Re: [Mimedefang] defang running as postfix user

2011-12-02 Thread Philip Prindeville
On 12/1/11 7:16 PM, Philip Prindeville wrote:
> On 12/1/09 3:20 PM, Matt Garretson wrote:
>> Aniruddha Barua wrote:
>>> Normally, "mimedefang" is run as user "defang", "postfix" is run as 
>>> "postfix" and "clamav" is
>>> run as user "defang" because it is "mimedefang" that calls "clamav". There 
>>> may be other ways too.
>>
>>
>> On my systems I just add the clamav user into the defang 
>> group, and then chmod g+rx /var/spool/MIMEDefang .
>>
>> (Note that you'll have to do the above chmod every time
>> you install/upgrade MIMEdefang, as the Makefile resets
>> the permissions on the spool dir.)
> 
> Sorry, couldn't figure out if there was a conclusive answer to this thread.
> 
> I tried to add 'postfix' into the 'defang' group, but that doesn't seem to be 
> adequate.
> 
> What else needs to be done?
> 
> And I noticed that on Fedora and Centos, the socket itself is 750... not 
> 640...  Execute permission on a socket?
> 
> Does the socket need to be 660?
> 
> -Philip


Well, with the directory as 750, and the socket as 660, with postfix in the 
defang group, I could not get this to work:

Dec  1 20:26:05 localhost postfix/smtpd[7743]: warning: connect to Milter 
service unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied

What's the officially blessed way to make this work on a standard Linux distro 
like CentOS or Fedora?

-Philip
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
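
Added example, not part of any poster's message and not MIMEDefang or Postfix code: a POSIX shell check that walks the path to a Unix socket and names the first mode-bit blocker for a given uid and group set, taking those credentials from the running process in /proc rather than from /etc/group. The function names are hypothetical, and it assumes Linux with GNU `stat -c`; ACLs and SELinux policy are not evaluated.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Assumes Linux: GNU
# `stat -c` and /proc. Only classic owner/group/other mode bits are evaluated;
# ACLs and SELinux policy are not.

# proc_creds PID -> "EUID:EGID GID ..." as held by the *running* process,
# which can differ from what /etc/group says for that account.
proc_creds() {
    awk '/^Uid:/ {u=$3} /^Gid:/ {g=$3} /^Groups:/ {$1=""; s=$0}
         END {print u ":" g s}' "/proc/$1/status"
}

# has_bit PATH UID "GID ..." BIT -> 0 if the one class that applies grants BIT
# (1 = search/execute, 2 = write). Owner class wins over group, group over other.
has_bit() (
    uid=$2 gids=$3 bit=$4
    set -- $(stat -c '%u %g %a' -- "$1" 2>/dev/null)
    [ $# -eq 3 ] || exit 2                      # path missing or unreadable
    mode="000$3"; mode=${mode#"${mode%???}"}    # last three octal digits
    if [ "$uid" = "$1" ]; then digit=${mode%??}
    else case " $gids " in
        *" $2 "*) digit=${mode#?}; digit=${digit%?} ;;
        *)        digit=${mode#??} ;;
    esac; fi
    [ $(( digit & bit )) -ne 0 ]
)

# search_ok DIR UID GIDS -> every directory from / down to DIR must grant x.
search_ok() (
    case $1 in /|.) ;; *) search_ok "$(dirname -- "$1")" "$2" "$3" || exit 1 ;; esac
    has_bit "$1" "$2" "$3" 1 || { echo "no search (x) permission on $1"; exit 1; }
)

# explain_connect SOCKET UID GIDS -> names the first blocker, or reports success.
# connect() on a Unix socket needs x on each parent directory and w on the socket.
explain_connect() (
    search_ok "$(dirname -- "$1")" "$2" "$3" || exit 1
    has_bit "$1" "$2" "$3" 2 || { echo "no write (w) permission on $1"; exit 1; }
    echo "mode bits allow connect"
)

# Usage, with the PID of a running smtpd and the socket path from the log line:
#   c=$(proc_creds "$pid")
#   explain_connect /var/spool/MIMEDefang/mimedefang.sock "${c%%:*}" "${c#*:}"
```
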


Re: [Mimedefang] defang running as postfix user

2011-12-01 Thread Philip Prindeville
On 12/1/09 3:20 PM, Matt Garretson wrote:
> Aniruddha Barua wrote:
>> Normally, "mimedefang" is run as user "defang", "postfix" is run as 
>> "postfix" and "clamav" is
>> run as user "defang" because it is "mimedefang" that calls "clamav". There 
>> may be other ways too.
> 
> 
> On my systems I just add the clamav user into the defang 
> group, and then chmod g+rx /var/spool/MIMEDefang .
> 
> (Note that you'll have to do the above chmod every time
> you install/upgrade MIMEdefang, as the Makefile resets
> the permissions on the spool dir.)

Sorry, couldn't figure out if there was a conclusive answer to this thread.

I tried to add 'postfix' into the 'defang' group, but that doesn't seem to be 
adequate.

What else needs to be done?

And I noticed that on Fedora and Centos, the socket itself is 750... not 640...
Execute permission on a socket?

Does the socket need to be 660?

-Philip



Re: [Mimedefang] defang running as postfix user

2009-12-01 Thread Matt Garretson
Aniruddha Barua wrote:
> Normally, "mimedefang" is run as user "defang", "postfix" is run as "postfix" 
> and "clamav" is run as user "defang" because it is "mimedefang" that calls 
> "clamav". There may be other ways too.


On my systems I just add the clamav user into the defang 
group, and then chmod g+rx /var/spool/MIMEDefang .

(Note that you'll have to do the above chmod every time
you install/upgrade MIMEdefang, as the Makefile resets
the permissions on the spool dir.)




Re: [Mimedefang] defang running as postfix user

2009-12-01 Thread ADNET Ghislain



>> hi,
>>
>> I have some little security question regarding mimedefang configuration as I 
>> have issue running clamav and postfix with it because of socket owner's right.
>>
>> Do you know if there is any security risk to run defang as the postfix user?
>> Same question if I run mimedefang as the clamav user?
>
> Normally, "mimedefang" is run as user "defang", "postfix" is run as "postfix" 
> and "clamav" is run as user "defang" because it is "mimedefang" that calls 
> "clamav". There may be other ways too.
> Depends on your requirements and situation.

Yes, the problem is that for a simple setup we need to:

- change the postfix/mimedefang init script to change the owner of the 
  socket
- change the clamav config to use defang user and then change the files 
  to be owned by defang and restart them all.

I wondered if there was not a better solution. Supplementary group seems 
to be completely not working in clamav, all tests done lead to suffering 
and not to filtering, same thing I find no other solution to the postfix 
"do not run as root" issue with mimedefang socket ;)


regards,
Ghislain.




Re: [Mimedefang] defang running as postfix user

2009-12-01 Thread Aniruddha Barua
----- Original Message -----

> From: ADNET Ghislain 
> To: mimedefang@lists.roaringpenguin.com
> Sent: Tue, December 1, 2009 8:17:15 PM
> Subject: [Mimedefang] defang running as postfix user
> 
> hi,
> 
> I have some little security question regarding mimedefang configuration as I 
> have issue running clamav and postfix with it because of socket owner's right.
> 
> Do you know if there is any security risk to run defang as the postfix user?
> Same question if I run mimedefang as the clamav user?

Normally, "mimedefang" is run as user "defang", "postfix" is run as "postfix" 
and "clamav" is run as user "defang" because it is "mimedefang" that calls 
"clamav". There may be other ways too.
Depends on your requirements and situation.

> 
> regards,
> Ghislain.



  


[Mimedefang] defang running as postfix user

2009-12-01 Thread ADNET Ghislain

hi,

I have some little security question regarding mimedefang configuration 
as I have issue running clamav and postfix with it because of socket 
owner's right.

Do you know if there is any security risk to run defang as the 
postfix user?

Same question if I run mimedefang as the clamav user?

regards,
Ghislain.

