postfix permission check reads link mode rather than its target

postfix-6

In main.cf I have

smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.pem

The permissions on these files are 400 (probably far more restrictive than necessary). Since a cron script generates these files monthly, I use a symlink to a subdir to avoid cluttering /etc/postfix:

# ls -l dh*
lrwxrwxrwx 1 root root   20 Mar  5 20:14 dh1536.pem -> dh/dh1536.pem.201703
lrwxrwxrwx 1 root root   13 Mar  5 21:21 dh4096.pem -> dh/dh4096.pem

dh:
total 24
drwxr-x--- 2 root root 4096 Mar  5 20:15 .
drwxr-xr-x 4 root root 4096 Mar  5 21:21 ..
-r-------- 1 root root  335 Mar  5 20:13 dh1536.pem.201703
-r-------- 1 root root  335 Mar  5 20:14 dh1536.pem.201704
-r-------- 1 root root  769 Mar  1 22:20 dh4096.pem.201703
-r-------- 1 root root  769 Mar  3 17:24 dh4096.pem.201704

and yet

# postfix check
postfix/postfix-script: warning: group or other writable: /usr/local/etc/postfix/./dh1536.pem
postfix/postfix-script: warning: group or other writable: /usr/local/etc/postfix/./dh4096.pem

so it appears that postfix is reading the symlink mode rather than the mode of its target (i.e. it is doing lstat instead of stat).

-Earl

Re: postfix permission check reads link mode rather than its target

Wietse Venema
Earl Killian:

> In main.cf I have
>
> smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.pem
>
> The permissions on these files are 400 (probably far more restrictive
> than necessary). Since a cron script generates these files monthly, I
> use a symlink to a subdir to avoid cluttering /etc/postfix:
>
> # ls -l dh*
> lrwxrwxrwx 1 root root   20 Mar  5 20:14 dh1536.pem -> dh/dh1536.pem.201703
> lrwxrwxrwx 1 root root   13 Mar  5 21:21 dh4096.pem -> dh/dh4096.pem

Symlinks are not supported, because they usually point out
of the (secure) postfix config directory to some random place.

Why not use hard links, or use rsync to replace files?

(do not ask me to add bash-specific syntax or new dependencies to
the postfix-script file).

        Wietse
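
As an added example that is not part of either message, the following shell script reproduces the lstat-versus-stat difference the first post infers and shows why a hard link, the alternative suggested in the reply, does not trigger the same warning. It assumes GNU stat(1) for the -c and -L options and constructs its own placeholder files in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the postfix thread: compare checking a symlink's
# own mode (lstat semantics) with checking its target's mode (stat semantics),
# and show that a hard link carries the target's mode. Requires GNU stat(1);
# every path below is constructed under a temporary directory.
set -eu

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/dh"

# Constructed stand-in for the generated parameter file, mode 400 like the poster's.
printf 'constructed placeholder, not real DH parameters\n' > "$demo_dir/dh/dh4096.pem.201704"
chmod 400 "$demo_dir/dh/dh4096.pem.201704"
ln -s dh/dh4096.pem.201704 "$demo_dir/dh4096.pem"               # symlink into the subdir
ln "$demo_dir/dh/dh4096.pem.201704" "$demo_dir/dh4096-hard.pem"  # hard link alternative

link_mode()   { stat -c '%a' "$1"; }     # mode of the path itself (lstat: 777 for a symlink)
target_mode() { stat -L -c '%a' "$1"; }  # mode of what the path resolves to (stat)

# Succeed when the octal mode string has the write bit set for group or other.
go_writable() {
    case $(printf '%s' "$1" | tail -c 2) in   # last two digits: group, other
        [2367]?|?[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print what a config-directory permission check would say under each semantics.
report() {  # $1 = label, $2 = mode, $3 = path
    if go_writable "$2"; then
        echo "$1: warning: group or other writable: $3 (mode $2)"
    else
        echo "$1: ok: $3 (mode $2)"
    fi
}

for f in "$demo_dir/dh4096.pem" "$demo_dir/dh4096-hard.pem"; do
    report "lstat" "$(link_mode "$f")" "$f"
    report "stat " "$(target_mode "$f")" "$f"
done
```

The symlink is flagged only under lstat semantics (its own mode is 777 while the target is 400); the hard link reports 400 either way.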