public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy
@ 2024-06-17 14:17 Maximiliano Sandoval
  2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:17 UTC (permalink / raw)
  To: pmg-devel

We use systemd's RuntimeDirectory to ensure the directory exists when needed.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
Differences from v2:
- Use systemd-sysusers for creating users

 debian/pmgpolicy.service | 3 ++-
 src/bin/pmgpolicy        | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 517a5d6..21a403f 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -10,8 +10,9 @@ ExecStart=/usr/bin/pmgpolicy
 KillMode=mixed
 TimeoutStopSec=40
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmgpolicy.pid
+PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
+RuntimeDirectory=pmgpolicy
 
 [Install]
 WantedBy=multi-user.target
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index df2e66f..51a03d1 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -56,7 +56,7 @@ if (!GetOptions(%_opts)) {
     exit (-1);
 }
 
-$opt_pidfile = "/run/pmgpolicy.pid" if !$opt_pidfile;
+$opt_pidfile = "/run/pmgpolicy/pmgpolicy.pid" if !$opt_pidfile;
 $opt_max_dequeue = 0 if $opt_testmode;
 
 initlog('pmgpolicy', 'mail');
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
@ 2024-06-17 14:17 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:17 UTC (permalink / raw)
  To: pmg-devel

We use systemd's RuntimeDirectory to ensure the directory exists when needed.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-smtp-filter.service | 3 ++-
 src/PMG/Utils.pm               | 2 +-
 src/bin/pmg-smtp-filter        | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index cbf2d6f..c887dc2 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -11,10 +11,11 @@ ExecStart=/usr/bin/pmg-smtp-filter
 KillMode=mixed
 TimeoutStopSec=40
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmg-smtp-filter.pid
+PIDFile=/run/pmg-smtp-filter/pmg-smtp-filter.pid
 Type=forking
 Restart=on-abort
 RestartSec=10
+RuntimeDirectory=pmg-smtp-filter
 
 [Install]
 WantedBy=multi-user.target
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index 5d9ded4..09cb42d 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -1462,7 +1462,7 @@ sub get_pg_server_version {
 
 sub reload_smtp_filter {
 
-    my $pid_file = '/run/pmg-smtp-filter.pid';
+    my $pid_file = '/run/pmg-smtp-filter/pmg-smtp-filter.pid';
     my $pid = PVE::Tools::file_read_firstline($pid_file);
 
     return 0 if !$pid;
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 6061459..b19242a 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -80,7 +80,7 @@ if (!GetOptions(
     exit (-1);
 }
 
-$opt_pidfile = "/run/${prog_name}.pid" if !$opt_pidfile;
+$opt_pidfile = "/run/pmg-smtp-filter/${prog_name}.pid" if !$opt_pidfile;
 
 my $max_servers = 1;
 my $min_servers = 1;
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
  2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db Maximiliano Sandoval
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PMG/Config.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index a0daba3..95bc57b 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1819,8 +1819,8 @@ my $pmg_service_params = {
     },
 };
 
-my $smtp_filter_cfg = '/run/pmg-smtp-filter.cfg';
-my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter.cfg.lck';
+my $smtp_filter_cfg = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg';
+my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg.lck';
 
 sub dump_smtp_filter_config {
     my ($self) = @_;
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
  2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

These users will be used by the pmg-smtp-filter and pmgpolicy. We add a
helper function to open the rule_db as a given user.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst         |  8 ++++++++
 src/PMG/DBTools.pm      | 26 ++++++++++++++++++++++++--
 src/bin/pmg-smtp-filter |  4 ++--
 src/bin/pmgpolicy       |  6 +++---
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index 770c944..63ed604 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -48,6 +48,10 @@ migrate_apt_auth_conf() {
     fi
 }
 
+migrate_pmg_smtp_filter() {
+    pmgdb update >/dev/null 2>&1 &
+}
+
 case "$1" in
     triggered)
 
@@ -67,6 +71,10 @@ case "$1" in
 
         if test ! -e /proxmox_install_mode ; then
 
+            if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.1.3'; then
+                migrate_pmg_smtp_filter
+            fi
+
             pmgconf="/etc/pmg/pmg.conf"
             if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.0.2'; then
                 # on upgrade add pre 8.0 default values for advfilter, use_awl and use_bayes
diff --git a/src/PMG/DBTools.pm b/src/PMG/DBTools.pm
index 8770d06..e653d8f 100644
--- a/src/PMG/DBTools.pm
+++ b/src/PMG/DBTools.pm
@@ -38,7 +38,7 @@ sub cgreylist_merge_sql {
 }
 
 sub open_ruledb {
-    my ($database, $host, $port) = @_;
+    my ($database, $host, $port, $user) = @_;
 
     $port //= 5432;
 
