postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Extra permissions restrictions with pipe comm

Re: Extra permissions restrictions with pipe commands?

From: Jeroen Geilman <jeroen_at_nospam>
Date: Fri Oct 15 2010 - 21:20:39 GMT

On 10/15/2010 06:22 PM, Andy Theuninck wrote:
> I'm trying to write a python script that accepts input from pipe. I'm
> encountering permission issues that I don't understand.
> According to postfix's configuration, pipe commands are run as
> nobody:nobody.

The documentation doesn't say this /anywhere/.

pipe(8) executes as the user specified in the "user=" argument.

> Logging from my script to /tmp agrees confirms this is the case.

Then you are trying to run it as root. postfix won't allow you to do that.

> When my script is called by postfix, I get permission errors when
> writing certain file locations. If I run the same script as
> nobody:nobody via sudo, those errors do not occur.

That doesn't make any sense.

> I am not using chroot for any part of postfix. It seems like some kind
> of group restriction is being layered on top. Through experimentation
> I've found my script, when called by postfix and running as
> nobody:nobody:
> 1. Can write to locations that are writable by all users.
As expected.
> 2. Can write to locations that are owner-writable and owned by nobody
As expected.
> 3. Can write to locations that are group-writable and are set to group nobody.
As expected.
> 4. Cannot write to locations that are group-writable and set to some
> other group - even if the user nobody is part of the relevant group.
As expected.
> I don't see anything in pipe's man page indicating this restriction,

I quote:

               Execute the external command with the user ID and
               group ID of the specified/username/._/*The software
*/_/* */_/* refuses to execute commands with root privileges,
*/_/* */_/* or with the privileges of the mail system owner.*/_ If
               /groupname/ is specified, the corresponding group ID
               is used instead of the group ID of/username/.

Emphasis mine.

And just in case you're using local(8) with external command delivery

        Deliveries to external files and external commands are
        made with the rights of the receiving user on whose behalf
        the delivery is made.

Never, not in any conceivable situation, does postfix execute external
commands as nobody:nobody - unless you're trying to execute as root, and
default_privs is actually SET to nobody:nobody.

Again, as expected.

-- J.