* [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy
@ 2024-06-17 14:17 Maximiliano Sandoval
2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
` (8 more replies)
0 siblings, 9 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:17 UTC (permalink / raw)
To: pmg-devel
We use systemd's RuntimeDirectory to ensure the directory exists when needed.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
Differences from v2:
- Use systemd-sysusers for creating users
debian/pmgpolicy.service | 3 ++-
src/bin/pmgpolicy | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 517a5d6..21a403f 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -10,8 +10,9 @@ ExecStart=/usr/bin/pmgpolicy
KillMode=mixed
TimeoutStopSec=40
ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmgpolicy.pid
+PIDFile=/run/pmgpolicy/pmgpolicy.pid
Type=forking
+RuntimeDirectory=pmgpolicy
[Install]
WantedBy=multi-user.target
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index df2e66f..51a03d1 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -56,7 +56,7 @@ if (!GetOptions(%_opts)) {
exit (-1);
}
-$opt_pidfile = "/run/pmgpolicy.pid" if !$opt_pidfile;
+$opt_pidfile = "/run/pmgpolicy/pmgpolicy.pid" if !$opt_pidfile;
$opt_max_dequeue = 0 if $opt_testmode;
initlog('pmgpolicy', 'mail');
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
@ 2024-06-17 14:17 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:17 UTC (permalink / raw)
To: pmg-devel
We use systemd's RuntimeDirectory to ensure the directory exists when needed.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/pmg-smtp-filter.service | 3 ++-
src/PMG/Utils.pm | 2 +-
src/bin/pmg-smtp-filter | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index cbf2d6f..c887dc2 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -11,10 +11,11 @@ ExecStart=/usr/bin/pmg-smtp-filter
KillMode=mixed
TimeoutStopSec=40
ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmg-smtp-filter.pid
+PIDFile=/run/pmg-smtp-filter/pmg-smtp-filter.pid
Type=forking
Restart=on-abort
RestartSec=10
+RuntimeDirectory=pmg-smtp-filter
[Install]
WantedBy=multi-user.target
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index 5d9ded4..09cb42d 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -1462,7 +1462,7 @@ sub get_pg_server_version {
sub reload_smtp_filter {
- my $pid_file = '/run/pmg-smtp-filter.pid';
+ my $pid_file = '/run/pmg-smtp-filter/pmg-smtp-filter.pid';
my $pid = PVE::Tools::file_read_firstline($pid_file);
return 0 if !$pid;
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 6061459..b19242a 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -80,7 +80,7 @@ if (!GetOptions(
exit (-1);
}
-$opt_pidfile = "/run/${prog_name}.pid" if !$opt_pidfile;
+$opt_pidfile = "/run/pmg-smtp-filter/${prog_name}.pid" if !$opt_pidfile;
my $max_servers = 1;
my $min_servers = 1;
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db Maximiliano Sandoval
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
src/PMG/Config.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index a0daba3..95bc57b 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1819,8 +1819,8 @@ my $pmg_service_params = {
},
};
-my $smtp_filter_cfg = '/run/pmg-smtp-filter.cfg';
-my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter.cfg.lck';
+my $smtp_filter_cfg = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg';
+my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg.lck';
sub dump_smtp_filter_config {
my ($self) = @_;
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
These users will be used by the pmg-smtp-filter and pmgpolicy. We add a
helper function to open the rule_db as a given user.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/postinst | 8 ++++++++
