-rw-r--r-- 1 root root 318 2011-04-22 15:04 /etc/postfix/dynamicmaps.cf
by default. Which programs are using it and when? Before dropping
privileges? After? Does /usr/sbin/sendmail use it?
Yeah, I know. It's a patch.
Just asking if 644 is the ultima ratio or if (under special
circumstances) something like mode 640, user root, group postfix might
work as well.
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hil...@charite.de | http://www.charite.de
/etc/postfix and everything under it must be owned by root and not
writable by anyone else.
dynamicmaps.cf is from Lamont Jones's Debian feature that allows
support for LDAP, *SQL etc. to be added without recompiling Postfix.
However, not all the world is Debian.
As for run-time privileges, Postfix daemons open tables before
dropping privileges.
Postfix commands such as postmap open tables with the privileges
of the user itself (if invoked by root, postmap may decide that
root privileges are too powerful, for example, when a table is
owned by a non-root user).
> Just asking if 644 is the ultima ratio or if (under special
> circumstances) something like mode 640, user root, group postfix might
> work as well.
This file contains no secrets, unless you have put some secret
in the comments.
Wietse
> This file contains no secrets, unless you have put some secret
> in the comments.
I was also wondering why somebody would want to somehow hide the
contents.
Every postfix program that deals with maps/dictionaries uses
this file. Since all dicts are open as root, it's used before
dropping privileges.
> Yeah, I know. It's a patch.
>
> Just asking if 644 is the ultima ratio or if (under special
> circumstances) something like mode 640, user root, group postfix might
> work as well.
And immediately after that, postfix-start will complain about
wrong permissions of a file in /etc/postfix/.
No, dynamicmaps.cf is very like main.cf or master.cf files.
What special circumstances are you talking about?
Thanks,
/mjt
> > This file contains no secrets, unless you have put some secret
> > in the comments.
>
> I was also wondering why somebody would want to somehow hide the
> contents.
Unlikely, since postdrop/postqueue don't run as root, and potentially
use tables, I would expect these to break if the list of dynamically
loadable tables is not world-readable.
--
Viktor.
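The checks discussed in this thread, as an added example that is not part of any poster's message and is not Postfix's own code: it walks a configuration directory and reports anything not owned by the expected uid or writable by group or other, and flags dynamicmaps.cf when it is not world-readable, as it would be with the proposed mode 640. The function names, the `owner_uid` parameter and the temporary sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def audit_config_tree(config_dir="/etc/postfix", owner_uid=0,
                      world_readable=("dynamicmaps.cf",)):
    """Return sorted (path, problem) pairs for config_dir and everything under it."""
    paths = [config_dir]
    for root, dirs, files in os.walk(config_dir):
        paths.extend(os.path.join(root, name) for name in dirs + files)

    findings = []
    for path in paths:
        st = os.lstat(path)  # do not follow symlinks out of the tree
        if st.st_uid != owner_uid:
            findings.append((path, "not owned by uid %d" % owner_uid))
        if stat.S_ISLNK(st.st_mode):
            continue  # permission bits on a symlink itself carry no meaning
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or other"))
        if (os.path.basename(path) in world_readable
                and not st.st_mode & stat.S_IROTH):
            findings.append((path, "not world-readable"))
    return sorted(findings)


def build_sample_tree(modes):
    """Create a constructed config tree {filename: mode} in a temp dir; return its path."""
    tree = tempfile.mkdtemp(prefix="postfix-audit-")
    for name, mode in modes.items():
        path = os.path.join(tree, name)
        with open(path, "w") as handle:
            handle.write("# constructed sample file\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    return tree


if __name__ == "__main__":
    # Constructed sample: mode 640 on dynamicmaps.cf, group-writable master.cf.
    sample = build_sample_tree({"main.cf": 0o644, "master.cf": 0o664,
                                "dynamicmaps.cf": 0o640})
    for path, problem in audit_config_tree(sample, owner_uid=os.getuid()):
        print("%s: %s" % (path, problem))
```

On a real system, call `audit_config_tree()` with its defaults to check /etc/postfix against root ownership.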