Re: Extra permissions restrictions with pipe commands?

Fri, 15 Oct 2010 14:21:15 -0700 

On 10/15/2010 06:22 PM, Andy Theuninck wrote:

I'm trying to write a python script that accepts input from pipe. I'm
encountering permission issues that I don't understand.

According to postfix's configuration, pipe commands are run as
nobody:nobody.


The documentation doesn't say this /anywhere/.

pipe(8) executes as the user specified in the "user=" argument.


Logging from my script to /tmp agrees confirms this is the case.


Then you are trying to run it as root. postfix won't allow you to do that.


When my script is called by postfix, I get permission errors when
writing certain file locations. If I run the same script as
nobody:nobody via sudo, those errors do not occur.


That doesn't make any sense.


I am not using chroot for any part of postfix. It seems like some kind
of group restriction is being layered on top. Through experimentation
I've found my script, when called by postfix and running as
nobody:nobody:
1. Can write to locations that are writable by all users.

As expected.

2. Can write to locations that are owner-writable and owned by nobody

As expected.

3. Can write to locations that are group-writable and are set to group nobody.

As expected.

4. Cannot write to locations that are group-writable and set to some
other group - even if the user nobody is part of the relevant group.

As expected.

I don't see anything in pipe's man page indicating this restriction,


I quote:

*user*=/username/:/groupname/
              Execute  the  external command with the user ID and
              group ID of the specified/username/._/*The  software
*/_/*              */_/*  refuses  to  execute commands with root privileges,
*/_/*              */_/*  or with the privileges of the mail system owner.*/_  
If
              /groupname/   is specified, the corresponding group ID
              is used instead of the group ID of/username/.


Emphasis mine.
And just in case you're using local(8) with external command delivery instead: 

*DELIVERY RIGHTS*
       Deliveries  to  external  files  and external commands are
       made with the rights of the receiving user on whose behalf
       the  delivery  is made.
Never, not in any conceivable situation, does postfix execute external commands as nobody:nobody - unless you're trying to execute as root, and default_privs is actually SET to nobody:nobody. 

Again, as expected.

--
J.

Reply via email to