src/PMG/DBTools.pm | 26 ++++++++++++++++++++++++--
src/bin/pmg-smtp-filter | 4 ++--
src/bin/pmgpolicy | 6 +++---
4 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/debian/postinst b/debian/postinst
index 770c944..63ed604 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -48,6 +48,10 @@ migrate_apt_auth_conf() {
fi
}
+migrate_pmg_smtp_filter() {
+ pmgdb update >/dev/null 2>&1 &
+}
+
case "$1" in
triggered)
@@ -67,6 +71,10 @@ case "$1" in
if test ! -e /proxmox_install_mode ; then
+ if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.1.3'; then
+ migrate_pmg_smtp_filter
+ fi
+
pmgconf="/etc/pmg/pmg.conf"
if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.0.2'; then
# on upgrade add pre 8.0 default values for advfilter, use_awl and use_bayes
diff --git a/src/PMG/DBTools.pm b/src/PMG/DBTools.pm
index 8770d06..e653d8f 100644
--- a/src/PMG/DBTools.pm
+++ b/src/PMG/DBTools.pm
@@ -38,7 +38,7 @@ sub cgreylist_merge_sql {
}
sub open_ruledb {
- my ($database, $host, $port) = @_;
+ my ($database, $host, $port, $user) = @_;
$port //= 5432;
@@ -74,13 +74,19 @@ sub open_ruledb {
return $rdb;
} else {
my $dsn = "DBI:Pg:dbname=$database;host=/var/run/postgresql;port=$port";
- my $user = $> == 0 ? 'root' : 'www-data';
+ $user //= $> == 0 ? 'root' : 'www-data';
my $dbh = DBI->connect($dsn, $user, undef, { PrintError => 0, RaiseError => 1 });
return $dbh;
}
}
+sub open_ruledb_as {
+ my ($database, $user) = @_;
+
+ open_ruledb($database, undef, undef, $user);
+}
+
sub delete_ruledb {
my ($dbname) = @_;
@@ -609,6 +615,22 @@ sub upgradedb {
}
}
+ foreach my $user ('pmgpolicy', 'pmg-smtp-filter') {
+ eval {
+ my $silent_opts = { outfunc => sub {}, errfunc => sub {} };
+ postgres_admin_cmd('createuser', $silent_opts, '-D', $user);
+
+ $dbh->begin_work;
+ $dbh->do("GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO \"$user\"");
+ $dbh->do("GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"$user\"");
+ $dbh->commit;
+
+ };
+ if (my $err = $@) {
+ $dbh->rollback;
+ }
+ }
+
foreach my $table (keys %$tables) {
eval { $dbh->do("ANALYZE $table"); };
warn $@ if $@;
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index b19242a..9f46941 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -387,7 +387,7 @@ sub load_config {
PMG::MailQueue::create_spooldirs($self->{cinfo}->{local}->{cid});
eval {
- my $dbh = PMG::DBTools::open_ruledb ($database);
+ my $dbh = PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter');
$self->{ruledb} = PMG::RuleDB->new ($dbh);
# load rulecache
@@ -538,7 +538,7 @@ sub run_dequeue {
my $cinfo = PVE::INotify::read_file("cluster.conf");
- my $dbh = eval { PMG::DBTools::open_ruledb($database) };
+ my $dbh = eval { PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter') };
if ($err = $@) {
$self->log (0, "ERROR: $err");
return;
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index 51a03d1..5e5c69e 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -142,7 +142,7 @@ sub run_dequeue {
my $dbh;
eval {
- $dbh = PMG::DBTools::open_ruledb($database);
+ $dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
};
my $err = $@;
@@ -343,7 +343,7 @@ sub load_config {
my $dbh;
eval {
- $dbh = PMG::DBTools::open_ruledb($database);
+ $dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
$self->{ruledb} = PMG::RuleDB->new($dbh);
$self->{rulecache} = PMG::RuleCache->new($self->{ruledb});
};
@@ -523,7 +523,7 @@ sub greylist_value {
$self->log(0, 'Database connection broken - trying to reconnect');
my $dbh;
eval {
- $dbh = PMG::DBTools::open_ruledb($database);
+ $dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
};
my $err = $@;
if ($err) {
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
` (2 preceding siblings ...)
