Hi,

> > I'm working on a front-end to modify our main.cf and other config
> > files, such as the transport and relay_recips file
>
> Hmm... A front-end? Should we assume this is a web UI frontend?
> Because although most of us use $EDITOR for those files the official
> frontend is "postconf" for it. If you have to ask then you should
> definitely use postconf to edit those files.

Yes, it's a web front-end, using apache and php-fpm.

> Should we assume that you are writing a web UI. The web UI is running
> as the www-data user. It's written in Wordpress or another popular
> PHP framework. This framework itself is likely one that has deep
> security vulnerabilities posted every other week. You would like to
> make the files owned by www-data so that the web UI can edit those
> files directly. But Postfix then is warning about the situation. Is
> this what we should assume?

It's written using laravel and PHP.

> Note that just because a process does not run as a root privilege
> process does not mean that it is more secure than one that does.
> Security is composed of the entire system of layers all working
> together. Pulling a very small piece of something out of context and
> focusing on it with the microscope loses the context of the
> environment in which it exists.

Yes, understood.

> > Perhaps passwordless sudo with the explicit ability to act on these
> > files and reload/restart postfix?
>
> Quoting Zathros, "Cannot say. Saying, I would know. Do not know, so
> cannot say." It all depends upon your use of sudo. One can't say it
> won't be secure. The devil is in the details.

I figured that if main.cf was owned by root and group writable, the
regular user would be able to edit it, then use sudo to reload/restart
when necessary.

Apache is running as user "apache" while the php-fpm user is
"developer". The developer account is not in the same group as the
apache user.

This is the age-old problem with having a web-based application.
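An added example, not from this thread, of the constrained-sudo approach discussed above: a root-owned wrapper script, granted through a hypothetical sudoers rule, lets the php-fpm user "developer" change only an allow-listed set of parameters via postconf and then reload Postfix. The script path, the allow-list and the value character set are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/postfix-set-param (added example).
# Install it root-owned, mode 0755, and grant only this script via a
# sudoers fragment such as /etc/sudoers.d/postfix-webui (constructed):
#   developer ALL=(root) NOPASSWD: /usr/local/sbin/postfix-set-param
# Granting "postconf -e" itself would let the caller set any parameter,
# so the allow-list lives here, in a file the web user cannot modify.
ALLOWED_PARAMS="relay_domains mynetworks message_size_limit"   # assumption
POSTCONF="${POSTCONF:-/usr/sbin/postconf}"
POSTFIX="${POSTFIX:-/usr/sbin/postfix}"

# valid_param NAME: succeed only when NAME is in the allow-list.
valid_param() {
  case " $ALLOWED_PARAMS " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# valid_value VALUE: succeed only for a conservative character set
# (letters, digits, _ . , / : space tab and hyphen), which rejects shell
# metacharacters, quotes, '$' and newlines before they reach main.cf.
valid_value() {
  case "$1" in
    *[!A-Za-z0-9_.,/:[:blank:]-]*) return 1 ;;
  esac
  return 0
}

# set_param NAME VALUE: validate both arguments, write the parameter
# with postconf -e, then reload Postfix so the change takes effect.
set_param() {
  valid_param "$1" || { echo "refused parameter: $1" >&2; return 2; }
  valid_value "$2" || { echo "refused value for $1" >&2; return 3; }
  "$POSTCONF" -e "$1=$2" || return 4
  "$POSTFIX" reload
}

# Command-line entry point: postfix-set-param NAME VALUE
if [ "$#" -eq 2 ]; then
  set_param "$1" "$2"
fi
```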