On Wed, Oct 28, 2020 at 10:13:23AM -0700, PGNet Dev wrote:

> > For reference, on my system:
> >
> > $ postconf setgid_group
> > setgid_group = maildrop
> > $ ls -ld /var/spool/postfix/maildrop
> > drwx-wx--- 2 postfix maildrop 2 Oct 28 12:52 /var/spool/postfix/maildrop
> > $ ls -l /usr/local/sbin/postdrop
> > -rwxr-sr-x 1 root maildrop 41656 Oct 25 03:44 /usr/local/sbin/postdrop
>
> here (fwiw, this is Fedora32-packaged Postfix et al), minor diff
>
> postconf setgid_group
> !! setgid_group = postdrop

The specific group name is not important. It just has to be the same
group for the executable and the directory.

> ls -ld /var/spool/postfix/maildrop
> drwx-wx--- 2 postfix postdrop 4.0K Oct 28 08:45 /var/spool/postfix/maildrop/
>
> ls -l `which postdrop`
> -rwxr-sr-x 1 root postdrop 25K Aug 31 02:52 /usr/sbin/postdrop*

These look OK.

> as set by a relatively new install -- i.e., _not_ manually by me,
>
> ls -ald / /var /var/spool /var/spool/postfix
>
> dr-xr-xr-x. 22 root root 4.0K Sep 6 10:59 //
> drwxr-xr-x. 21 root root 4.0K Oct 27 20:36 /var/
> drwxr-xr-x 14 root root 4.0K Oct 25 19:05 /var/spool/
> drwxr-xr-x 16 root root 4.0K Aug 31 02:52 /var/spool/postfix/

That "x." suggests some extended POSIX ACLs on / and /var, but they're
likely OK. You can double-check these. Otherwise, you can check that
no kernel settings disable setgid execution.

> so far, on this install, 'everything works' ... except for the
> eventual/random appearance of those^ complaints.

You'll need to figure why the EPERM happens. Postfix is just the
messenger.

--
Viktor.
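
The relationship checked in the reply above (same group on the executable and the directory, set-gid bit on the executable), written as an added example that is not part of the original thread. The function names are hypothetical, GNU `stat -c` and util-linux `findmnt` are assumed, and `nosuid` is one mount option that disables set-gid execution; the post does not name a specific setting.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage on the system from the thread:
#   check_postdrop_perms "$(command -v postdrop)" /var/spool/postfix/maildrop

# check_postdrop_perms EXE DIR
# Returns 0 when EXE is set-gid and group-executable, EXE and DIR are owned
# by the same group, and DIR grants that group write + search.
# Prints every failed check and returns 1 otherwise.
check_postdrop_perms() {
    exe=$1 dir=$2 rc=0
    [ -f "$exe" ] || { echo "not a regular file: $exe"; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }

    # %g = numeric group id, %a = permission bits in octal
    exe_gid=$(stat -c %g "$exe"); exe_mode=$(stat -c %a "$exe")
    dir_gid=$(stat -c %g "$dir"); dir_mode=$(stat -c %a "$dir")

    if [ "$exe_gid" != "$dir_gid" ]; then
        echo "group mismatch: $exe gid=$exe_gid, $dir gid=$dir_gid"; rc=1
    fi
    # 02000 = set-gid bit, 00010 = group execute ("r-s" in ls output)
    if [ $(( 0$exe_mode & 02010 )) -ne $(( 02010 )) ]; then
        echo "$exe (mode $exe_mode) is not set-gid + group-executable"; rc=1
    fi
    # 030 = group write + search, as in "drwx-wx---"
    if [ $(( 0$dir_mode & 030 )) -ne $(( 030 )) ]; then
        echo "$dir (mode $dir_mode) lacks group write + search"; rc=1
    fi
    return $rc
}

# mount_allows_setgid PATH
# Returns 1 if the filesystem holding PATH is mounted nosuid (the kernel then
# ignores set-uid/set-gid bits on exec), 0 if not, 2 if findmnt fails.
mount_allows_setgid() {
    opts=$(findmnt -no OPTIONS -T "$1") || return 2
    case ",$opts," in
        *,nosuid,*) echo "$1 is on a nosuid mount"; return 1 ;;
    esac
    return 0
}
```
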