Hello,

Running Postfix 3.3.1 under Linux, postfix-script produces pointless
warnings if/when there are symbolic links in or below $config_directory.

1. I installed (CA root) certificates in a subdir of /etc/postfix and
rehash with "openssl rehash <subdir>". This will of course create a
symlink to each certificate.

But to reproduce, any symlink in (a subdir of) /etc/postfix will do.

Now restart Postfix, since you can't run "postfix-script check-warn"
directly.

For each symlink, a warning is written in the log, like this:

postfix/postfix-script[23592]: warning: group or other writable:
/etc/postfix/./tls/CAcerts/02265526.0

This should not happen, as the permissions of symbolic links are
irrelevant on Linux. They are never used; it is those of the pointed-to
file that count.

See "man 1 chmod" or - if you have it installed - "man 7 symlink".

Of course, these "bogus" warnings do not really hurt, but they do
clutter the logs and thereby obscure the real thing.

The following (very) simple patch to postfix-script 3.3.1 takes care of
them:

====================
@@ -302,7 +302,7 @@
        find $todo ! -user root \
            -exec $WARN not owned by root: {} \;

-       find $todo \( -perm -020 -o -perm -002 \) \
+       find -L $todo \( -perm -020 -o -perm -002 \) \
            -exec $WARN group or other writable: {} \;

        # Check Postfix mail_owner-owned directory tree owner/permissions.
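Review bot: putting -L on only this find makes the two checks disagree: the "find $todo ! -user root" two lines above still reports the symlink inode's own owner, while this one now reports the target's mode bits, and "find -L" additionally descends into any directory a symlink points at, so a link somewhere under $config_directory to a tree elsewhere on the system would be walked and its files reported as if they were part of the config directory. If the aim is only to stop reporting the 0777 mode of the link inodes, "find $todo ! -type l \( -perm -020 -o -perm -002 \)" does that without changing which directories are walked; if -L is kept, apply it to the ownership find as well so both checks look at the same object. Either way, a dangling link is still reported by "find -L", because GNU find then falls back to the link's own properties, which is worth a comment next to the command.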
====================

I suppose the -L parameter could be added to the other occurrences of
"find", but I didn't bother with that.



2. As an aside, it would be cool if those warnings could give the real
name of the offending file. That is, instead of:

     /etc/postfix/./tls/CAcerts/....

it really should be:

     /etc/postfix/tls/CAcerts/....

But that is a cosmetic issue only.

NB: my copy of "find" is from an older findutils 4.5.11 package, current
seems to be 4.6.0.



3. What is maybe more important is that there were no such
warnings about the symlinks in the chroot jail.

Yet I did copy all the certificates from that CAcerts dir over into its
jail counterpart, and rehashed there as well. So I would have expected
the same bogus warnings about the symlinks in there.

However, the postfix-script doesn't seem to check (all) the subdirs of
the $queue_directory for owner- and permission-related issues. It just
looks at /var/spool/postfix/pid.

Maybe it should check the others as well? Or at least
"/var/spool/postfix/etc/postfix" ?

Luc

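The behaviour described in the mail, as an added example that is not part of the original message and not code from postfix-script: the POSIX shell script below builds a throwaway directory tree with the kinds of symlinks "openssl rehash" creates (plus one link to a genuinely other-writable file and one dangling link), then runs the same "-perm -020 -o -perm -002" predicate postfix-script uses in three variants: the stock find, the proposed "find -L", and a "! -type l" variant that ignores symlink inodes. All file names, the hash-style link names and the temporary directory are constructed for the demo; the expected counts assume Linux (where every symlink inode has mode 0777) and GNU find.

```shell
#!/bin/sh
# Added example: compare how find's permission predicate treats symlinks,
# using the same predicate as postfix-script's "group or other writable" check.
# The whole tree under $cfg is constructed here; nothing is a real Postfix file.
set -eu

# Build a throwaway "config directory" containing:
#   ca.pem      0644 regular file, with a rehash-style symlink to it
#   loose.pem   0666 regular file (really other-writable), also linked
#   dangling.0  symlink whose target does not exist
# On Linux every symlink inode has mode 0777, which is what trips the check.
make_tree() {
    cfg=$(mktemp -d)
    mkdir -p "$cfg/tls/CAcerts"
    chmod 0755 "$cfg/tls" "$cfg/tls/CAcerts"
    : > "$cfg/tls/CAcerts/ca.pem";    chmod 0644 "$cfg/tls/CAcerts/ca.pem"
    : > "$cfg/tls/CAcerts/loose.pem"; chmod 0666 "$cfg/tls/CAcerts/loose.pem"
    ln -s ca.pem              "$cfg/tls/CAcerts/02265526.0"  # what "openssl rehash" makes
    ln -s loose.pem           "$cfg/tls/CAcerts/deadbeef.0"  # hash name is made up
    ln -s /nonexistent/ca.pem "$cfg/tls/CAcerts/dangling.0"  # broken link
    printf '%s\n' "$cfg"
}

# Print the paths that postfix-script's writable-check predicate flags.
#   plain     - the stock command: lstat() semantics, the link's own mode is tested
#   follow    - the proposed "find -L": the target's mode, or the link's own if dangling
#   skiplinks - alternative: ignore symlink inodes, test everything else as before
writable_paths() {
    mode=$1; dir=$2
    case $mode in
        plain)     find "$dir" \( -perm -020 -o -perm -002 \) ;;
        follow)    find -L "$dir" \( -perm -020 -o -perm -002 \) ;;
        skiplinks) find "$dir" ! -type l \( -perm -020 -o -perm -002 \) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Number of flagged paths as a bare integer (wc pads with spaces on some systems).
count_writable() {
    writable_paths "$1" "$2" | wc -l | tr -d ' '
}

# Side-by-side view of the three variants on the constructed tree.
demo() {
    cfg=$(make_tree)
    for m in plain follow skiplinks; do
        printf '%s: %s hit(s)\n' "$m" "$(count_writable "$m" "$cfg")"
        writable_paths "$m" "$cfg" | sed 's/^/    /'
    done
    rm -rf "$cfg"
}

demo
```

On Linux the stock predicate flags all three links plus loose.pem; "find -L" drops the link to the 0644 file but keeps the link to loose.pem (target is 0666) and still reports dangling.0, because GNU find falls back to the link's own properties when it cannot follow it; "! -type l" reports only loose.pem. Note that "-L" also makes find descend into any directory a symlink points at, so it changes which files are walked, not just how link inodes are scored.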