Hello Victor,

Am Tue, 19 Jul 2011 11:37:56 -0400
Victor Duchovni <victor.ducho...@morganstanley.com> schrieb:
> On Tue, Jul 19, 2011 at 05:02:34PM +0200, Lars Täuber wrote:
> 
> > The unix socket can't be used by other users than root or postfix.
> > Is there a way to configure ownership and/or permissions for the socket?
> 
> No, the parent directory: $queue_directory/private, must be protected
> from users other than "postfix" (or "root").
> 
> > I thought under Linux the filesystem permissions reflect the permissions
> > to the unix socket.
> 
> The entire path to the unix socket, including parent directories.
> 
> $ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
> drwx------  2 postfix root     4096 Jun  7 17:59 /var/spool/postfix/private/
> drwx--x---  2 postfix postdrop 4096 Jun  7 17:59 /var/spool/postfix/public/
> 
> > Am I doing something wrong?
> 
> To run an smtpd in a less restricted directory, you need to place the
> socket in a new location. You can create
> 
>       /var/spool/postfix/world
> 
> owner postfix, mode 0755, and in master.cf use:
> 
>       ../world/sname  unix ...
> 
> instead of 
> 
>       sname   unix ...

thanks for this hint.

I tried your approach but have connection problems.

This is what I did:
$ ls -ld /var/spool/postfix/dspam/
drwx-ws--T 2 postfix dspam 4096 2011-07-20 11:27 /var/spool/postfix/dspam/

$ ls -l /var/spool/postfix/dspam/
total 0
srw-rw-rw- 1 postfix dspam 0 2011-07-20 11:26 backdoor
srwxrwxrwx 1 dspam   dspam 0 2011-07-20 11:27 filter

master.cf:
../dspam/backdoor
          unix  n       -       n       -       3       smtpd
[...]

Now it is possible to talk to the dspam filter:
# sudo -u postfix /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/dspam/filter
220 DSPAM LMTP 3.6.8 Ready
quit
221 2.0.0 OK


But I don't get any answer from the postfix backdoor:
# sudo -u dspam /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/dspam/backdoor 
sdfdsds
s
^C

Any more things to consider?

> with this any user will be able to access the socket. Of course at that
> point, why not just use "inet" instead with a loopback address?

I try to avoid using AF_INET sockets because of the CPU and traffic overhead.

Lars
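Victor's point above is that the kernel checks every directory on the way to a unix socket, not just the socket file. The following script is an added example (not code from this thread or from Postfix) that models that check: it applies the POSIX owner/group/other rule for search (x) permission to each parent directory and for write permission to the socket itself, which is what connect() on an AF_UNIX socket needs according to unix(7). The directory and socket modes come from the two listings in the thread; the numeric uids/gids, the socket name "smtp" under private/, and the modes of /var, /var/spool and /var/spool/postfix are constructed assumptions.

```python
"""Walk every component of a unix-socket path and report which one denies access.

Added example: emulates the per-component permission check the kernel applies
when a given user connects to a unix socket. Modes are taken from the listings
in this thread; ids and the modes of the upper directories are constructed.
"""
import os
import posixpath
import stat
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Entry:
    mode: int   # full st_mode, file-type bits included
    uid: int
    gid: int


def can_access(entry: Entry, want: int, uid: int, gids: Set[int]) -> bool:
    """Return True if uid (a member of gids) holds every bit in `want` on entry."""
    perm = stat.S_IMODE(entry.mode)
    if uid == 0:
        # root: read/write always; search/execute needs a directory or any x bit
        return bool(not (want & X) or stat.S_ISDIR(entry.mode) or perm & 0o111)
    if uid == entry.uid:
        bits = (perm >> 6) & 7      # owner class
    elif entry.gid in gids:
        bits = (perm >> 3) & 7      # group class
    else:
        bits = perm & 7             # other class
    return bits & want == want


def check_socket_path(path: str, fs: Dict[str, Entry], uid: int,
                      gids: Set[int]) -> List[Tuple[str, str]]:
    """List (path, reason) for every component that blocks connect() as uid.

    An empty list means the socket is reachable for that user.
    """
    problems: List[Tuple[str, str]] = []
    # collect "/" ... parent, top-down, so the first failing directory is reported first
    dirs = []
    cur = posixpath.dirname(path)
    while True:
        dirs.append(cur)
        if cur == "/":
            break
        cur = posixpath.dirname(cur)
    for d in reversed(dirs):
        e = fs.get(d)
        if e is None:
            problems.append((d, "missing"))
        elif not stat.S_ISDIR(e.mode):
            problems.append((d, "not a directory"))
        elif not can_access(e, X, uid, gids):
            problems.append((d, "no search (x) permission"))
    e = fs.get(path)
    if e is None:
        problems.append((path, "missing"))
    elif not stat.S_ISSOCK(e.mode):
        problems.append((path, "not a socket"))
    elif not can_access(e, W, uid, gids):
        problems.append((path, "no write permission (connect() needs it, see unix(7))"))
    return problems


def snapshot(path: str) -> Dict[str, Entry]:
    """Build the same table from a live system with lstat (not used below)."""
    fs: Dict[str, Entry] = {}
    cur = path
    while True:
        st = os.lstat(cur)
        fs[cur] = Entry(st.st_mode, st.st_uid, st.st_gid)
        if cur == "/":
            break
        cur = posixpath.dirname(cur)
    return fs


# constructed ids; real values depend on the system
ROOT, POSTFIX, POSTDROP, DSPAM = 0, 101, 102, 103

SAMPLE_FS = {
    "/": Entry(stat.S_IFDIR | 0o755, ROOT, ROOT),                   # assumed
    "/var": Entry(stat.S_IFDIR | 0o755, ROOT, ROOT),                # assumed
    "/var/spool": Entry(stat.S_IFDIR | 0o755, ROOT, ROOT),          # assumed
    "/var/spool/postfix": Entry(stat.S_IFDIR | 0o755, ROOT, ROOT),  # assumed
    # drwx------ postfix root   (Victor's listing)
    "/var/spool/postfix/private": Entry(stat.S_IFDIR | 0o700, POSTFIX, ROOT),
    # a socket inside private/, name and mode constructed
    "/var/spool/postfix/private/smtp": Entry(stat.S_IFSOCK | 0o666, POSTFIX, POSTFIX),
    # drwx-ws--T postfix dspam  (Lars's listing): group gets w+x, setgid, sticky
    "/var/spool/postfix/dspam": Entry(stat.S_IFDIR | 0o3730, POSTFIX, DSPAM),
    # srw-rw-rw- postfix dspam
    "/var/spool/postfix/dspam/backdoor": Entry(stat.S_IFSOCK | 0o666, POSTFIX, DSPAM),
    # srwxrwxrwx dspam dspam
    "/var/spool/postfix/dspam/filter": Entry(stat.S_IFSOCK | 0o777, DSPAM, DSPAM),
}

if __name__ == "__main__":
    for who, uid, gids in (("dspam", DSPAM, {DSPAM}), ("postfix", POSTFIX, {POSTFIX})):
        for sock in ("/var/spool/postfix/dspam/backdoor",
                     "/var/spool/postfix/private/smtp"):
            print(who, sock, check_socket_path(sock, SAMPLE_FS, uid, gids) or "reachable")
```

Run against the constructed table, the socket under private/ is blocked at /var/spool/postfix/private for user dspam, while dspam/backdoor passes every component, so under these assumptions the listed modes are not what stops the connection. snapshot() builds the same table from a real box with lstat so the check can be repeated on the actual paths.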
