On Tue, Sep 28, 2021 at 08:42:11PM -0400, Jason Pyeron wrote:

> Right - which is why I am asking about using 0666 vs 0600? This is not
> restrictive.
>
> In v3.6.2:
> postfix/src/util/unix_listen.c:96: if (fchmod(sock, 0666) < 0)
> postfix/src/util/unix_listen.c:99: if (chmod(addr, 0666) < 0)
>
> Which OS does postfix not work on if it is restricted to 0600 or 0660 ?

It's best to not go OCD over the socket permissions, they are correct as
they stand. Some of the setgid commands like postqueue(1) and postdrop(1)
rely on group "x" access to the "public" directory to then have access to
the relevant sockets:

    drwx--x--- 2 postfix postdrop 8 Sep 27 13:25 /var/spool/postfix/public

    # ls -l /var/spool/postfix/public
    total 6
    srw-rw-rw- 1 postfix maildrop 0 Sep 27 13:25 cleanup
    srw-rw-rw- 1 postfix maildrop 0 Sep 27 13:25 flush
    srw-rw-rw- 1 postfix maildrop 0 Sep 27 13:25 pickup
    srw-rw-rw- 1 postfix maildrop 0 Sep 27 13:25 postlog
    srw-rw-rw- 1 postfix maildrop 0 Sep 27 13:25 qmgr
    srw-rw-rw- 1 postfix maildrop 0 Sep 27 13:25 showq

With 0600, users other than "root" or "postfix" can't run "mailq", or
notify the pickup(8) service that there's a new message in the "maildrop"
directory.

Postfix has been running correctly since ~1997 with the socket permissions
as you see them, best to spend time chasing something more useful.

-- 
    Viktor.
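
The arrangement described in the reply above (a 0666 socket behind a 0710 directory), as an added example that is not part of the original message or of Postfix. It builds a constructed temporary layout mirroring the listing and evaluates the classic owner/group/other mode bits for a simulated non-owner uid; it assumes Linux semantics (search permission on each directory, write permission on the socket to connect) and ignores ACLs and capabilities.

```python
import os, shutil, socket, stat, tempfile

def class_bits(st, uid, gids):
    """rwx triplet the kernel applies: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_connect(base, parts, uid, gids):
    """Search (x) on each directory under base, then write (w) on the socket."""
    if uid == 0:
        return True                              # root bypasses mode bits
    path = base
    for name in parts[:-1]:
        path = os.path.join(path, name)
        if not class_bits(os.stat(path), uid, gids) & 1:
            return False
    st = os.stat(os.path.join(path, parts[-1]))
    return stat.S_ISSOCK(st.st_mode) and bool(class_bits(st, uid, gids) & 2)

def demo():
    """Constructed layout: <tmp>/public (0710) holding a socket named showq."""
    base = tempfile.mkdtemp()
    try:
        public = os.path.join(base, "public")
        os.mkdir(public)
        os.chmod(public, 0o710)                  # drwx--x--- as in the listing
        sock_path = os.path.join(public, "showq")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        st = os.stat(public)
        other_uid = st.st_uid + 1                # hypothetical non-owner user
        member, outsider = {st.st_gid}, {st.st_gid + 1}
        out = {}
        for mode in (0o666, 0o600):              # current mode vs. proposed mode
            os.chmod(sock_path, mode)
            out[mode] = (can_connect(base, ["public", "showq"], other_uid, member),
                         can_connect(base, ["public", "showq"], other_uid, outsider))
        srv.close()
        return out
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for mode, (member, outsider) in demo().items():
        print(f"socket {mode:04o}: group member={member} outsider={outsider}")
```

The simulated user outside the directory's group is refused at the directory under either socket mode, while the group member loses access only when the socket is tightened to 0600.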