On 12 Jan 2018, at 16:51 (-0500), James Moe wrote:
postfix v3.2.0
linux v4.4.103-36-default x86_64
Whenever postfix (re-)starts, the message below is emitted.
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning: group or other writable: /etc/postfix/./ssl/cacerts
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the Postfix mail system
Following the various paths yields the following directory listings:
$ ls -l .
drwxr-xr-x 1 root root 24 Nov 4 13:04 ssl/
$ ls -l ssl/
lrwxrwxrwx 1 root root 15 Nov 4 13:04 cacerts -> ../../ssl/certs/
drwxr-xr-x 1 root root 0 May 17 2017 certs/
$ ls -l /etc/
drwxr-xr-x 1 root root 146 Dec 15 02:29 ssl/
$ ls -l /etc/ssl/
lrwxrwxrwx 1 root root 28 Nov 4 12:49 certs -> /var/lib/ca-certificates/pem/
$ ls -l /
drwxr-xr-x 1 root root 234 Nov 4 13:04 var/
$ ls -l /var/
drwxr-xr-x 1 root root 1090 Jan 9 10:40 lib/
$ ls -l /var/lib/
drwxr-xr-x 1 root root 70 Nov 13 03:05 ca-certificates/
$ ls -l /var/lib/ca-certificates/
dr-xr-xr-x 1 root root 17324 Nov 13 03:05 pem/
Any real directories are not group/other writable. Only the links have the writable attributes.
Are the links what triggers the warning message?
Maybe...
What are the permissions of the directory /etc/postfix/ssl/ ? Note that
if any directory above the symlink or the real directory is
group-writable (or less likely and worse: world-writable) then it is
conceivable that a non-root member of the group could engineer a
replacement for the target directory.
OTOH, it is possible that Postfix is seeing the 777 permissions of the
symlink itself and griping about that. You can solve that with 'chmod
go-w /etc/postfix/./ssl/cacerts'
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
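
The check described in the reply above, as an added example that is not part of either message: it walks every directory and symlink on the way to a path and flags any real component that is group- or other-writable. The function names and the scratch-directory copy of the layout are constructed for illustration; it assumes Linux, where a symlink's own mode bits are not used for access checks.

```python
import os
import stat
import tempfile

def audit_chain(path, max_hops=40):
    """Resolve path one component at a time, following symlinks, and return
    (component, kind, mode, group_or_other_writable) for each one visited."""
    todo = [c for c in os.path.join(os.getcwd(), path).split(os.sep)
            if c not in ("", ".")][::-1]            # stack: next component last
    cur, hops, findings = os.sep, 0, []
    while todo:
        comp = todo.pop()
        if comp == "..":
            cur = os.path.dirname(cur)               # cur is always a resolved real dir
            continue
        nxt = os.path.join(cur, comp)
        st = os.lstat(nxt)                           # lstat: inspect the link itself
        if stat.S_ISLNK(st.st_mode):
            hops += 1
            if hops > max_hops:
                raise OSError("too many symlink hops: " + path)
            # Linux ignores a symlink's own mode bits: list it, never flag it.
            entry = (nxt, "symlink", stat.filemode(st.st_mode), False)
            target = os.readlink(nxt)
            if os.path.isabs(target):
                cur = os.sep
            todo.extend(c for c in target.split(os.sep)[::-1] if c not in ("", "."))
        else:
            loose = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            entry = (nxt, kind, stat.filemode(st.st_mode), loose)
            cur = nxt
        if entry not in findings:
            findings.append(entry)
    return findings

def build_demo_tree(root):
    """Constructed copy of the layout in the post, created under root."""
    for d in ("etc/postfix/ssl", "etc/ssl", "var/lib/ca-certificates/pem"):
        os.makedirs(os.path.join(root, d))
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)                     # explicit, independent of umask
    os.symlink("../../ssl/certs/", os.path.join(root, "etc/postfix/ssl/cacerts"))
    os.symlink(os.path.join(root, "var/lib/ca-certificates/pem/"),
               os.path.join(root, "etc/ssl/certs"))
    return os.path.join(root, "etc/postfix/./ssl/cacerts")

if __name__ == "__main__":
    for comp, kind, mode, loose in audit_chain(build_demo_tree(tempfile.mkdtemp())):
        print(mode, "WRITABLE" if loose else "ok", kind, comp)
```

On a real host the same function can be pointed at `/etc/postfix/./ssl/cacerts`; sticky world-writable directories such as `/tmp` are flagged like any other writable directory.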