fix: Drop special bits from Postfix maildrop/ and public/ directory permissions (#3625)

* update K8s deployment

Because `allowPrivilegeEscalation` controls SUID/SGID, we require it
when postdrop is invoked.

* correct permissions for maildrop/public

The reason our permissions previously worked out as that in setups where
SUID/SGID worked, the binaries used to place files in these directories
already have SGID set; the current set of permissions makes less sense
(as explained in this comment:
https://github.com/docker-mailserver/docker-mailserver/issues/3619#issuecomment-1793816412)

Since the binaries used to place files inside these directories alredy
have SUID/SGID set, we do not require these bits (or the sticky bit) to
be set on the directories.

* Apply suggestions from code review

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
Georg Lauterbach 2023-11-10 19:57:17 +01:00 committed by GitHub
parent 0703e01492
commit 26214491ef
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 5 deletions

View file

@ -190,7 +190,10 @@ spec:
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
allowPrivilegeEscalation: false # Required to support SGID via `postdrop` executable
# in `/var/mail-state` for Postfix (maildrop + public dirs):
# https://github.com/docker-mailserver/docker-mailserver/pull/3625
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsUser: 0 runAsUser: 0
runAsGroup: 0 runAsGroup: 0

View file

@ -105,10 +105,10 @@ function _setup_save_states() {
# These two require the postdrop(103) group: # These two require the postdrop(103) group:
chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public} chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}
# After changing the group, special bits (set-gid, sticky) may be stripped, restore them: # These permissions rely on the `postdrop` binary having the SGID bit set.
# Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3149#issuecomment-1454981309 # Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3625
chmod 1730 "${STATEDIR}/spool-postfix/maildrop" chmod 730 "${STATEDIR}/spool-postfix/maildrop"
chmod 2710 "${STATEDIR}/spool-postfix/public" chmod 710 "${STATEDIR}/spool-postfix/public"
elif [[ ${ONE_DIR} -eq 1 ]]; then elif [[ ${ONE_DIR} -eq 1 ]]; then
_log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'" _log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
else else