On Tue, Nov 30, 2010 at 07:39:39PM -0600, Dan wrote:
> virtual_gid_maps = mysql:$config_directory/mysql_gids.cf
> virtual_minimum_uid = 2002
> virtual_uid_maps = mysql:$config_directory/mysql_uids.cf
>
> Mysql relevant table entries:
>
> email domain maildir
> [email protected] test2.com test2.com/test2/Maildir/
>
> uid gid
> 2003 2001

And in /etc/group, what is group 2001?

> Now let's chmod 777 /website/vuser so that it can create directories under
> UID/GID=2003/2001 as it wants but in fact see that gid never is 2001.
> Gid 2001 under my system is vuser:
> sunsaturn:~# grep 2001 /etc/group
> vuser:*:2001:

Prove this by posting the output of:

    # tmp=$(mktemp /tmp/test.XXXXXX)
    # chown 2003:2001 "$tmp"
    # ls -l "$tmp"
    # rm "$tmp"

> sunsaturn:~# chmod 777 /website/vuser; cd /website/vuser

Never use world-writable directories in this context.

> Nov 30 19:28:03 sunsaturn postfix/virtual[23237]: DC276119C60:
> to=<[email protected]>, relay=virtual, delay=0.01, delays=0.01/0/0/0,
> dsn=2.0.0, status=sent (delivered to maildir)
> Nov 30 19:29:03 sunsaturn postfix/virtual[23237]: 3EA8C119C56:
> to=<[email protected]>, relay=virtual, delay=372, delays=372/0/0/0,
> dsn=2.0.0, status=sent (delivered to maildir)
> -rw------- 1 2003 postfix 347 Nov 30 19:28
> test2.com/test2/Maildir/new/1291166883.V59Ib97008M906598.sunsaturn.com
> -rw------- 1 2003 postfix 347 Nov 30 19:29
> test2.com/test2/Maildir/new/1291166943.V59Ib97001M911353.sunsaturn.com

Well Postfix asks the operating system nicely by setting its effective
uid and gid. If the operating system does not cooperate, you need to
find out why.

src/virtual/mailbox.c:deliver_mailbox():

    /* Look up the mailbox owner rights. Defer in case of trouble. */
    uid_res = mail_addr_find(virtual_uid_maps, state.msg_attr.user,
                             IGNORE_EXTENSION);
    if (uid_res == 0) { /* error handling */ }
    if ((n = atol(uid_res)) < var_virt_minimum_uid) { /* error handling */ }
    usr_attr.uid = (uid_t) n;

    /* Look up the mailbox group rights. Defer in case of trouble. */
    gid_res = mail_addr_find(virtual_gid_maps, state.msg_attr.user,
                             IGNORE_EXTENSION);
    if (gid_res == 0) { /* error handling */ }
    if ((n = atol(gid_res)) <= 0) { /* error handling */ }
    usr_attr.gid = (gid_t) n;

    if (msg_verbose)
        msg_info("%s[%d]: set user_attr: %s, uid = %u, gid = %u",
                 myname, state.level, usr_attr.mailbox,
                 (unsigned) usr_attr.uid, (unsigned) usr_attr.gid);

You can configure "virtual -v" in master.cf to see the uid/gid logged.

    /* Deliver to mailbox or to maildir. */
    #define LAST_CHAR(s) (s[strlen(s) - 1])

    if (LAST_CHAR(usr_attr.mailbox) == '/')
        *statusp = deliver_maildir(state, usr_attr);
    else
        *statusp = deliver_mailbox_file(state, usr_attr);

src/virtual/mailbox.c:deliver_maildir():

    set_eugid(usr_attr.uid, usr_attr.gid);
    /* Creates files, writes data, ... */
    set_eugid(var_owner_uid, var_owner_gid);

--
Viktor.
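
Added example, not part of the original message and not Postfix code: a small C probe for the "find out why" step, which switches the effective gid and uid (plain setegid()/seteuid() standing in for Postfix's set_eugid(), an assumption) and reports whether a newly created file took its group from the process or from its parent directory, as happens with BSD group semantics or a set-group-ID directory. The names gidprobe, classify and probe_dir are hypothetical.

```c
/* Added diagnostic, not Postfix code: whose group does a new file get? */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum origin { FROM_EGID, FROM_DIR, UNEXPLAINED };

/* A new file's group is the creator's egid or the parent directory's gid. */
enum origin classify(gid_t file_gid, gid_t egid, gid_t dir_gid)
{
    if (file_gid == egid)
        return FROM_EGID;
    return file_gid == dir_gid ? FROM_DIR : UNEXPLAINED;
}

/* Create and remove a probe file in dir; return its origin, -1 on error. */
int probe_dir(const char *dir)
{
    char path[4096];
    struct stat d, f;
    int fd, ok;
    snprintf(path, sizeof(path), "%s/gidprobe.XXXXXX", dir);
    if (stat(dir, &d) < 0 || (fd = mkstemp(path)) < 0)
        return -1;
    ok = fstat(fd, &f) == 0;
    close(fd);
    unlink(path);
    if (!ok)
        return -1;
    printf("dir gid=%u mode=%04o  egid=%u  new file gid=%u\n",
           (unsigned) d.st_gid, (unsigned) (d.st_mode & 07777),
           (unsigned) getegid(), (unsigned) f.st_gid);
    return classify(f.st_gid, getegid(), d.st_gid);
}

/* Run as root: gidprobe DIR UID GID (e.g. the maildir's new/ directory). */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s dir uid gid\n", argv[0]);
        return 2;
    }
    /* Stand-in for set_eugid(): group first, while still privileged. */
    if (setegid((gid_t) atol(argv[3])) < 0 || seteuid((uid_t) atol(argv[2])) < 0) {
        perror("setegid/seteuid");
        return 1;
    }
    return probe_dir(argv[1]) == FROM_EGID ? 0 : 1;
}
```

Exit status 0 means the probe file got the requested gid; otherwise the printed line shows the directory's gid and mode bits to compare against.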