John,

you might want to play around with a script I started a while ago. I don't
recall if I finished it. I think it did the job well enough to stop working on
it at that time.

p@rick



* John A @ KLaM <j...@klam.ca>:
> Recently there was a discussion about file permissions and ownership.
> My postfix setup is as far as I know fairly conventional Debian stretch.
> 
> /etc/postfix root root 755
> Main.cf root root 644
> Master.cf root root 644
> 
> /etc/postfix/maps root root 755
> Map, pcre etc root root 644
> 
> /etc/postfix/sasl root root 755
> --
> 
> /etc/postfix/sql root root 755
> sql ? ? 644
> 
> Would I be better with directories as 750
> and files as 640.
> 
> Ownership = postfix in all cases.
> 
> 

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
 
#!/bin/bash
# Pruefe Permission, Ownership und Groupownership aller MAPS, die Postfix 
# aktuell eingebunden hat sowie seiner Konfigurationsdateien und Helferskripte.
# Korrigiere die Werte wenn sie abweichen und melde die Aktion.
# Patrick Ben Koetter <p...@sys4.de>

# Target mode, owner and group for each class of file.  Owner root and group
# postfix are used for every class; only the mode differs.  These are the only
# values meant to be edited, the rest of the script just reads them.

# Lookup tables (including the *_sasl_password_maps and SQL client files
# referenced from main.cf, which carry credentials): not world-readable.
readonly MAP_PERMS=640
readonly MAP_OWNER=root
readonly MAP_GROUP=postfix

# main.cf, master.cf, dynamicmaps.cf: world-readable.
readonly CONF_PERMS=644
readonly CONF_OWNER=root
readonly CONF_GROUP=postfix

# Files shared with other services ("domains"): world-readable.
readonly SHARED_PERMS=644
readonly SHARED_OWNER=root
readonly SHARED_GROUP=postfix

# Certificates, keys and DH parameters: readable by the owner only.
readonly CERT_PERMS=400
readonly CERT_OWNER=root
readonly CERT_GROUP=postfix

# Helper scripts: executable by owner and group, nothing for the world.
readonly SCRIPT_PERMS=750
readonly SCRIPT_OWNER=root
readonly SCRIPT_GROUP=postfix


#############################################################################
# Ab hier nur noch Programm

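# Option parsing.  "-c DIR" selects the configuration directory of one
# Postfix instance (multi-instance setups); without it the system instance in
# /etc/postfix is used, as with postconf itself.  Anything else is rejected:
# the script changes modes and ownership as root, so a mistyped call should
# stop instead of being silently ignored.

# Print a one-line usage hint on stderr and exit with status 1.
usage() {
    printf 'postperms: fatal: usage: %s [-c config_directory]\n' "${0##*/}" >&2
    exit 1
}

INSTANCE_DIR=
while getopts ':c:' opt; do
    case "$opt" in
        c)
            INSTANCE_DIR=$OPTARG
            ;;
        :)
            printf 'postperms: fatal: option -%s requires an argument\n' \
                "$OPTARG" >&2
            usage
            ;;
        \?)
            printf 'postperms: fatal: invalid option -%s\n' "$OPTARG" >&2
            usage
            ;;
    esac
done
shift $((OPTIND - 1))
# Leftover positional arguments are most likely a forgotten "-c".
(( $# == 0 )) || usage

# Default to the system instance; an empty "-c ''" falls back to the default
# as well (":-").  A trailing "/" is removed so that the directory can be
# compared against and prepended to file paths later on.
CONFIG_DIR=${INSTANCE_DIR:-/etc/postfix}
CONFIG_DIR=${CONFIG_DIR%/}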

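# From here on the script only reports and corrects.  A file that cannot be
# fixed is reported and the next one is processed, so no "set -e" is used;
# every chmod/chown runs with -c and prints what it changed.

# Set mode, owner and group of one file and print every change.  A missing
# file is reported once on stderr and skipped instead of producing one error
# per command.
#
# Arguments: $1 - octal mode, $2 - owner, $3 - group, $4 - absolute path
# Returns:   status of chown when the file exists, 1 when it was skipped
fix_perms() {
    local mode=$1 owner=$2 group=$3 path=$4
    if [[ ! -e "$path" ]]; then
        printf 'postperms: warning: %s does not exist, skipped\n' "$path" >&2
        return 1
    fi
    chmod -c "$mode" -- "$path"
    chown -c "$owner:$group" -- "$path"
}

# Print the list entries of the main.cf parameters named in "$@", one per
# line.  postconf -xh prints one expanded value per line; a value is a list
# whose entries are separated by commas and/or whitespace, all of which are
# turned into line breaks here.  Empty lines may remain; the callers skip
# them through their path checks.  Parameter names unknown to the installed
# Postfix version only produce a postconf warning on stderr.
#
# Globals:   CONFIG_DIR (read)
# Arguments: $@ - main.cf parameter names
# Outputs:   one list entry per line on stdout
postconf_entries() {
    postconf -c "$CONFIG_DIR" -xh "$@" | tr -s ', \t\n' '\n'
}

# Fail early when the instance cannot be read at all (wrong -c directory,
# postconf not installed): every list below is derived from postconf output
# and would otherwise silently come out empty.
if ! postconf -c "$CONFIG_DIR" -h config_directory >/dev/null; then
    printf 'postperms: fatal: cannot read postfix configuration in %s\n' \
        "$CONFIG_DIR" >&2
    exit 1
fi

# Lookup tables: every parameter whose value may name a table file on disk.
# Kept as an array so that no long line continuations are needed.
MAP_PARAMS=(
    address_verify_sender_dependent_default_transport_maps
    address_verify_sender_dependent_relayhost_maps
    address_verify_transport_maps
    alias_maps canonical_maps fallback_transport_maps
    lmtp_discard_lhlo_keyword_address_maps lmtp_generic_maps
    lmtp_pix_workaround_maps lmtp_sasl_password_maps lmtp_tls_policy_maps
    local_recipient_maps mailbox_command_maps mailbox_transport_maps
    postscreen_discard_ehlo_keyword_address_maps
    rbl_reply_maps recipient_bcc_maps recipient_canonical_maps
    relay_recipient_maps relocated_maps sender_bcc_maps sender_canonical_maps
    sender_dependent_default_transport_maps sender_dependent_relayhost_maps
    smtp_discard_ehlo_keyword_address_maps smtp_generic_maps
    smtp_pix_workaround_maps smtp_sasl_password_maps smtp_tls_policy_maps
    smtpd_discard_ehlo_keyword_address_maps smtpd_sender_login_maps
    transport_maps virtual_alias_maps virtual_gid_maps
    virtual_mailbox_maps virtual_uid_maps bounce_template_file
    body_checks header_checks lmtp_body_checks lmtp_header_checks
    lmtp_mime_header_checks lmtp_nested_header_checks milter_header_checks
    mime_header_checks nested_header_checks
    smtp_body_checks smtp_header_checks smtp_mime_header_checks
    smtp_nested_header_checks
)

while IFS= read -r entry; do
    # Strip the table type prefix ("hash:", "proxy:mysql:", ...) with the
    # longest match.  What remains must be an absolute path; entries such as
    # nis:, inline:, static: or tcp: tables are not local files and are
    # skipped.  A trailing "," from list values no longer reaches chmod,
    # because postconf_entries splits on commas.
    # NOTE(review): the compiled companion of hash:/btree: (.db) and lmdb:
    # (.lmdb) tables is not touched here -- TODO confirm that postmap(1)
    # keeps its mode and owner in sync with the source file.
    FILE=${entry##*:}
    [[ "$FILE" == /* ]] || continue
    fix_perms "$MAP_PERMS" "$MAP_OWNER" "$MAP_GROUP" "$FILE"
done < <(postconf_entries "${MAP_PARAMS[@]}")


# Files with fixed names are addressed relative to the configuration
# directory; bare names would only work when the script is started from
# that directory.
CONFS=(main.cf master.cf dynamicmaps.cf)

for name in "${CONFS[@]}"; do
    fix_perms "$CONF_PERMS" "$CONF_OWNER" "$CONF_GROUP" "$CONFIG_DIR/$name"
done


# Files shared with other services.
SHARED=(domains)

for name in "${SHARED[@]}"; do
    fix_perms "$SHARED_PERMS" "$SHARED_OWNER" "$SHARED_GROUP" \
        "$CONFIG_DIR/$name"
done


# Certificates, keys, trust anchors and DH parameters.  The values are plain
# paths without a table type prefix.
CERT_PARAMS=(
    lmtp_tls_cert_file lmtp_tls_dcert_file lmtp_tls_dkey_file
    lmtp_tls_eccert_file lmtp_tls_eckey_file lmtp_tls_key_file
    lmtp_tls_trust_anchor_file
    smtp_tls_cert_file smtp_tls_dcert_file smtp_tls_dkey_file
    smtp_tls_eccert_file smtp_tls_eckey_file smtp_tls_key_file
    smtp_tls_trust_anchor_file
    smtpd_tls_cert_file smtpd_tls_dcert_file smtpd_tls_dh1024_param_file
    smtpd_tls_dh512_param_file smtpd_tls_dkey_file smtpd_tls_eccert_file
    smtpd_tls_eckey_file smtpd_tls_key_file
    tlsproxy_tls_cert_file tlsproxy_tls_dcert_file
    tlsproxy_tls_dh1024_param_file tlsproxy_tls_dh512_param_file
    tlsproxy_tls_dkey_file tlsproxy_tls_eccert_file tlsproxy_tls_eckey_file
    tlsproxy_tls_key_file
)

while IFS= read -r FILE; do
    # Only files inside the default directory or the instance's own
    # configuration directory are touched: a trust anchor or DH parameter
    # file elsewhere may be shared with other services and keeps its own
    # permissions.  CERT_PERMS applies to certificates, keys and parameter
    # files alike.
    [[ "$FILE" == /etc/postfix/* || "$FILE" == "${CONFIG_DIR%/}"/* ]] \
        || continue
    fix_perms "$CERT_PERMS" "$CERT_OWNER" "$CERT_GROUP" "$FILE"
done < <(postconf_entries "${CERT_PARAMS[@]}")


# Helper scripts, expected in the configuration directory.  A script that is
# not installed there is reported by fix_perms and skipped.
SCRIPTS=(postfix-script post-install setperms)

for name in "${SCRIPTS[@]}"; do
    fix_perms "$SCRIPT_PERMS" "$SCRIPT_OWNER" "$SCRIPT_GROUP" \
        "$CONFIG_DIR/$name"
done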

# vim: set ts=4 sw=4:
