Re: alias_maps delivery rights?

2016-03-02 Thread Jack Bates

On 26/02/16 08:57 AM, Viktor Dukhovni wrote:
> On Fri, Feb 26, 2016 at 08:16:43AM -0800, Jack Bates wrote:
>
>> Hmmm ... That is what's happening, but why's there no user context?
>> I expected the first case ("the rights of the receiving user on whose
>> behalf the delivery is made") vs. the second ("the absence of a user
>> context").
>
> Entries in /etc/aliases that happen to have the same name as a user
> in /etc/passwd are not presumed to have the privileges of that user
> account.  For the latter, you need a ".forward" file belonging to
> the user.
>
> Local aliases(5) are processed before user accounts are looked up,
> and in many deployments after alias expansion local mail is delivered
> via a "mailbox_transport", and no user accounts are involved at all.

Gotcha. Switching from /etc/aliases to a .forward file is working for 
me. In my case it makes no difference that the .forward file is owned by 
the user because the user doesn't have shell access to the server.
If it were an issue, I'm sure there's a more complicated way to keep the 
user from editing the configuration.

Thanks!


Re: alias_maps delivery rights?

2016-02-26 Thread Wietse Venema
Jack Bates:
> On 25/02/16 08:20 AM, Ralf Hildebrandt wrote:
> > * Ralf Hildebrandt :
> >> * Jack Bates :
> >>> LOCAL(8) DELIVERY RIGHTS says: "Deliveries to external files and
> >>> external commands are made with the rights of the receiving user on
> >>> whose behalf the delivery is made."
> >>>
> >>> So I put "nottheoilrig: /mnt/nottheoilrig/" in /etc/aliases (alias_maps)
> >>> thinking mail for user nottheoilrig would be delivered to
> >>> /mnt/nottheoilrig/ as UID nottheoilrig.
> >>
> >> Who is the owner of /etc/aliases* ?
> >
> >   In the absence of a user context, the local(8) daemon uses the owner
> >   rights of the :include: file or alias database.  When those files are
> >   owned by the superuser, delivery is made with the rights specified
> >   with the default_privs configuration parameter.
> >
> > That's probably what you're seeing.
> > Make a sep. alias file, make it owned by nottheoilrig and it should
> > work.
> 
> Hmmm ... That is what's happening, but why's there no user context?

When delivering mail to file, the delivery is made on behalf of the
user who controls the decision to deliver to that file, i.e., the
owner of the aliases file.

If Postfix used the privileges of the file owner instead, then
anyone who is allowed to write to a (non-root) aliases file would be
able to append mail to /etc/passwd.

Wietse


Re: alias_maps delivery rights?

2016-02-26 Thread Viktor Dukhovni
On Fri, Feb 26, 2016 at 08:16:43AM -0800, Jack Bates wrote:

> Hmmm ... That is what's happening, but why's there no user context?
> I expected the first case ("the rights  of the receiving user on whose
> behalf the delivery is made") vs. the second ("the absence of a user
> context").

Entries in /etc/aliases that happen to have the same name as a user
in /etc/passwd are not presumed to have the privileges of that user
account.  For the latter, you need a ".forward" file belonging to
the user.

Local aliases(5) are processed before user accounts are looked up,
and in many deployments after alias expansion local mail is delivered
via a "mailbox_transport", and no user accounts are involved at all.

-- 
Viktor.


Re: alias_maps delivery rights?

2016-02-26 Thread Jack Bates

On 25/02/16 08:20 AM, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt :
>> * Jack Bates :
>>> LOCAL(8) DELIVERY RIGHTS says: "Deliveries to external files and
>>> external commands are made with the rights of the receiving user on
>>> whose behalf the delivery is made."
>>>
>>> So I put "nottheoilrig: /mnt/nottheoilrig/" in /etc/aliases (alias_maps)
>>> thinking mail for user nottheoilrig would be delivered to
>>> /mnt/nottheoilrig/ as UID nottheoilrig.
>>
>> Who is the owner of /etc/aliases* ?
>
>   In the absence of a user context, the local(8) daemon uses the owner
>   rights of the :include: file or alias database.  When those files are
>   owned by the superuser, delivery is made with the rights specified
>   with the default_privs configuration parameter.
>
> That's probably what you're seeing.
> Make a sep. alias file, make it owned by nottheoilrig and it should
> work.

Hmmm ... That is what's happening, but why's there no user context?
I expected the first case ("the rights  of the receiving user on whose 
behalf the delivery is made") vs. the second ("the absence of a user 
context").


Re: alias_maps delivery rights?

2016-02-25 Thread Wietse Venema
Ralf Hildebrandt:
>  In the absence of a user context, the local(8) daemon uses the owner
>  rights of the :include: file or alias database.  When those files are
>  owned by the superuser, delivery is made with the rights specified
>  with the default_privs configuration parameter.
> 
> That's probably what you're seeing.
> Make a sep. alias file, make it owned by nottheoilrig and it should
> work.

You need to set the ownership (once) for the aliases source file
AND for the .db output file. After that, postalias/newaliases will
work as follows: if invoked by root, it drops privileges to the
owner of the aliases source file. If invoked by any other user, it
will run as that user.

Wietse
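
As an added example (not part of the thread and not Postfix code), a shell check that applies the two rules stated above: the alias source and its .db output must have the same owner, and a root-owned alias database means deliveries run with default_privs. The function names, the `uid:<n>` output format and the `.db` suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which rights local(8) would use for file/command
# deliveries listed in an alias map, per the rule quoted in this thread.

# Numeric owner UID of a file (ls -n works on both GNU and BSD userlands).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# delivery_rights SOURCE [DEFAULT_PRIVS]
# Prints "uid:<n>" when a non-root owner's rights apply, or the
# default_privs account name when the alias database is root-owned.
# Returns 1 if a file is missing, 2 if source and .db owners differ.
delivery_rights() {
    src=$1
    db=$1.db                      # assumption: hash:/btree: map, output is SOURCE.db
    default_privs=${2:-nobody}    # on a live system: postconf -h default_privs

    [ -e "$src" ] && [ -e "$db" ] || {
        echo "missing: $src or $db" >&2
        return 1
    }

    src_uid=$(owner_uid "$src")
    db_uid=$(owner_uid "$db")

    # Ownership has to be set on the source AND the .db output file.
    if [ "$src_uid" != "$db_uid" ]; then
        echo "owner mismatch: $src=$src_uid $db=$db_uid" >&2
        return 2
    fi

    # Root-owned alias database: no user context, default_privs applies.
    if [ "$db_uid" -eq 0 ]; then
        echo "$default_privs"
    else
        echo "uid:$db_uid"
    fi
}
```

Running `delivery_rights /etc/aliases "$(postconf -h default_privs)"` on a stock root-owned /etc/aliases prints the default_privs account, which matches the UID 65534 (nobody) seen in the original warning.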


Re: alias_maps delivery rights?

2016-02-25 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> * Jack Bates :
> > LOCAL(8) DELIVERY RIGHTS says: "Deliveries to external files and 
> > external commands are made with the rights of the receiving user on 
> > whose behalf the delivery is made."
> > 
> > So I put "nottheoilrig: /mnt/nottheoilrig/" in /etc/aliases (alias_maps) 
> > thinking mail for user nottheoilrig would be delivered to 
> > /mnt/nottheoilrig/ as UID nottheoilrig.
> 
> Who is the owner of /etc/aliases* ?

 In the absence of a user context, the local(8) daemon uses the owner
 rights of the :include: file or alias database.  When those files are
 owned by the superuser, delivery is made with the rights specified
 with the default_privs configuration parameter.

That's probably what you're seeing.
Make a sep. alias file, make it owned by nottheoilrig and it should
work.

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


Re: alias_maps delivery rights?

2016-02-25 Thread Ralf Hildebrandt
* Jack Bates :
> LOCAL(8) DELIVERY RIGHTS says: "Deliveries to external files and 
> external commands are made with the rights of the receiving user on 
> whose behalf the delivery is made."
> 
> So I put "nottheoilrig: /mnt/nottheoilrig/" in /etc/aliases (alias_maps) 
> thinking mail for user nottheoilrig would be delivered to 
> /mnt/nottheoilrig/ as UID nottheoilrig.

Who is the owner of /etc/aliases* ?



alias_maps delivery rights?

2016-02-25 Thread Jack Bates
LOCAL(8) DELIVERY RIGHTS says: "Deliveries to external files and 
external commands are made with the rights of the receiving user on 
whose behalf the delivery is made."


So I put "nottheoilrig: /mnt/nottheoilrig/" in /etc/aliases (alias_maps) 
thinking mail for user nottheoilrig would be delivered to 
/mnt/nottheoilrig/ as UID nottheoilrig.


In fact it's being delivered to /mnt/nottheoilrig/ as UID nobody (65534):

> warning: maildir access problem for UID/GID=65534/65534: create
> maildir file /mnt/nottheoilrig/tmp/1456342242.P27921.ip-10-0-0-214:
> Permission denied

What am I missing? Thanks!