mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
fix: Drop special bits from Postfix maildrop/
and public/
directory permissions (#3625)
* update K8s deployment Because `allowPrivilegeEscalation` controls SUID/SGID, we require it when postdrop is invoked. * correct permissions for maildrop/public The reason our permissions previously worked out as that in setups where SUID/SGID worked, the binaries used to place files in these directories already have SGID set; the current set of permissions makes less sense (as explained in this comment: https://github.com/docker-mailserver/docker-mailserver/issues/3619#issuecomment-1793816412) Since the binaries used to place files inside these directories alredy have SUID/SGID set, we do not require these bits (or the sticky bit) to be set on the directories. * Apply suggestions from code review --------- Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
parent
0703e01492
commit
26214491ef
|
@ -190,7 +190,10 @@ spec:
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
|
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: false
|
# Required to support SGID via `postdrop` executable
|
||||||
|
# in `/var/mail-state` for Postfix (maildrop + public dirs):
|
||||||
|
# https://github.com/docker-mailserver/docker-mailserver/pull/3625
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
runAsGroup: 0
|
runAsGroup: 0
|
||||||
|
|
|
@ -105,10 +105,10 @@ function _setup_save_states() {
|
||||||
# These two require the postdrop(103) group:
|
# These two require the postdrop(103) group:
|
||||||
chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}
|
chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}
|
||||||
|
|
||||||
# After changing the group, special bits (set-gid, sticky) may be stripped, restore them:
|
# These permissions rely on the `postdrop` binary having the SGID bit set.
|
||||||
# Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3149#issuecomment-1454981309
|
# Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3625
|
||||||
chmod 1730 "${STATEDIR}/spool-postfix/maildrop"
|
chmod 730 "${STATEDIR}/spool-postfix/maildrop"
|
||||||
chmod 2710 "${STATEDIR}/spool-postfix/public"
|
chmod 710 "${STATEDIR}/spool-postfix/public"
|
||||||
elif [[ ${ONE_DIR} -eq 1 ]]; then
|
elif [[ ${ONE_DIR} -eq 1 ]]; then
|
||||||
_log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
|
_log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in a new issue