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
A shared group named 'pmg' is introduced for processes that need to be
accessible from multiple processes like spamassassin, rrdcached or the
mail queue at /var/spool/pmg.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/pmg-api.sysusers | 1 +
debian/postinst | 4 ++++
debian/rules | 2 +-
3 files changed, 6 insertions(+), 1 deletion(-)
create mode 100644 debian/pmg-api.sysusers
diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
new file mode 100644
index 0000000..a546c45
--- /dev/null
+++ b/debian/pmg-api.sysusers
@@ -0,0 +1 @@
+g pmg - -
diff --git a/debian/postinst b/debian/postinst
index 63ed604..ebae645 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -49,6 +49,10 @@ migrate_apt_auth_conf() {
}
migrate_pmg_smtp_filter() {
+ systemd-sysusers
+
+ chown :pmg /var/lib/pmg
+
pmgdb update >/dev/null 2>&1 &
}
diff --git a/debian/rules b/debian/rules
index 3e15079..ea8f110 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ include debian/rules.env
export REPOID=${REPOID_GENERATED}
%:
- dh $@
+ dh $@ --with installsysusers
override_dh_installsystemd:
dh_installsystemd --no-start --no-stop-on-upgrade \
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
` (3 preceding siblings ...)
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/postinst | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/debian/postinst b/debian/postinst
index ebae645..f139e55 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,14 @@ migrate_pmg_smtp_filter() {
chown :pmg /var/lib/pmg
+ # FIXME: This is not ideal
+ if ! cat /etc/default/rrdcached | grep -q "^SOCKGROUP=pmg$"; then
+ sed -i "s/#SOCKGROUP=root/SOCKGROUP=pmg/" /etc/default/rrdcached
+ if systemctl --quiet is-active rrdcached.service ; then
+ deb-systemd-invoke reload-or-try-restart rrdcached.service >/dev/null || true
+ fi
+ fi
+
pmgdb update >/dev/null 2>&1 &
}
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
` (4 preceding siblings ...)
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
src/PMG/Config.pm | 8 ++++----
src/PMG/Report.pm | 2 +-
src/bin/pmg-smtp-filter | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 95bc57b..a91bb10 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1594,13 +1594,13 @@ sub rewrite_config_spam {
# delete AW and bayes databases if those features are disabled
if (!$use_awl) {
- $changes = 1 if unlink '/root/.spamassassin/auto-whitelist';
+ $changes = 1 if unlink '/var/lib/pmg/spamassassin/auto-whitelist';
}
if (!$use_bayes) {
- $changes = 1 if unlink '/root/.spamassassin/bayes_journal';
- $changes = 1 if unlink '/root/.spamassassin/bayes_seen';
- $changes = 1 if unlink '/root/.spamassassin/bayes_toks';
+ $changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_journal';
+ $changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_seen';
+ $changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_toks';
}
# make sure we have the custom SA files (else cluster sync fails)
diff --git a/src/PMG/Report.pm b/src/PMG/Report.pm
index 100a197..3512ecf 100644
--- a/src/PMG/Report.pm
+++ b/src/PMG/Report.pm
@@ -123,7 +123,7 @@ sub check_dns_resolution {
debug => 0,
local_tests_only => 0,
home_dir_for_helpers => '/root',
- userstate_dir => '/root/.spamassassin',
+ userstate_dir => '/var/lib/pmg/spamassassin',
dont_copy_prefs => 1,
stop_at_threshold => 0,
});
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 9f46941..f9499df 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -460,7 +460,7 @@ sub pre_loop_hook {
debug => 0,
local_tests_only => $opt_testmode || !$rbl_checks,
home_dir_for_helpers => '/root',
- userstate_dir => '/root/.spamassassin',
+ userstate_dir => '/var/lib/pmg/spamassassin',
dont_copy_prefs => 1,
stop_at_threshold => 0,
});
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
` (5 preceding siblings ...)
