> -----Original Message-----
> From: Viktor Dukhovni
> Sent: Tuesday, September 28, 2021 10:16 PM
> 
> On Tue, Sep 28, 2021 at 08:42:11PM -0400, Jason Pyeron wrote:
> 
> > Right - which is why I am asking about using 0666 vs 0600? This is not 
> > restrictive.
> >
> > In v3.6.2:
> > postfix/src/util/unix_listen.c:96:    if (fchmod(sock, 0666) < 0)
> > postfix/src/util/unix_listen.c:99:    if (chmod(addr, 0666) < 0)
> >
> > Which OS does postfix not work on if it is restricted to 0600 or 0660 ?
> 
> It's best to not go OCD over the socket permissions, they are correct as
> they stand.  Some of the setgid commands like postqueue(1) and
> postdrop(1) rely on group "x" access to the "public" directory to then
> have access to the relevant sockets:
> 
>     drwx--x---  2 postfix  postdrop  8 Sep 27 13:25 /var/spool/postfix/public
> 
>     # ls -l /var/spool/postfix/public
>     total 6
>     srw-rw-rw-  1 postfix  maildrop  0 Sep 27 13:25 cleanup
>     srw-rw-rw-  1 postfix  maildrop  0 Sep 27 13:25 flush
>     srw-rw-rw-  1 postfix  maildrop  0 Sep 27 13:25 pickup
>     srw-rw-rw-  1 postfix  maildrop  0 Sep 27 13:25 postlog
>     srw-rw-rw-  1 postfix  maildrop  0 Sep 27 13:25 qmgr
>     srw-rw-rw-  1 postfix  maildrop  0 Sep 27 13:25 showq
> 
> With 0600, users other than "root" or "postfix" can't run "mailq",
> or notify the pickup(8) service that there's a new message in the
> "maildrop" directory.
> 

That makes sense.

The patch I inherited for my system changed it to 0600 - along with other 
related chown actions. I will look into reverting the patch based on the above.

v/r,

Jason Pyeron
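To make the reasoning above concrete, here is an added Python model (not part of this thread and not Postfix code) of the kernel's owner/group/other permission rule, applied to the directory and socket listing quoted above; the user "alice" and the group "users" are constructed for the illustration.

```python
# Minimal Unix discretionary-access check modelled on the kernel's rule:
# owner bits if the caller is the owner, else group bits if the file's group
# is in the caller's group set, else "other" bits.  Root's override is not
# modelled.  Owners, groups and modes come from the ls(1) output in the thread.

def _class_bits(mode, owner, group, user, groups):
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def allowed(mode, owner, group, user, groups, want):
    """want is a subset of 'rwx'; every requested bit must be granted."""
    bits = _class_bits(mode, owner, group, user, groups)
    need = {"r": 4, "w": 2, "x": 1}
    return all(bits & need[c] for c in want)

# /var/spool/postfix/public is drwx--x--- postfix:postdrop, i.e. 0710.
PUBLIC_DIR = dict(mode=0o710, owner="postfix", group="postdrop")

def can_use_socket(socket_mode, user, groups):
    """Reaching a socket needs search (x) on public/ and rw on the socket."""
    if not allowed(PUBLIC_DIR["mode"], PUBLIC_DIR["owner"],
                   PUBLIC_DIR["group"], user, groups, "x"):
        return "denied: no search permission on public/"
    # Sockets in the listing are owned by postfix, group maildrop.
    if not allowed(socket_mode, "postfix", "maildrop", user, groups, "rw"):
        return "denied: cannot open socket"
    return "ok"

# An unprivileged user running the setgid-postdrop postqueue(1)/mailq: the uid
# stays the user's, but the effective group set gains "postdrop" (constructed).
ALICE_VIA_POSTQUEUE = ("alice", {"users", "postdrop"})
# The same user touching the socket without the setgid helper.
ALICE_PLAIN = ("alice", {"users"})

if __name__ == "__main__":
    for label, mode in (("0666", 0o666), ("0660", 0o660), ("0600", 0o600)):
        print(label, "via postqueue:", can_use_socket(mode, *ALICE_VIA_POSTQUEUE),
              "| direct:", can_use_socket(mode, *ALICE_PLAIN))
```

With the stock 0666 sockets the directory's 0710 mode is what keeps ordinary users out, while the setgid helper still gets through; with 0600 or 0660 the helper is refused at the socket.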
