public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy
@ 2024-07-10 14:35 Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
                   ` (8 more replies)
  0 siblings, 9 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

We use systemd's RuntimeDirectory to ensure the directory exists when needed.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
Differences from v3:
 - Override rrdcached's systemd unit to add SOCKGROUP=pmg instead of
   modifying /etc/default/rrdcached.conf
Differences from v2:
 - Use systemd-sysusers for creating users

 debian/pmgpolicy.service | 3 ++-
 src/bin/pmgpolicy        | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 517a5d6..21a403f 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -10,8 +10,9 @@ ExecStart=/usr/bin/pmgpolicy
 KillMode=mixed
 TimeoutStopSec=40
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmgpolicy.pid
+PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
+RuntimeDirectory=pmgpolicy
 
 [Install]
 WantedBy=multi-user.target
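
Review bot: the pid file path is now hard-coded twice, in PIDFile= here and as the script's built-in default, while ExecStart=/usr/bin/pmgpolicy passes no pid file option. With Type=forking the two must agree exactly or systemd never finds the main PID, so consider passing the path from the unit on the command line, or add a comment on both sides saying they must be changed together.
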
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index df2e66f..51a03d1 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -56,7 +56,7 @@ if (!GetOptions(%_opts)) {
     exit (-1);
 }
 
-$opt_pidfile = "/run/pmgpolicy.pid" if !$opt_pidfile;
+$opt_pidfile = "/run/pmgpolicy/pmgpolicy.pid" if !$opt_pidfile;
 $opt_max_dequeue = 0 if $opt_testmode;
 
 initlog('pmgpolicy', 'mail');
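
Review bot: the new default for $opt_pidfile points into /run/pmgpolicy, which only exists while the systemd unit is active (RuntimeDirectory= creates it on start and removes it on stop). Nothing in this hunk creates the directory, so a start outside the unit, for example with the test mode visible here, has nowhere to write the pid file. Either create the directory when it is missing or document that such runs need an explicit pid file option.
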
-- 
2.39.2



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel



* [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-12  9:54   ` Fiona Ebner
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

We use systemd's RuntimeDirectory to ensure the directory exists when needed.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-smtp-filter.service | 3 ++-
 src/PMG/Utils.pm               | 2 +-
 src/bin/pmg-smtp-filter        | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index cbf2d6f..c887dc2 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -11,10 +11,11 @@ ExecStart=/usr/bin/pmg-smtp-filter
 KillMode=mixed
 TimeoutStopSec=40
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmg-smtp-filter.pid
+PIDFile=/run/pmg-smtp-filter/pmg-smtp-filter.pid
 Type=forking
 Restart=on-abort
 RestartSec=10
+RuntimeDirectory=pmg-smtp-filter
 
 [Install]
 WantedBy=multi-user.target
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index 5d9ded4..09cb42d 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -1462,7 +1462,7 @@ sub get_pg_server_version {
 
 sub reload_smtp_filter {
 
-    my $pid_file = '/run/pmg-smtp-filter.pid';
+    my $pid_file = '/run/pmg-smtp-filter/pmg-smtp-filter.pid';
     my $pid = PVE::Tools::file_read_firstline($pid_file);
 
     return 0 if !$pid;
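
Review bot: reload_smtp_filter() now looks only at the new path, and 'return 0 if !$pid' turns a missing file into a silent no-op. During an upgrade a daemon started by the old package still has its pid file at /run/pmg-smtp-filter.pid, so a reload requested in that window is dropped without any log entry. Fall back to the old path when the new one is absent, at least until the next major release, or log when no pid file is found.
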
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 6061459..b19242a 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -80,7 +80,7 @@ if (!GetOptions(
     exit (-1);
 }
 
-$opt_pidfile = "/run/${prog_name}.pid" if !$opt_pidfile;
+$opt_pidfile = "/run/pmg-smtp-filter/${prog_name}.pid" if !$opt_pidfile;
 
 my $max_servers = 1;
 my $min_servers = 1;
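
Review bot: the default mixes a literal directory with an interpolated file name, '/run/pmg-smtp-filter/${prog_name}.pid', whereas the unit's PIDFile= and reload_smtp_filter() both hard-code the full path. If $prog_name is ever anything other than 'pmg-smtp-filter' the three diverge. Use the literal path here as well, or derive the directory from $prog_name too and note that the unit's RuntimeDirectory= must match.
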
-- 
2.39.2




* [pmg-devel] [PATCH api v4 03/10] config: store config lock in smtp-filter runtime dir
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 04/10] create new users for the rule db Maximiliano Sandoval
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PMG/Config.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index a0daba3..95bc57b 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1819,8 +1819,8 @@ my $pmg_service_params = {
     },
 };
 
-my $smtp_filter_cfg = '/run/pmg-smtp-filter.cfg';
-my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter.cfg.lck';
+my $smtp_filter_cfg = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg';
+my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg.lck';
 
 sub dump_smtp_filter_config {
     my ($self) = @_;
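
Review bot: both $smtp_filter_cfg and $smtp_filter_cfg_lock now live in /run/pmg-smtp-filter, the RuntimeDirectory= of pmg-smtp-filter.service from 02/10, which systemd removes when that unit stops. dump_smtp_filter_config() sits in PMG::Config, so any caller running while the filter is stopped or restarting finds no directory to write or lock in. The commit message has no body; please state which process writes these files, and either create the directory on demand or set RuntimeDirectoryPreserve= on the unit.
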
-- 
2.39.2




* [pmg-devel] [PATCH api v4 04/10] create new users for the rule db
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 03/10] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

These users will be used by the pmg-smtp-filter and pmgpolicy. We add a
helper function to open the rule_db as a given user.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst         |  8 ++++++++
 src/PMG/DBTools.pm      | 26 ++++++++++++++++++++++++--
 src/bin/pmg-smtp-filter |  4 ++--
 src/bin/pmgpolicy       |  6 +++---
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index 770c944..63ed604 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -48,6 +48,10 @@ migrate_apt_auth_conf() {
     fi
 }
 
+migrate_pmg_smtp_filter() {
+    pmgdb update >/dev/null 2>&1 &
+}
+
 case "$1" in
     triggered)
 
@@ -67,6 +71,10 @@ case "$1" in
 
         if test ! -e /proxmox_install_mode ; then
 
+            if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.1.3'; then
+                migrate_pmg_smtp_filter
+            fi
+
             pmgconf="/etc/pmg/pmg.conf"
             if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.0.2'; then
                 # on upgrade add pre 8.0 default values for advfilter, use_awl and use_bayes
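
Review bot: the call added at the '8.1.3' version gate runs migrate_pmg_smtp_filter, which starts 'pmgdb update' in the background with stdout and stderr discarded. The postinst does not wait for it, so the daemons can be restarted and try to open the rule DB as the new roles before those roles and grants exist, and a failed update leaves no trace. Run it in the foreground, or at least log a non-zero exit. The literal '8.1.3' also has to match the version this series is actually released in.
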
diff --git a/src/PMG/DBTools.pm b/src/PMG/DBTools.pm
index 8770d06..e653d8f 100644
--- a/src/PMG/DBTools.pm
+++ b/src/PMG/DBTools.pm
@@ -38,7 +38,7 @@ sub cgreylist_merge_sql {
 }
 
 sub open_ruledb {
-    my ($database, $host, $port) = @_;
+    my ($database, $host, $port, $user) = @_;
 
     $port //= 5432;
 
@@ -74,13 +74,19 @@ sub open_ruledb {
 	return $rdb;
     } else {
 	my $dsn = "DBI:Pg:dbname=$database;host=/var/run/postgresql;port=$port";
-	my $user = $> == 0 ? 'root' : 'www-data';
+	$user //= $> == 0 ? 'root' : 'www-data';
 	my $dbh = DBI->connect($dsn, $user, undef, { PrintError => 0, RaiseError => 1 });
 
 	return $dbh;
     }
 }
 
+sub open_ruledb_as {
+    my ($database, $user) = @_;
+
+    open_ruledb($database, undef, undef, $user);
+}
+
 sub delete_ruledb {
     my ($dbname) = @_;
 
@@ -609,6 +615,22 @@ sub upgradedb {
 	}
     }
 
+    foreach my $user ('pmgpolicy', 'pmg-smtp-filter') {
+	eval {
+	    my $silent_opts = { outfunc => sub {}, errfunc => sub {} };
+	    postgres_admin_cmd('createuser',  $silent_opts, '-D', $user);
+
+	    $dbh->begin_work;
+	    $dbh->do("GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO \"$user\"");
+	    $dbh->do("GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"$user\"");
+	    $dbh->commit;
+
+	};
+	if (my $err = $@) {
+	    $dbh->rollback;
+	}
+    }
+
     foreach my $table (keys %$tables) {
 	eval { $dbh->do("ANALYZE $table"); };
 	warn $@ if $@;
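
Review bot: in the new per-user loop, createuser and the two GRANT statements share one eval, and the error is dropped in 'if (my $err = $@) { $dbh->rollback; }'. If postgres_admin_cmd dies when createuser fails, which is the normal case on a second run because the role already exists, the GRANTs are skipped and rollback is called with no transaction open. Put createuser in its own eval so the grants are always re-applied, roll back only after begin_work succeeded, and warn with $err. Note also that GRANT ... ON ALL TABLES covers only tables that exist at that moment; tables created by later schema upgrades need the grant repeated or ALTER DEFAULT PRIVILEGES. Granting INSERT, UPDATE and DELETE on every table to both daemons is broader than either is likely to need.
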
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index b19242a..9f46941 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -387,7 +387,7 @@ sub load_config {
     PMG::MailQueue::create_spooldirs($self->{cinfo}->{local}->{cid});
 
     eval {
-	my $dbh = PMG::DBTools::open_ruledb ($database);
+	my $dbh = PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter');
 	$self->{ruledb} = PMG::RuleDB->new ($dbh);
 
 	# load rulecache
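
Review bot: open_ruledb_as($database, 'pmg-smtp-filter') is introduced here, but the unit only switches to User=pmg-smtp-filter in 10/10, so at this point in the series a root process connects over the /var/run/postgresql socket, without a password, as a different role. Whether that login is accepted depends on the PostgreSQL authentication configuration, and the role itself only exists once upgradedb has run. Please say in the commit message why this works for every intermediate commit, or move the call-site changes into 10/10 so the series stays bisectable.
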
@@ -538,7 +538,7 @@ sub run_dequeue {
 
     my $cinfo = PVE::INotify::read_file("cluster.conf");
 
-    my $dbh = eval { PMG::DBTools::open_ruledb($database) };
+    my $dbh = eval { PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter') };
     if ($err = $@) {
 	$self->log (0, "ERROR: $err");
 	return;
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index 51a03d1..5e5c69e 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -142,7 +142,7 @@ sub run_dequeue {
     my $dbh;
 
     eval {
-	$dbh = PMG::DBTools::open_ruledb($database);
+	$dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
     };
     my $err = $@;
 
@@ -343,7 +343,7 @@ sub load_config {
     my $dbh;
 
     eval {
-	$dbh = PMG::DBTools::open_ruledb($database);
+	$dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
 	$self->{ruledb} = PMG::RuleDB->new($dbh);
 	$self->{rulecache} = PMG::RuleCache->new($self->{ruledb});
     };
@@ -523,7 +523,7 @@ sub greylist_value {
 	$self->log(0, 'Database connection broken - trying to reconnect');
 	my $dbh;
 	eval {
-	    $dbh = PMG::DBTools::open_ruledb($database);
+	    $dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
 	};
 	my $err = $@;
 	if ($err) {
-- 
2.39.2




* [pmg-devel] [PATCH api v4 05/10] postinstall: add new group for shared functionality
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (2 preceding siblings ...)
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 04/10] create new users for the rule db Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

A shared group named 'pmg' is introduced for processes that need to be
accessible from multiple processes like spamassassin, rrdcached or the
mail queue at /var/spool/pmg.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-api.sysusers | 1 +
 debian/postinst         | 4 ++++
 debian/rules            | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 debian/pmg-api.sysusers

diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
new file mode 100644
index 0000000..a546c45
--- /dev/null
+++ b/debian/pmg-api.sysusers
@@ -0,0 +1 @@
+g pmg             -               -
diff --git a/debian/postinst b/debian/postinst
index 63ed604..ebae645 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -49,6 +49,10 @@ migrate_apt_auth_conf() {
 }
 
 migrate_pmg_smtp_filter() {
+    systemd-sysusers
+
+    chown :pmg /var/lib/pmg
+
     pmgdb update >/dev/null 2>&1 &
 }
 
diff --git a/debian/rules b/debian/rules
index 3e15079..ea8f110 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ include debian/rules.env
 export REPOID=${REPOID_GENERATED}
 
 %:
-	dh $@
+	dh $@ --with installsysusers
 
 override_dh_installsystemd:
 	dh_installsystemd --no-start --no-stop-on-upgrade \
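
Review bot: 'dh $@ --with installsysusers' already makes debhelper add a systemd-sysusers call for the packaged fragment to the generated postinst, while this patch also adds a bare 'systemd-sysusers' to migrate_pmg_smtp_filter. Called without arguments it processes every sysusers.d fragment on the system, not only this package's. If the explicit call is needed because the chown must run before the debhelper snippet, pass the fragment name (presumably pmg-api.conf, as installed from debian/pmg-api.sysusers) and say so in a comment. The chown itself only runs on upgrades from before 8.1.3, so a fresh install never gets 'chown :pmg /var/lib/pmg'.
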
-- 
2.39.2




* [pmg-devel] [PATCH api v4 06/10] postinstall: make rrdcached be readable by the pmg group
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (3 preceding siblings ...)
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 05/10] postinstall: add new group for shared functionality Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/install                  | 1 +
 debian/postinst                 | 5 +++++
 debian/rrdcached-sockgroup.conf | 2 ++
 3 files changed, 8 insertions(+)
 create mode 100644 debian/rrdcached-sockgroup.conf

diff --git a/debian/install b/debian/install
index 35882f8..491dfdf 100644
--- a/debian/install
+++ b/debian/install
@@ -11,3 +11,4 @@ debian/pmgreport.service /lib/systemd/system/
 debian/pmgspamreport.service /lib/systemd/system/
 debian/pmgsync.service /lib/systemd/system/
 debian/pmgtunnel.service /lib/systemd/system/
+debian/rrdcached-sockgroup.conf /lib/systemd/system/rrdcached.service.d/
diff --git a/debian/postinst b/debian/postinst
index ebae645..998f7a3 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,11 @@ migrate_pmg_smtp_filter() {
 
     chown :pmg /var/lib/pmg
 
+    if systemctl --quiet is-active rrdcached.service ; then
+        systemctl daemon-reload
+        deb-systemd-invoke reload-or-try-restart rrdcached.service >/dev/null || true
+    fi
+
     pmgdb update >/dev/null 2>&1 &
 }
 
diff --git a/debian/rrdcached-sockgroup.conf b/debian/rrdcached-sockgroup.conf
new file mode 100644
index 0000000..bee76ac
--- /dev/null
+++ b/debian/rrdcached-sockgroup.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=SOCKGROUP=pmg
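
Review bot: Environment=SOCKGROUP=pmg only reaches rrdcached when the process is started anew, but the postinst hunk in this patch uses 'reload-or-try-restart'. If the rrdcached unit supports reload, the running daemon keeps its old socket group until the next full restart; use try-restart instead. It is also worth confirming that a SOCKGROUP value in the defaults file mentioned in the v3 changelog does not take precedence over the unit environment. The commit message has no body; one sentence on which process needs the socket would help.
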
-- 
2.39.2




* [pmg-devel] [PATCH api v4 07/10] spamasassin: store files in dir managed by pmg
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (4 preceding siblings ...)
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 06/10] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PMG/Config.pm       | 8 ++++----
 src/PMG/Report.pm       | 2 +-
 src/bin/pmg-smtp-filter | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 95bc57b..a91bb10 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1594,13 +1594,13 @@ sub rewrite_config_spam {
 
     # delete AW and bayes databases if those features are disabled
     if (!$use_awl) {
-	$changes = 1 if unlink '/root/.spamassassin/auto-whitelist';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/auto-whitelist';
     }
 
     if (!$use_bayes) {
-	$changes = 1 if unlink '/root/.spamassassin/bayes_journal';
-	$changes = 1 if unlink '/root/.spamassassin/bayes_seen';
-	$changes = 1 if unlink '/root/.spamassassin/bayes_toks';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_journal';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_seen';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_toks';
     }
 
     # make sure we have the custom SA files (else cluster sync fails)
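
Review bot: the unlink targets move from /root/.spamassassin to /var/lib/pmg/spamassassin, but nothing in this patch (three files, path strings only) moves existing auto-whitelist and bayes_* files to the new location or creates the directory with an owner the filter user can write to. Upgraded systems would start with empty Bayes and AWL data and leave the old databases behind in /root. Add a migration step to the postinst and create the directory with group pmg, and describe both in the commit message, which currently has no body.
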
diff --git a/src/PMG/Report.pm b/src/PMG/Report.pm
index 100a197..3512ecf 100644
--- a/src/PMG/Report.pm
+++ b/src/PMG/Report.pm
@@ -123,7 +123,7 @@ sub check_dns_resolution {
 	debug => 0,
 	local_tests_only => 0,
 	home_dir_for_helpers => '/root',
-	userstate_dir => '/root/.spamassassin',
+	userstate_dir => '/var/lib/pmg/spamassassin',
 	dont_copy_prefs   => 1,
 	stop_at_threshold => 0,
     });
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 9f46941..f9499df 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -460,7 +460,7 @@ sub pre_loop_hook {
 	debug => 0,
 	local_tests_only => $opt_testmode || !$rbl_checks,
 	home_dir_for_helpers => '/root',
-	userstate_dir => '/root/.spamassassin',
+	userstate_dir => '/var/lib/pmg/spamassassin',
 	dont_copy_prefs   => 1,
 	stop_at_threshold => 0,
     });
-- 
2.39.2




* [pmg-devel] [PATCH api v4 08/10] mailqueue: make mail queue writable by pmg group
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (5 preceding siblings ...)
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 07/10] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst      | 9 +++++++++
 src/PMG/MailQueue.pm | 7 ++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index 998f7a3..905d850 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,15 @@ migrate_pmg_smtp_filter() {
 
     chown :pmg /var/lib/pmg
 
+    chown :pmg /var/spool/pmg/active
+    chown :pmg /var/spool/pmg/virus
+    chown :pmg /var/spool/pmg/spam
+    chown :pmg /var/spool/pmg/attachment
+    chmod g+w /var/spool/pmg/active
+    chmod g+w /var/spool/pmg/virus
+    chmod g+w /var/spool/pmg/spam
+    chmod g+w /var/spool/pmg/attachment
+
     if systemctl --quiet is-active rrdcached.service ; then
         systemctl daemon-reload
         deb-systemd-invoke reload-or-try-restart rrdcached.service >/dev/null || true
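
Review bot: the eight chown/chmod calls touch only the four top-level directories, non-recursively. Subdirectories and queued or quarantined files created by the old root-run daemons stay root-owned and not group-writable, so the unprivileged filter cannot modify or remove them after the upgrade. The per-cluster directories under /var/spool/pmg/cluster are not covered either. Use a recursive chgrp/chmod (or find with -exec) over the spool, and drop the repetition with a loop over the directory names.
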
diff --git a/src/PMG/MailQueue.pm b/src/PMG/MailQueue.pm
index 4e37cb9..adbf28c 100644
--- a/src/PMG/MailQueue.pm
+++ b/src/PMG/MailQueue.pm
@@ -33,12 +33,13 @@ sub create_spooldirs {
 	"$spooldir/attachment",
     ]) if $cleanup;
 
-    mkpath([
+    mkpath(
 	"$spooldir/active",
 	"$spooldir/spam",
 	"$spooldir/virus",
 	"$spooldir/attachment",
-    ]);
+	{ group=>'pmg', chmod=>0775 },
+    );
 
     if ($lcid) {
 	mkpath "$spooldir/cluster/$lcid/virus";
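
Review bot: the group and chmod options are applied only to the four directories in this call, and only when mkpath actually creates them. The 'mkpath "$spooldir/cluster/$lcid/virus"' call in the context right below still creates its directories without group pmg, so cluster nodes end up with a mixed layout. Pass the same options hash to the cluster mkpath calls, and consider an explicit chown/chmod for directories that already exist.
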
@@ -68,7 +69,7 @@ sub new_fileid {
     my $uid;
     my $subsubdir = '';
 
-    if (!($fh = IO::File->new ($path, 'w+', 0600))) {
+    if (!($fh = IO::File->new ($path, 'w+', 0660))) {
 	die "unable to create file '$path': $! : ERROR";
     }
 
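
Review bot: the permission argument in 'IO::File->new ($path, 'w+', 0660)' has no effect. IO::File passes the third argument to sysopen only when the mode is numeric; with a string mode such as 'w+' it uses plain open and the file mode comes from the umask, which was equally true for the old 0600. If group write access is required, open with numeric flags from Fcntl (O_RDWR|O_CREAT|O_TRUNC) and 0660, or chmod the handle after creation. Please also confirm that every member of group pmg should be able to read and rewrite queued mail.
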
-- 
2.39.2




* [pmg-devel] [PATCH api v4 09/10] d/sysusers: add users for pmgpolicy and smtp-filter
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (6 preceding siblings ...)
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 08/10] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

The pmgpolicy user needs access to the system journals so we add it to
the systemd-journal group.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-api.sysusers | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
index a546c45..11fa19e 100644
--- a/debian/pmg-api.sysusers
+++ b/debian/pmg-api.sysusers
@@ -1 +1,6 @@
 g pmg             -               -
+u pmg-smtp-filter -               "SMTP filter user"
+u pmgpolicy       -               "Mail policy user"
+m pmg-smtp-filter pmg             -
+m pmgpolicy       pmg             -
+m pmgpolicy       systemd-journal -
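
Review bot: 'm pmgpolicy systemd-journal -' gives the policy daemon read access to every system journal, not only its own or the mail-related entries. The commit message says access is needed but not what is read or why. Since the series exists to reduce privileges, please document the consumer, and check whether a narrower source would do before adding the group membership.
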
-- 
2.39.2




* [pmg-devel] [PATCH api v4 10/10] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights
  2024-07-10 14:35 [pmg-devel] [PATCH api v4 01/10] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (7 preceding siblings ...)
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 09/10] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
@ 2024-07-10 14:35 ` Maximiliano Sandoval
  8 siblings, 0 replies; 12+ messages in thread
From: Maximiliano Sandoval @ 2024-07-10 14:35 UTC (permalink / raw)
  To: pmg-devel

New users 'pmg-smtp-filter' and 'pmgpolicy' are created for their
respective processes and we set their systemd units to use them.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-smtp-filter.service | 2 ++
 debian/pmgpolicy.service       | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index c887dc2..c4d5e38 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -16,6 +16,8 @@ Type=forking
 Restart=on-abort
 RestartSec=10
 RuntimeDirectory=pmg-smtp-filter
+User=pmg-smtp-filter
+Group=pmg-smtp-filter
 
 [Install]
 WantedBy=multi-user.target
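
Review bot: with User=pmg-smtp-filter the RuntimeDirectory= above, and the pid file inside it, become owned and writable by the unprivileged service user. reload_smtp_filter() from 02/10 reads a pid from that file; if it is reached from a root process and signals that pid, a compromised filter can redirect the signal to any process on the host. Prefer 'systemctl reload pmg-smtp-filter' there, since ExecReload= already uses the $MAINPID that systemd tracks itself, or validate that the pid belongs to the service before signalling.
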
diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 21a403f..cd8ee60 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -13,6 +13,8 @@ ExecReload=/bin/kill -HUP $MAINPID
 PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
 RuntimeDirectory=pmgpolicy
+User=pmgpolicy
+Group=pmgpolicy
 
 [Install]
 WantedBy=multi-user.target
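
Review bot: User= and Group= are the only confinement added to the unit. As this is the change that closes #4926, consider adding NoNewPrivileges=yes and, where the daemon's file access allows it, ProtectSystem=, ProtectHome= and PrivateTmp= in the same patch or a follow-up, so the unit cannot regain privileges through setuid helpers. The commit message should also mention that the supplementary groups come from the sysusers entries in 09/10.
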
-- 
2.39.2




* Re: [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter
  2024-07-10 14:35 ` [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
@ 2024-07-12  9:54   ` Fiona Ebner
       [not found]     ` <s8ottgq2784.fsf@proxmox.com>
  0 siblings, 1 reply; 12+ messages in thread
From: Fiona Ebner @ 2024-07-12  9:54 UTC (permalink / raw)
  To: Maximiliano Sandoval, pmg-devel

On 10.07.24 at 16:35, Maximiliano Sandoval wrote:
> diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
> index 5d9ded4..09cb42d 100644
> --- a/src/PMG/Utils.pm
> +++ b/src/PMG/Utils.pm
> @@ -1462,7 +1462,7 @@ sub get_pg_server_version {
>  
>  sub reload_smtp_filter {
>  
> -    my $pid_file = '/run/pmg-smtp-filter.pid';
> +    my $pid_file = '/run/pmg-smtp-filter/pmg-smtp-filter.pid';
>      my $pid = PVE::Tools::file_read_firstline($pid_file);
>  
>      return 0 if !$pid;

Can there be a race here during/after update? I.e. service still running
with PID file in old path and reload_smtp_filter() is called only
checking the new path. Does something ensure this can't happen?
Otherwise, I suppose we'll need to check the old path too until the next
major release.

And what about the other way around, i.e. service already running with
PID file in new path and old version of reload_smtp_filter() called
still checking the old path?



* Re: [pmg-devel] [PATCH api v4 02/10] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter
       [not found]     ` <s8ottgq2784.fsf@proxmox.com>
@ 2024-07-16  9:14       ` Fiona Ebner
  0 siblings, 0 replies; 12+ messages in thread
From: Fiona Ebner @ 2024-07-16  9:14 UTC (permalink / raw)
  To: Maximiliano Sandoval, pmg-devel

CC-ing pmg-devel again

On 15.07.24 at 14:02, Maximiliano Sandoval wrote:
> Fiona Ebner <f.ebner@proxmox.com> writes:
> 
>> On 10.07.24 at 16:35, Maximiliano Sandoval wrote:
>>> diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
>>> index 5d9ded4..09cb42d 100644
>>> --- a/src/PMG/Utils.pm
>>> +++ b/src/PMG/Utils.pm
>>> @@ -1462,7 +1462,7 @@ sub get_pg_server_version {
>>>  
>>>  sub reload_smtp_filter {
>>>  
>>> -    my $pid_file = '/run/pmg-smtp-filter.pid';
>>> +    my $pid_file = '/run/pmg-smtp-filter/pmg-smtp-filter.pid';
>>>      my $pid = PVE::Tools::file_read_firstline($pid_file);
>>>  
>>>      return 0 if !$pid;
>>
>> Can there be a race here during/after update? I.e. service still running
>> with PID file in old path and reload_smtp_filter() is called only
>> checking the new path. Does something ensure this can't happen?
>> Otherwise, I suppose we'll need to check the old path too until the next
>> major release.
>>
>> And what about the other way around, i.e. service already running with
>> PID file in new path and old version of reload_smtp_filter() called
>> still checking the old path?
> 
> I am not entirely sure to be honest. Every service will be restarted
> after the install so at most there could be races during the install
> process.
> 

But the src/PMG/Utils.pm file is used by other services too, right?  And
it seems likely that reload_smtp_filter() can be reached by those, e.g.
one caller is PMG/Config.pm's rewrite_config().

> I am not sure how this is handled in perl, but my understanding is that
> the file is in memory until the service is restarted in which case I
> don't think there should be any race in this window either.
> 

