> > Perhaps passwordless sudo with the explicit ability to act on these
> > files and reload/restart postfix? Is it okay to create a backup
> > directory in /etc/postfix that's owned by this script user?
>
> I wonder what changes you need to make so frequently. Whatever they are, stop
> and reconsider. There is no scenario where allowing users to alter your mail
> config could be considered secure.
I still have to consider much of what you've written before I can respond, but I wanted to be sure my design was clear here - it's not so much that end-users are modifying the config in the same way as webmin does, like making changes directly to main.cf, but that they type in the name of a new domain to be added to relay_domains, for example. The script then modifies main.cf to apply that change. I'm certainly not minimizing the risk - that's exactly why I'm posting here, but I'm hoping I can mitigate the most obvious problems and continue to make it more secure.

> ¹ I am not specifically recommending webmin, I do not run it and I would not
> run it as I prefer accessing my server via ssh with a key exchange which can
> only be duplicated if someone gets my private key file off my home machine,
> or if someone can login to the console on-site as me.

That's exactly how I've been doing it for decades now as well (I'm still no expert), but I'm hoping to create something that makes it easier for our local admins and perhaps others in the future.
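The design described above (a user supplies a domain name, a script applies it to relay_domains) stands or falls on what the script accepts. The following is an added example, not code from anyone in this thread: a POSIX sh helper that validates the supplied name against a strict hostname pattern before it ever reaches a config file, takes a backup first, refuses duplicates, and only then edits the relay_domains line. The file path is passed in rather than hard-wired to /etc/postfix/main.cf so it can be exercised on a scratch copy; the function and backup-suffix names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Validates a domain and adds it to the
# relay_domains line of the given main.cf-style file, with a backup.

# Strict hostname check: lowercase labels of letters/digits/hyphen joined by
# dots, ending in an alphabetic TLD. Anything else (spaces, ';', '$', ...) is
# rejected before it can reach sed or the config file.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print the current single-line value of relay_domains (empty if unset).
relay_value() {
    sed -n 's/^relay_domains[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# has_relay_domain FILE DOMAIN: succeeds if DOMAIN is already listed.
has_relay_domain() {
    for d in $(relay_value "$1" | tr ',' ' '); do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# add_relay_domain FILE DOMAIN: validate, back up, then append to the list.
# Returns 1 (and changes nothing) when DOMAIN fails validation.
add_relay_domain() {
    cf="$1"
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # normalise case before checking
    valid_domain "$dom" || { echo "rejected domain name: $2" >&2; return 1; }
    has_relay_domain "$cf" "$dom" && return 0   # already present: no-op, no backup

    # Keep a timestamped copy so a bad edit can be rolled back.
    cp "$cf" "$cf.bak.$(date +%Y%m%d%H%M%S)" || return 1

    if grep -Eq '^relay_domains[[:space:]]*=' "$cf"; then
        # $dom is known to contain only [a-z0-9.-], so it is safe in the
        # replacement side of sed. Write to a temp file, then replace.
        sed "s/^\(relay_domains[[:space:]]*=.*\)$/\1, $dom/" "$cf" > "$cf.tmp" \
            && mv "$cf.tmp" "$cf"
    else
        printf 'relay_domains = %s\n' "$dom" >> "$cf"
    fi
}
```

Usage from a wrapper would be `add_relay_domain /path/to/main.cf "$user_input"` followed by `postfix reload` only when it returns 0. The helper handles a single-line relay_domains setting; on a real server `postconf -e` is the supported way to rewrite a parameter (it copes with continuation lines), and the validation step shown here is what a sudo-permitted wrapper should run before calling it.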