On Sat, Dec 21, 2024 at 08:35:29PM +0300, Michael Tokarev via Postfix-users
wrote:
> 21.12.2024 20:15, Michael Tokarev via Postfix-users wrote:
>
> > plus a few other workarounds for lack of cap-dac-override.
>
> It looks like it's hardly possible to get away from cap_dac_override,
> because it is relied on in a number of other places. Currently postfix
> happily opens non-root-owned maps before chroot_uid() - and these maps
> can reside in protected non-root-owned dirs. That will break with no
> cap_dac_override obviously.
This is quite deliberate (a design feature), pipe aliases in non-root
owned aliases databases run with the priviliges of the alias file owner.
I suggest you take a break from high-volume extemporising, and come
back with narrow, carefully thought out issues or questions tackled
one at a time to a conclusion, with some breaks in between.
I am sceptical that the current process is getting anywhere.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