@@ -74,13 +74,19 @@ sub open_ruledb {
 	return $rdb;
     } else {
 	my $dsn = "DBI:Pg:dbname=$database;host=/var/run/postgresql;port=$port";
-	my $user = $> == 0 ? 'root' : 'www-data';
+	$user //= $> == 0 ? 'root' : 'www-data';
 	my $dbh = DBI->connect($dsn, $user, undef, { PrintError => 0, RaiseError => 1 });
 
 	return $dbh;
     }
 }
 
+sub open_ruledb_as {
+    my ($database, $user) = @_;
+
+    open_ruledb($database, undef, undef, $user);
+}
+
 sub delete_ruledb {
     my ($dbname) = @_;
 
@@ -609,6 +615,22 @@ sub upgradedb {
 	}
     }
 
+    foreach my $user ('pmgpolicy', 'pmg-smtp-filter') {
+	eval {
+	    my $silent_opts = { outfunc => sub {}, errfunc => sub {} };
+	    postgres_admin_cmd('createuser',  $silent_opts, '-D', $user);
+
+	    $dbh->begin_work;
+	    $dbh->do("GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO \"$user\"");
+	    $dbh->do("GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"$user\"");
+	    $dbh->commit;
+
+	};
+	if (my $err = $@) {
+	    $dbh->rollback;
+	}
+    }
+
     foreach my $table (keys %$tables) {
 	eval { $dbh->do("ANALYZE $table"); };
 	warn $@ if $@;
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index b19242a..9f46941 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -387,7 +387,7 @@ sub load_config {
     PMG::MailQueue::create_spooldirs($self->{cinfo}->{local}->{cid});
 
     eval {
-	my $dbh = PMG::DBTools::open_ruledb ($database);
+	my $dbh = PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter');
 	$self->{ruledb} = PMG::RuleDB->new ($dbh);
 
 	# load rulecache
@@ -538,7 +538,7 @@ sub run_dequeue {
 
     my $cinfo = PVE::INotify::read_file("cluster.conf");
 
-    my $dbh = eval { PMG::DBTools::open_ruledb($database) };
+    my $dbh = eval { PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter') };
     if ($err = $@) {
 	$self->log (0, "ERROR: $err");
 	return;
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index 51a03d1..5e5c69e 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -142,7 +142,7 @@ sub run_dequeue {
     my $dbh;
 
     eval {
-	$dbh = PMG::DBTools::open_ruledb($database);
+	$dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
     };
     my $err = $@;
 
@@ -343,7 +343,7 @@ sub load_config {
     my $dbh;
 
     eval {
-	$dbh = PMG::DBTools::open_ruledb($database);
+	$dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
 	$self->{ruledb} = PMG::RuleDB->new($dbh);
 	$self->{rulecache} = PMG::RuleCache->new($self->{ruledb});
     };
@@ -523,7 +523,7 @@ sub greylist_value {
 	$self->log(0, 'Database connection broken - trying to reconnect');
 	my $dbh;
 	eval {
-	    $dbh = PMG::DBTools::open_ruledb($database);
+	    $dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
 	};
 	my $err = $@;
 	if ($err) {
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (2 preceding siblings ...)
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

A shared group named 'pmg' is introduced for processes that need to be
accessible from multiple processes like spamassassin, rrdcached or the
mail queue at /var/spool/pmg.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-api.sysusers | 1 +
 debian/postinst         | 4 ++++
 debian/rules            | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 debian/pmg-api.sysusers

diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
new file mode 100644
index 0000000..a546c45
--- /dev/null
+++ b/debian/pmg-api.sysusers
@@ -0,0 +1 @@
+g pmg             -               -
diff --git a/debian/postinst b/debian/postinst
index 63ed604..ebae645 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -49,6 +49,10 @@ migrate_apt_auth_conf() {
 }
 
 migrate_pmg_smtp_filter() {
+    systemd-sysusers
+
+    chown :pmg /var/lib/pmg
+
     pmgdb update >/dev/null 2>&1 &
 }
 
diff --git a/debian/rules b/debian/rules
index 3e15079..ea8f110 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ include debian/rules.env
 export REPOID=${REPOID_GENERATED}
 
 %:
-	dh $@
+	dh $@ --with installsysusers
 
 override_dh_installsystemd:
 	dh_installsystemd --no-start --no-stop-on-upgrade \
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (3 preceding siblings ...)
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/debian/postinst b/debian/postinst
index ebae645..f139e55 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,14 @@ migrate_pmg_smtp_filter() {
 
     chown :pmg /var/lib/pmg
 
+    # FIXME: This is not ideal
+    if ! cat /etc/default/rrdcached | grep -q "^SOCKGROUP=pmg$"; then
+        sed -i "s/#SOCKGROUP=root/SOCKGROUP=pmg/" /etc/default/rrdcached
+        if systemctl --quiet is-active rrdcached.service ; then
+            deb-systemd-invoke reload-or-try-restart rrdcached.service >/dev/null || true
+        fi
+    fi
+
     pmgdb update >/dev/null 2>&1 &
 }
 
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (4 preceding siblings ...)
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PMG/Config.pm       | 8 ++++----
 src/PMG/Report.pm       | 2 +-
 src/bin/pmg-smtp-filter | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 95bc57b..a91bb10 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1594,13 +1594,13 @@ sub rewrite_config_spam {
 
