postfix-users October 2010 archive
postfix-users: Extra permissions restrictions with pipe commands

Extra permissions restrictions with pipe commands?

From: Andy Theuninck <gohanman_at_nospam>
Date: Fri Oct 15 2010 - 16:22:34 GMT
To: postfix-users@postfix.org

I'm trying to write a python script that accepts input from pipe. I'm
encountering permission issues that I don't understand.

According to postfix's configuration, pipe commands are run as
nobody:nobody. Logging from my script to /tmp confirms this is
the case.

When my script is called by postfix, I get permission errors when
writing to certain file locations. If I run the same script as
nobody:nobody via sudo, those errors do not occur.

I am not using chroot for any part of postfix. It seems like some kind
of group restriction is being layered on top. Through experimentation
I've found my script, when called by postfix and running as
nobody:nobody:
1. Can write to locations that are writable by all users.
2. Can write to locations that are owner-writable and owned by nobody.
3. Can write to locations that are group-writable and are set to group nobody.
4. Cannot write to locations that are group-writable and set to some
other group - even if the user nobody is part of the relevant group.

I don't see anything in pipe's man page indicating this restriction,
but since the problem occurs only when the script is run via postfix
it seems like the obvious culprit.
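
A diagnostic for the case in item 4, as an added example that is not part of the original post: it compares the group list the running process actually holds (`os.getgroups()`) with the memberships the group database lists for the user, and reports which permission class would grant write access. It assumes plain mode-bit permissions (no ACLs) and a non-root user; the function names and the sample IDs in the comments are hypothetical.

```python
import grp, os, pwd, stat, sys

def write_class(mode, f_uid, f_gid, euid, egid, groups):
    """Which permission class lets a non-root process write, or None.

    The kernel consults exactly one class: owner, else group, else other.
    Group membership means the process's own group list, not /etc/group.
    """
    if euid == f_uid:
        return "owner" if mode & stat.S_IWUSR else None
    if f_gid == egid or f_gid in groups:
        return "group" if mode & stat.S_IWGRP else None
    return "other" if mode & stat.S_IWOTH else None

def missing_groups(user, process_groups, database=None):
    """GIDs the group database lists for user but the process does not hold."""
    if database is None:
        database = [(g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    listed = {gid for gid, members in database if user in members}
    return sorted(listed - set(process_groups))

def report(path):
    """Describe the calling process's credentials against one path."""
    st = os.stat(path)
    euid, egid, groups = os.geteuid(), os.getegid(), os.getgroups()
    try:
        user = pwd.getpwuid(euid).pw_name
    except KeyError:  # UID has no passwd entry
        user = str(euid)
    return {
        "path": path, "euid": euid, "egid": egid, "groups": sorted(groups),
        "write_via": write_class(st.st_mode, st.st_uid, st.st_gid,
                                 euid, egid, groups),
        "listed_but_not_held": missing_groups(user, groups),
    }

if __name__ == "__main__":
    # Run once from the piped script and once from an interactive shell,
    # then compare the two reports for the same paths.
    for p in sys.argv[1:] or ["/tmp"]:
        print(report(p))
```

A non-empty `listed_but_not_held` in one environment but not the other means the two processes were started with different supplementary group lists, even though both report the same user and primary group.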