On 2019-03-25 1:32 a.m., Viktor Dukhovni wrote:
>> On Mar 24, 2019, at 8:17 PM, Simon Deziel wrote:
>>
>> I was not clear because my issue is indeed with those accesses before
>> privs get dropped. I noticed that tlsproxy accesses tlsmgr's socket
>> while still running as root so it depends on its
Bastian Blank:
> On Mon, Mar 25, 2019 at 01:32:28AM -0400, Viktor Dukhovni wrote:
> > Sorry, that breaks the Postfix internal access control model in unsupported
> > ways. Root needs to be able to read the directory with its standard
> > permissions.
>
> How exactly does "root" get permissions to
On Mon, Mar 25, 2019 at 01:32:28AM -0400, Viktor Dukhovni wrote:
> Sorry, that breaks the Postfix internal access control model in unsupported
> ways. Root needs to be able to read the directory with its standard
> permissions.
How exactly does "root" get permissions to read the directory? It's
> On Mar 24, 2019, at 8:17 PM, Simon Deziel wrote:
>
> I was not clear because my issue is indeed with those accesses before
> privs get dropped. I noticed that tlsproxy accesses tlsmgr's socket
> while still running as root so it depends on its CAP_DAC_READ_SEARCH
> capability. My workaround
On 2019-03-24 5:46 p.m., Wietse Venema wrote:
> Simon Deziel:
>> I can think of 2 ways to workaround this. One is to tell Apparmor to
>> grant the tlsproxy process the needed capability and the other is to
>> have the $queue_directory/private directory perms set to 0710 with the
>> same owner/group
On 2019-03-24 6:02 p.m., Viktor Dukhovni wrote:
>> On Mar 24, 2019, at 4:33 PM, Simon Deziel wrote:
>>
>> I am running postfix (3.3.0-1ubuntu0.2) confined by Apparmor and I
>> noticed the tlsproxy process is apparently trying to connect to tlsmgr's
>> Unix socket while still running as root.
>
>
> On Mar 24, 2019, at 4:33 PM, Simon Deziel wrote:
>
> I am running postfix (3.3.0-1ubuntu0.2) confined by Apparmor and I
> noticed the tlsproxy process is apparently trying to connect to tlsmgr's
> Unix socket while still running as root.
The premise is false. On all the systems I've used, the
Simon Deziel:
> I can think of 2 ways to workaround this. One is to tell Apparmor to
> grant the tlsproxy process the needed capability and the other is to
> have the $queue_directory/private directory perms set to 0710 with the
> same owner/group.
Sorry, changes to Postfix permissions are not sup
Hello,
I am running postfix (3.3.0-1ubuntu0.2) confined by Apparmor and I
noticed the tlsproxy process is apparently trying to connect to tlsmgr's
Unix socket while still running as root.
Since tlsmgr's socket is stored under $queue_directory/private that has
perms set to 0700 and owned by postfi