     # delete AW and bayes databases if those features are disabled
     if (!$use_awl) {
-	$changes = 1 if unlink '/root/.spamassassin/auto-whitelist';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/auto-whitelist';
     }
 
     if (!$use_bayes) {
-	$changes = 1 if unlink '/root/.spamassassin/bayes_journal';
-	$changes = 1 if unlink '/root/.spamassassin/bayes_seen';
-	$changes = 1 if unlink '/root/.spamassassin/bayes_toks';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_journal';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_seen';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_toks';
     }
 
     # make sure we have the custom SA files (else cluster sync fails)
diff --git a/src/PMG/Report.pm b/src/PMG/Report.pm
index 100a197..3512ecf 100644
--- a/src/PMG/Report.pm
+++ b/src/PMG/Report.pm
@@ -123,7 +123,7 @@ sub check_dns_resolution {
 	debug => 0,
 	local_tests_only => 0,
 	home_dir_for_helpers => '/root',
-	userstate_dir => '/root/.spamassassin',
+	userstate_dir => '/var/lib/pmg/spamassassin',
 	dont_copy_prefs   => 1,
 	stop_at_threshold => 0,
     });
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 9f46941..f9499df 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -460,7 +460,7 @@ sub pre_loop_hook {
 	debug => 0,
 	local_tests_only => $opt_testmode || !$rbl_checks,
 	home_dir_for_helpers => '/root',
-	userstate_dir => '/root/.spamassassin',
+	userstate_dir => '/var/lib/pmg/spamassassin',
 	dont_copy_prefs   => 1,
 	stop_at_threshold => 0,
     });
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (5 preceding siblings ...)
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst      | 9 +++++++++
 src/PMG/MailQueue.pm | 7 ++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index f139e55..8eaa114 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,15 @@ migrate_pmg_smtp_filter() {
 
     chown :pmg /var/lib/pmg
 
+    chown :pmg /var/spool/pmg/active
+    chown :pmg /var/spool/pmg/virus
+    chown :pmg /var/spool/pmg/spam
+    chown :pmg /var/spool/pmg/attachment
+    chmod g+w /var/spool/pmg/active
+    chmod g+w /var/spool/pmg/virus
+    chmod g+w /var/spool/pmg/spam
+    chmod g+w /var/spool/pmg/attachment
+
     # FIXME: This is not ideal
     if ! cat /etc/default/rrdcached | grep -q "^SOCKGROUP=pmg$"; then
         sed -i "s/#SOCKGROUP=root/SOCKGROUP=pmg/" /etc/default/rrdcached
diff --git a/src/PMG/MailQueue.pm b/src/PMG/MailQueue.pm
index 4e37cb9..adbf28c 100644
--- a/src/PMG/MailQueue.pm
+++ b/src/PMG/MailQueue.pm
@@ -33,12 +33,13 @@ sub create_spooldirs {
 	"$spooldir/attachment",
     ]) if $cleanup;
 
-    mkpath([
+    mkpath(
 	"$spooldir/active",
 	"$spooldir/spam",
 	"$spooldir/virus",
 	"$spooldir/attachment",
-    ]);
+	{ group=>'pmg', chmod=>0775 },
+    );
 
     if ($lcid) {
 	mkpath "$spooldir/cluster/$lcid/virus";
@@ -68,7 +69,7 @@ sub new_fileid {
     my $uid;
     my $subsubdir = '';
 
-    if (!($fh = IO::File->new ($path, 'w+', 0600))) {
+    if (!($fh = IO::File->new ($path, 'w+', 0660))) {
 	die "unable to create file '$path': $! : ERROR";
     }
 
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (6 preceding siblings ...)
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

The pmgpolicy user needs access to the system journals so we add it to
the systemd-journal group.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-api.sysusers | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
index a546c45..11fa19e 100644
--- a/debian/pmg-api.sysusers
+++ b/debian/pmg-api.sysusers
@@ -1 +1,6 @@
 g pmg             -               -
+u pmg-smtp-filter -               "SMTP filter user"
+u pmgpolicy       -               "Mail policy user"
+m pmg-smtp-filter pmg             -
+m pmgpolicy       pmg             -
+m pmgpolicy       systemd-journal -
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights
  2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (7 preceding siblings ...)
  2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
  8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
  To: pmg-devel

New users 'pmg-smpt-filter' and 'pmgpolicy' are created for their
respective processes and we set their systemd units to use them.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-smtp-filter.service | 2 ++
 debian/pmgpolicy.service       | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index c887dc2..c4d5e38 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -16,6 +16,8 @@ Type=forking
 Restart=on-abort
 RestartSec=10
 RuntimeDirectory=pmg-smtp-filter
+User=pmg-smtp-filter
+Group=pmg-smtp-filter
 
 [Install]
 WantedBy=multi-user.target
diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 21a403f..cd8ee60 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -13,6 +13,8 @@ ExecReload=/bin/kill -HUP $MAINPID
 PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
 RuntimeDirectory=pmgpolicy
+User=pmgpolicy
+Group=pmgpolicy
 
 [Install]
 WantedBy=multi-user.target
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2024-06-17 14:18 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal