instead of postmap(1).
# Build from a .proto copy so a failed run never leaves a half-written aliases.db behind.
aliases.db: /etc/aliases
	cp /etc/aliases /etc/aliases.proto
	postalias hash:/etc/aliases.proto
	mv /etc/aliases.proto.db /etc/aliases.db
	chown root:postfix /etc/aliases*
	chmod 640 /etc/aliases*
	rm /etc/aliases.proto
	/usr/local/sbin/set_postfix_perms

# Generic rule: every other map is rebuilt from its source file whenever that changes.
%.db: %
	cp $< $<.proto
	postmap hash:$<.proto
	mv $<.proto.db $<.db
	chown root:postfix $<*
	chmod 640 $<*
	rm $<.proto
	/usr/local/sbin/set_postfix_perms

And I call set_postfix_perms at the end to catch files that are not maps:

#!/bin/bash
# Sets permissions and ownership in /etc/postfix restrictively
# Patrick Koetter, p...@sys4.de

# The globs below are relative to the config directory, so change into it first
# instead of relying on the caller's working directory.
cd /etc/postfix || exit 1

# Readable only by root and postfix
declare -a FILES=( dh_2048.pem dh_512.pem drop.cidr header_checks.pcre identity.chk Makefile postscreen_access.cidr relay_recipients.ldap virtual_aliases.ldap )

# These must be world readable
declare -a CONFS=( main.cf master.cf relay_domains* )

for i in "${FILES[@]}"
do
	chmod 640 "$i"
	chown root:postfix "$i"
done

for i in "${CONFS[@]}"
do
	chmod 644 "$i"
	chown root:postfix "$i"
done

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
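The Makefile and set_postfix_perms above enforce the layout; what they do not give you is a way to verify it afterwards, which is what the original question was really about (has anything in /etc/postfix that holds a credential become world-readable?). The script below is an added example and not part of the post or of Postfix: it audits a configuration directory against the policy stated above (maps and everything else 640, main.cf/master.cf/dynamicmaps.cf 644 because sendmail(1) runs as the submitting user) plus the modes the listing shows for postfix-files, the two helper scripts and sasl/. Directory, owner and group are parameters so it can be tried on a scratch copy without root; it relies on GNU stat(1).

```shell
#!/bin/sh
# Added example, not from the original post: audit a Postfix configuration
# directory against the permission layout described above and report every
# entry that deviates. Directory, expected owner and expected group are
# parameters so the check can be run on a scratch copy as an unprivileged
# user; on a real system the call is: audit_postfix_dir /etc/postfix root postfix
#
# Policy, taken from the summary and the listing in the post:
#   main.cf master.cf dynamicmaps.cf postfix-files -> 644 (sendmail(1) runs as the submitting user)
#   postfix-script post-install                    -> 755
#   sasl (directory)                               -> 750
#   everything else, i.e. maps, *.cf files that carry SQL/LDAP credentials,
#   DH parameters and CIDR tables                   -> 640 (no world read bit)

expected_mode() {
    # $1 = entry name relative to the config dir; prints the octal mode the policy wants
    case "$1" in
        main.cf|master.cf|dynamicmaps.cf|postfix-files) echo 644 ;;
        postfix-script|post-install)                    echo 755 ;;
        sasl)                                           echo 750 ;;
        *)                                              echo 640 ;;
    esac
}

audit_postfix_dir() {
    # $1 = directory, $2 = expected owner, $3 = expected group
    # Prints one line per deviation; returns 0 when everything matches, 1 otherwise.
    dir=$1 owner=$2 group=$3 rc=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue                 # empty directory: the glob did not expand
        name=${path##*/}
        want=$(expected_mode "$name")
        set -- $(stat -c '%a %U %G' "$path")       # GNU stat: octal mode, owner name, group name
        have=$1 have_owner=$2 have_group=$3
        [ "$have" = "$want" ] || { echo "$name: mode $have, want $want"; rc=1; }
        [ "$have_owner" = "$owner" ] || { echo "$name: owner $have_owner, want $owner"; rc=1; }
        [ "$have_group" = "$group" ] || { echo "$name: group $have_group, want $group"; rc=1; }
    done
    return "$rc"
}

# Run as a script: sh audit_postfix_perms.sh /etc/postfix root postfix
# Prints nothing and exits 0 when the layout is clean, lists the offenders and exits 1 otherwise.
if [ "$#" -eq 3 ]; then
    audit_postfix_dir "$1" "$2" "$3"
fi
```

A non-zero exit from a cron job or a configuration-management run is the signal you want here: a map that was rebuilt by hand with postmap(1) as root and left at 644, or a mysql_virtual_*_maps.cf copied in from a backup with the wrong mode, shows up the next time the audit runs rather than when someone reads the SQL password out of it.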