On 17.08.2016 at 07:25, Jeremy Volkening <[email protected]> wrote:
>>>
>>> As an update to this - it works if I set "mail_auth" as the <primary> group
>>> of the opensmtpd user (rather than a secondary group). Not sure if this is
>>> a feature or a bug but I'll file something over on the github project page.
>>> In any case I consider this an acceptable fix to allow opensmtpd and
>>> dovecot to share the file.
>> Was dovecot able to use the file without g=r for you? It doesn't for me?
>
> My conclusions on this issue:
>
> It seems on Linux that a process started as a user by another user (as done
> by opensmtpd and dovecot to drop permissions to a non-privileged user)
> inherits by default only that user's primary group. Secondary groups (e.g. as
> defined in /etc/groups) are not inherited unless explicitly done so (see "man
> initgroups"). This isn't something I've dealt with before and didn't really
> understand.
>
> The short of it is that to share the passwd file, either:
>
> 1. The file must be world-readable (not so good)
>
> 2. The opensmtpd and dovecot daemon users must share a primary group, or
>
> 3. The daemons must call initgroups() or something similar after dropping
> privileges.

4. The daemon reads the file before it drops privileges? Though would miss updates later...
5. ... I'm sure there are further solutions to this.

Can you please open a bug report on github for this? Thanks!

> I've decided on option #2 as a current solution.
>
> Jeremy
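Option 3 from the thread, as an added example that is not code from opensmtpd or dovecot: a privilege drop that loads the target user's secondary groups with initgroups() before changing gid and uid, plus an audit helper that reports groups the group database grants but the running process does not hold. The function names `count_missing`, `drop_privileges` and `groups_missing_for` are hypothetical, and Linux with glibc is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes initgroups() and getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Count gids in wanted[] that are neither egid nor present in held[]. */
int count_missing(const gid_t *wanted, int nw, const gid_t *held, int nh, gid_t egid)
{
    int missing = 0;
    for (int i = 0; i < nw; i++) {
        int found = (wanted[i] == egid);
        for (int j = 0; j < nh && !found; j++)
            found = (held[j] == wanted[i]);
        missing += !found;
    }
    return missing;
}

/* Drop from root to `user`: secondary groups first, then gid, and uid last,
 * because after setuid() the process can no longer change its groups. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Audit: groups the database grants `user` that this process lacks (-1 on error). */
int groups_missing_for(const char *user)
{
    gid_t wanted[64], held[64];
    int nw = 64;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || getgrouplist(user, pw->pw_gid, wanted, &nw) < 0)
        return -1;
    int nh = getgroups(64, held);
    return nh < 0 ? -1 : count_missing(wanted, nw, held, nh, getegid());
}

int main(int argc, char **argv)
{
    printf("groups missing: %d\n", groups_missing_for(argc > 1 ? argv[1] : "root"));
    return 0;
}
```

A non-zero result from `groups_missing_for()` inside a daemon that has already dropped privileges corresponds to the situation described in the thread: the user's secondary group exists in the group database but is not among the process credentials.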
