svinther:
> I'm using local to invoke a piped command with an alias like:
>
> http_forward: "|/usr/local/bin/..."
>
> from inside that bash script I try to log with systemd-cat but this results
> in "Failed to create stream fd: Permission denied"

As documented, commands in root-owned aliases files are executed
with the privileges of the $default_privs user (normally, that is
the nobody user). It can't be root and it can't be postfix.

DELIVERY RIGHTS
       Deliveries to external files and external commands are made with
       the rights of the receiving user on whose behalf the delivery is
       made. In the absence of a user context, the local(8) daemon uses
       the owner rights of the :include: file or alias database. When
       those files are owned by the superuser, delivery is made with the
       rights specified with the default_privs configuration parameter.

If you want to execute this with different privileges, create an
account with a .forward file and place the command in that file.

> I have tried to use postlog instead, but it just don't emit anything to
> journal

As documented, postlog uses the syslog API by default. Just like
the rest of Postfix, it is blissfully unaware of the blessings from
system-effing-d.

> invoking postlog from the shell works fine, e.g. "sudo runuser -u nobody --
> /usr/sbin/postlog -t sometag <<< somemsg"
>
> What's going on here?

Generally, Postfix is not the place to learn about UNIX permission
models. That is considered a prerequisite.

	Wietse
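
Added example (not part of the message above and not Postfix code): a shell function that applies the quoted DELIVERY RIGHTS rule to report which account a "|command" destination will run as. The function names and the DEFAULT_PRIVS override variable are hypothetical; postconf -h default_privs is the real Postfix query, and "nobody" is assumed as the fallback when postconf is not installed.

```shell
#!/bin/sh
# Added example: which account does local(8) use for a "|command" delivery?
# Follows the DELIVERY RIGHTS text quoted in the reply above.

# default_privs_user: print the configured default_privs account.
# DEFAULT_PRIVS (hypothetical override) wins; else ask postconf; else "nobody".
default_privs_user() {
    if [ -n "${DEFAULT_PRIVS:-}" ]; then
        echo "$DEFAULT_PRIVS"
    elif command -v postconf >/dev/null 2>&1; then
        postconf -h default_privs
    else
        echo nobody    # assumption: the stock Postfix default
    fi
}

# delivery_user CONTEXT FILE
#   CONTEXT: login name when the command sits in that user's .forward file;
#            empty string for an alias database or :include: file.
#   FILE:    the file that names the "|command" destination.
delivery_user() {
    ctx=$1
    file=$2
    if [ -n "$ctx" ]; then
        # User context exists: rights of the receiving user.
        echo "$ctx"
        return 0
    fi
    # No user context: look at the owner of the file (GNU stat, then BSD stat).
    uid=$(stat -c %u "$file" 2>/dev/null || stat -f %u "$file") || return 1
    if [ "$uid" -eq 0 ]; then
        # Superuser-owned file: default_privs applies, never root.
        default_privs_user
    else
        # Otherwise the command runs with the file owner's rights.
        stat -c %U "$file" 2>/dev/null || stat -f %Su "$file"
    fi
}

# Stand-alone use: sh thisfile FILE [CONTEXT]
if [ "$#" -ge 1 ]; then
    delivery_user "${2:-}" "$1"
fi
```

Comparing the printed account with the one that owns or may write to the logging socket shows why the same command can work from an interactive shell and fail under local(8).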