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/postinst | 9 +++++++++
src/PMG/MailQueue.pm | 7 ++++---
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/debian/postinst b/debian/postinst
index f139e55..8eaa114 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,15 @@ migrate_pmg_smtp_filter() {
chown :pmg /var/lib/pmg
+ chown :pmg /var/spool/pmg/active
+ chown :pmg /var/spool/pmg/virus
+ chown :pmg /var/spool/pmg/spam
+ chown :pmg /var/spool/pmg/attachment
+ chmod g+w /var/spool/pmg/active
+ chmod g+w /var/spool/pmg/virus
+ chmod g+w /var/spool/pmg/spam
+ chmod g+w /var/spool/pmg/attachment
+
# FIXME: This is not ideal
if ! cat /etc/default/rrdcached | grep -q "^SOCKGROUP=pmg$"; then
sed -i "s/#SOCKGROUP=root/SOCKGROUP=pmg/" /etc/default/rrdcached
diff --git a/src/PMG/MailQueue.pm b/src/PMG/MailQueue.pm
index 4e37cb9..adbf28c 100644
--- a/src/PMG/MailQueue.pm
+++ b/src/PMG/MailQueue.pm
@@ -33,12 +33,13 @@ sub create_spooldirs {
"$spooldir/attachment",
]) if $cleanup;
- mkpath([
+ mkpath(
"$spooldir/active",
"$spooldir/spam",
"$spooldir/virus",
"$spooldir/attachment",
- ]);
+ { group=>'pmg', chmod=>0775 },
+ );
if ($lcid) {
mkpath "$spooldir/cluster/$lcid/virus";
@@ -68,7 +69,7 @@ sub new_fileid {
my $uid;
my $subsubdir = '';
- if (!($fh = IO::File->new ($path, 'w+', 0600))) {
+ if (!($fh = IO::File->new ($path, 'w+', 0660))) {
die "unable to create file '$path': $! : ERROR";
}
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
` (6 preceding siblings ...)
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
The pmgpolicy user needs access to the system journals so we add it to
the systemd-journal group.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/pmg-api.sysusers | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
index a546c45..11fa19e 100644
--- a/debian/pmg-api.sysusers
+++ b/debian/pmg-api.sysusers
@@ -1 +1,6 @@
g pmg - -
+u pmg-smtp-filter - "SMTP filter user"
+u pmgpolicy - "Mail policy user"
+m pmg-smtp-filter pmg -
+m pmgpolicy pmg -
+m pmgpolicy systemd-journal -
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
` (7 preceding siblings ...)
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
@ 2024-06-17 14:18 ` Maximiliano Sandoval
8 siblings, 0 replies; 10+ messages in thread
From: Maximiliano Sandoval @ 2024-06-17 14:18 UTC (permalink / raw)
To: pmg-devel
New users 'pmg-smpt-filter' and 'pmgpolicy' are created for their
respective processes and we set their systemd units to use them.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
debian/pmg-smtp-filter.service | 2 ++
debian/pmgpolicy.service | 2 ++
2 files changed, 4 insertions(+)
diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index c887dc2..c4d5e38 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -16,6 +16,8 @@ Type=forking
Restart=on-abort
RestartSec=10
RuntimeDirectory=pmg-smtp-filter
+User=pmg-smtp-filter
+Group=pmg-smtp-filter
[Install]
WantedBy=multi-user.target
diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 21a403f..cd8ee60 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -13,6 +13,8 @@ ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/pmgpolicy/pmgpolicy.pid
Type=forking
RuntimeDirectory=pmgpolicy
+User=pmgpolicy
+Group=pmgpolicy
[Install]
WantedBy=multi-user.target
--
2.39.2
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2024-06-17 14:18 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-17 14:17 [pmg-devel] [PATCH pmg-api v3 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
2024-06-17 14:17 ` [pmg-devel] [PATCH pmg-api v3 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 04/10] create new users for the rule db Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
2024-06-17 14:18 ` [pmg-devel] [PATCH pmg-api v3 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox