> On Mar 24, 2019, at 8:17 PM, Simon Deziel <si...@sdeziel.info> wrote:
>
> I was not clear because my issue is indeed with those accesses before
> privs get dropped. I noticed that tlsproxy accesses tlsmgr's socket
> while still running as root so it depends on its CAP_DAC_READ_SEARCH
> capability. My workaround to not need that cap was to change the perms
> to be like:
>
> $ ls -ld /var/spool/postfix/private/
> drwx--x--- 2 postfix root 4096 Mar 24 16:54 /var/spool/postfix/private/
>
> And with that group search bit on, the tlsproxy process no longer
> depends on the CAP_DAC_READ_SEARCH cap to get to tlsmgr's socket.
>
> In other words, this group search bit allows one to _not_ depend on the
> CAP_DAC_READ_SEARCH capability, which sounded like an improvement to me. That's what
> I wanted to validate with the mailing list.
Sorry, that breaks the Postfix internal access control model in unsupported
ways. Root needs to be able to read the directory with its standard
permissions.
--
Viktor.
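A small model of the Linux DAC directory-search check the thread argues about, added here as an illustration and not part of either message. The numeric uids and the 0700 postfix-owned "before" layout of /var/spool/postfix/private are assumptions; the "after" layout is the one Simon's `ls -ld` shows.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model: who may traverse ("search") a directory under plain DAC,
# and when CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE step in. Linux uses the
# process fsuid/fsgid; here uid/gids stand in for those.

@dataclass(frozen=True)
class Dir:
    mode: int   # permission bits only, e.g. 0o700
    uid: int
    gid: int

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset
    caps: frozenset = frozenset()

def dac_search_allowed(d: Dir, p: Proc) -> bool:
    """Plain DAC: owner class if uid matches, else group class if the dir's
    gid is in the process's groups, else 'other'. Only one class is consulted."""
    if p.uid == d.uid:
        bits = (d.mode >> 6) & 0o7
    elif d.gid in p.gids:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return bool(bits & 0o1)   # the x bit on a directory is "search"

def search_allowed(d: Dir, p: Proc) -> tuple[bool, str]:
    """(allowed, reason): 'dac' if the mode bits grant it, 'capability' if only
    a capability does, otherwise 'denied'."""
    if dac_search_allowed(d, p):
        return True, "dac"
    if p.caps & {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"}:
        return True, "capability"
    return False, "denied"

POSTFIX_UID, ROOT_UID = 100, 0   # constructed ids
ROOT = Proc(uid=ROOT_UID, gids=frozenset({0}))
ROOT_WITH_CAP = Proc(uid=ROOT_UID, gids=frozenset({0}), caps=frozenset({"CAP_DAC_READ_SEARCH"}))
POSTFIX = Proc(uid=POSTFIX_UID, gids=frozenset({POSTFIX_UID}))

# Assumed "before": drwx------ postfix postfix  -> root traverses only via the cap
PRIVATE_BEFORE = Dir(mode=0o700, uid=POSTFIX_UID, gid=POSTFIX_UID)
# Simon's "after": drwx--x--- postfix root      -> root traverses via group bits
PRIVATE_AFTER = Dir(mode=0o710, uid=POSTFIX_UID, gid=ROOT_UID)

if __name__ == "__main__":
    for name, d in (("before", PRIVATE_BEFORE), ("after", PRIVATE_AFTER)):
        for who, p in (("root", ROOT), ("root+cap", ROOT_WITH_CAP), ("postfix", POSTFIX)):
            print(name, who, search_allowed(d, p))
```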