On Thu, Jan 27, 2022 at 02:18:23PM -0500, Brian J. Murrell wrote:

> I have a Postfix postfix-3.5.8 installation on EL8 which I just
> recently upgraded from 2.10.1 on EL7.
>
> The installation is configured to authenticate with GSSAPI and
> accordingly has:
>
> import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab

It is unfortunate that Postfix does not support "+=" main.cf settings
that augment the default value of a given parameter. In the case of
"import_environment" you really need to retain most of the default
imports:

    import_environment =
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
        POSTLOG_SERVICE POSTLOG_HOSTNAME
        # These are optional
        XAUTHORITY DISPLAY

> But now on postfix-3.5.8, smtpd seems to be ignoring the
> "KRB5_KTNAME=/etc/postfix/smtp.keytab" environment setting and is
> trying to use the default /etc/krb5.keytab as is reported by strace'ing
> the smtpd process:

Perhaps your Kerberos (GSSAPI via SASL?) library is ignoring environment
variables in processes that change uids (smtpd starts as root and then
drops privs). Of course that makes sense for a setuid process, but not
so much for a process that starts as root... The Fedora 31
secure_getenv(3) manpage says:

    The GNU-specific secure_getenv() function is just like getenv()
    except that it returns NULL in cases where "secure execution" is
    required. Secure execution is required if one of the following
    conditions was true when the program run by the calling process
    was loaded:

    * the process's effective user ID did not match its real user ID
      or the process's effective group ID did not match its real
      group ID (typically this is the result of executing a
      set-user-ID or set-group-ID program);

    * the effective capability bit was set on the executable file; or

    * the process has a nonempty permitted capability set.

    Secure execution may also be required if triggered by some Linux
    security modules.

which should not break smtpd(8), but perhaps something changed in later
versions?

> Any ideas why this would have been working on 2.10.1 but is now not
> working on 3.5.8?

You'll need to try a test program that starts as root, then changes uid
to (e.g.) "postfix", and see whether "secure_getenv()" reports the
expected environment variables.

The most likely reasons for changes are in Cyrus SASL, not Postfix,
which does not directly do anything with Kerberos.

-- 
    Viktor.
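The root-then-setuid probe suggested above, written out as an added example (not from this thread, Postfix, or Cyrus SASL): it compares getenv() with secure_getenv() for KRB5_KTNAME before and after switching to an assumed unprivileged account (default "postfix"), so a mismatch after the uid change points at "secure execution" hiding the variable from the library. The self_test() helper uses a constructed variable name and value.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
extern char *secure_getenv(const char *name); /* glibc; repeated in case _GNU_SOURCE was seen too late */

/* 1: secure_getenv() reports NAME with the same value as getenv();
 * 0: getenv() sees NAME but secure_getenv() hides it ("secure execution");
 * -1: NAME is not set at all. */
int env_visibility(const char *name)
{
    const char *plain = getenv(name);
    if (plain == NULL)
        return -1;
    const char *secure = secure_getenv(name);
    return (secure != NULL && strcmp(plain, secure) == 0) ? 1 : 0;
}

/* Drop from root to USER the way smtpd does after a privileged start.
 * Returns 0 on success, -1 on failure (unknown user, not root). */
int drop_privs(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Self-check with a constructed variable name and value. */
int self_test(void)
{
    if (setenv("EXAMPLE_KTNAME_VAR", "/constructed/smtp.keytab", 1) != 0)
        return -1;
    return env_visibility("EXAMPLE_KTNAME_VAR");
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "postfix";  /* assumed account name */
    printf("before: uid=%d visible=%d\n", (int)getuid(), env_visibility("KRB5_KTNAME"));
    if (geteuid() != 0 || drop_privs(user) != 0) {
        fprintf(stderr, "not root, or cannot switch to %s; run as root\n", user);
        return 1;
    }
    printf("after:  uid=%d visible=%d\n", (int)getuid(), env_visibility("KRB5_KTNAME"));
    return 0;
}
```

Build with cc and run it as root with KRB5_KTNAME exported; if "visible" drops from 1 to 0 after the uid change, the libc considers the process to be in secure-execution mode and any library using secure_getenv() will fall back to the default keytab.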