David Roe via Postfix-users:
> I was doing some work with postfix logrotation as part of a recent
> project and ran across what seems to be unintended behavior.
>
> When running postfix logrotate the maillog_file is created with
> 600 permissions which was tripping up a log tail system of ours.
> I'm working on the log tailer, but looking through the source it
> appears the maillog_file is intended to have 0644 permissions
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/logwriter.c#L85

The (safe_)open call specifies permissions of 0644, but this is
modified by the postlogd process umask setting (077 as inherited
from the master daemon), so the effective permissions are 0600.

Sorry, this is the result of an inconsistency.

- When the logfile is first created with "postfix start" or "postfix
  reload" it has mode 0644 because the postlog command runs with
  umask 022. This logfile mode 0644 is only the initial state.

- Every time the logfile is rotated, it is recreated with mode 0600
  because the postlogd daemon runs with umask 077. This logfile
  mode 0600 is the long-term state.

I'm reluctant to change the "long-term state" permissions, because
sites may have come to rely on the files not being world-readable.
In other words, hard-coding the postlogd daemon's umask as 022 is
not a good fix.

I'll fix this first in Postfix 3.9. Back-port to older versions may
not be feasible if the solution requires too much change.

> I've got ways around this situation, but this seemed like unintended
> behavior so figured I'd bring it up

Thanks for spotting this.

	Wietse
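
The two states described in the reply above can be reproduced outside Postfix. The following is an added example, not code from the thread or from Postfix: it creates a file with a requested mode of 0644 under umask 022, renames it away as a rotation would, and recreates it under umask 077. The function names and the temporary directory are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create path with the requested mode while the given umask is in effect.
 * Returns the resulting permission bits, or -1 on error. */
static int create_mode(const char *path, mode_t mask, mode_t requested)
{
    struct stat st;
    mode_t prev = umask(mask);              /* mask applied by the kernel at open() */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY | O_APPEND, requested);
    umask(prev);                            /* restore the caller's umask */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Initial creation (umask 022), rotation (rename), recreation (umask 077). */
static int demo(int *initial, int *rotated)
{
    char dir[] = "/tmp/maillog-demo-XXXXXX"; /* hypothetical scratch directory */
    char log[64], old[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(log, sizeof log, "%s/maillog", dir);
    snprintf(old, sizeof old, "%s/maillog.old", dir);
    *initial = create_mode(log, 022, 0644);  /* as the postlog command would */
    if (rename(log, old) < 0) return -1;     /* the rotation step */
    *rotated = create_mode(log, 077, 0644);  /* as the postlogd daemon would */
    unlink(log); unlink(old); rmdir(dir);
    return (*initial < 0 || *rotated < 0) ? -1 : 0;
}

int main(void)
{
    int a, b;
    if (demo(&a, &b) != 0) { perror("demo"); return 1; }
    printf("created with umask 022:   %04o\n", a);
    printf("recreated with umask 077: %04o\n", b);
    return 0;
}
```

A log tailer or monitoring check that depends on reading the file should be tested against the recreated mode, since that is the one the file keeps after the first rotation.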