public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy
@ 2025-04-04 13:14 Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 02/11] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

We use systemd's RuntimeDirectory to ensure the directory exists when needed.

We also set $opt_pidfile using PIDFILE, see
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#%24PIDFILE.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---

Differences from v4:
 - Run pmg-smtp-filter migration if coming from a version older than 9.0.0.
 - Instead of adding the pmgpolicy user to the pmg group, pmgproxy.service is
   started with SupplementaryGroups=systemd-journal
 - Use $ENV{'PIDFILE'} instead of hardcoding PID path on binaries backed up
   with a systemd service

Differences from v3:
 - Override rrdcached's systemd unit to add SOCKGROUP=pmg instead of
   modifying /etc/default/rrdcached.conf

Differences from v2:
 - Use systemd-sysusers for creating users

 debian/pmgpolicy.service | 3 ++-
 src/bin/pmgpolicy        | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 517a5d61..21a403f0 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -10,8 +10,9 @@ ExecStart=/usr/bin/pmgpolicy
 KillMode=mixed
 TimeoutStopSec=40
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmgpolicy.pid
+PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
+RuntimeDirectory=pmgpolicy
 
 [Install]
 WantedBy=multi-user.target
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index df2e66f4..3f976ff7 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -56,7 +56,7 @@ if (!GetOptions(%_opts)) {
     exit (-1);
 }
 
-$opt_pidfile = "/run/pmgpolicy.pid" if !$opt_pidfile;
+$opt_pidfile = $ENV{'PIDFILE'} if !$opt_pidfile;
 $opt_max_dequeue = 0 if $opt_testmode;
 
 initlog('pmgpolicy', 'mail');
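
Review bot: `$ENV{'PIDFILE'}` in the new `$opt_pidfile` default is only set when systemd starts the process for a unit that has `PIDFile=`, so a manual start without the pid-file option (for example a `$opt_testmode` run) now leaves `$opt_pidfile` undefined where it used to be `/run/pmgpolicy.pid`. Keep a fallback such as `$ENV{'PIDFILE'} // '/run/pmgpolicy/pmgpolicy.pid'`, or die with a clear message when neither is given.
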
-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel



* [pmg-devel] [PATCH pmg-api v5 02/11] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 03/11] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

We use systemd's RuntimeDirectory to ensure the directory exists when needed.

We also set $opt_pidfile using PIDFILE, see
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#%24PIDFILE.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-smtp-filter.service | 3 ++-
 src/PMG/Utils.pm               | 2 +-
 src/bin/pmg-smtp-filter        | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index cbf2d6f3..c887dc2d 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -11,10 +11,11 @@ ExecStart=/usr/bin/pmg-smtp-filter
 KillMode=mixed
 TimeoutStopSec=40
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/run/pmg-smtp-filter.pid
+PIDFile=/run/pmg-smtp-filter/pmg-smtp-filter.pid
 Type=forking
 Restart=on-abort
 RestartSec=10
+RuntimeDirectory=pmg-smtp-filter
 
 [Install]
 WantedBy=multi-user.target
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index 3e7adbb6..07a6c9be 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -1515,7 +1515,7 @@ sub get_pg_server_version {
 
 sub reload_smtp_filter {
 
-    my $pid_file = '/run/pmg-smtp-filter.pid';
+    my $pid_file = '/run/pmg-smtp-filter/pmg-smtp-filter.pid';
     my $pid = PVE::Tools::file_read_firstline($pid_file);
 
     return 0 if !$pid;
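
Review bot: the new `$pid_file` value in `reload_smtp_filter` is a second hardcoded copy of the `PIDFile=` path from pmg-smtp-filter.service, so the two can drift apart; a shared constant would avoid that. Once 11/11 runs the filter as its own user, /run/pmg-smtp-filter is owned by that user, so the first line read here becomes input controlled by the unprivileged service. Check that `$pid` is a plain positive integer before it is used.
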
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 32bad7b8..fcaaffc5 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -80,7 +80,7 @@ if (!GetOptions(
     exit (-1);
 }
 
-$opt_pidfile = "/run/${prog_name}.pid" if !$opt_pidfile;
+$opt_pidfile = $ENV{'PIDFILE'} if !$opt_pidfile;
 
 my $max_servers = 1;
 my $min_servers = 1;
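
Review bot: the removed default for `$opt_pidfile` was built from `$prog_name` and worked for any start method, while `$ENV{'PIDFILE'}` is unset outside the systemd unit, so the variable stays undefined there. Keep a fallback along the lines of `$ENV{'PIDFILE'} // "/run/${prog_name}/${prog_name}.pid"`.
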
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 03/11] config: store config lock in smtp-filter runtime dir
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 02/11] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 04/11] create new users for the rule db Maximiliano Sandoval
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PMG/Config.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 82bd42ec..754cc791 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1827,8 +1827,8 @@ my $pmg_service_params = {
     },
 };
 
-my $smtp_filter_cfg = '/run/pmg-smtp-filter.cfg';
-my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter.cfg.lck';
+my $smtp_filter_cfg = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg';
+my $smtp_filter_cfg_lock = '/run/pmg-smtp-filter/pmg-smtp-filter.cfg.lck';
 
 sub dump_smtp_filter_config {
     my ($self) = @_;
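
Review bot: `$smtp_filter_cfg` and `$smtp_filter_cfg_lock` now live in /run/pmg-smtp-filter, which 02/11 declares as `RuntimeDirectory=`; systemd creates that directory when the service starts and removes it when the service stops, so writing the config or taking the lock while pmg-smtp-filter is stopped fails on a missing directory. With 11/11 the directory is also owned by the pmg-smtp-filter user, so please state which processes write here and as which user. `RuntimeDirectoryPreserve=yes` or a tmpfiles.d entry would keep the directory available. The commit message is empty apart from the sign-off; a sentence on this would help.
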
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 04/11] create new users for the rule db
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 02/11] pmg-smtp-filter: move pid file into /run/pmg-smtp-filter Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 03/11] config: store config lock in smtp-filter runtime dir Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 05/11] postinstall: add new group for shared functionality Maximiliano Sandoval
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

These users will be used by the pmg-smtp-filter and pmgpolicy. We add a
helper function to open the rule_db as a given user.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst         |  8 ++++++++
 src/PMG/DBTools.pm      | 26 ++++++++++++++++++++++++--
 src/bin/pmg-smtp-filter |  4 ++--
 src/bin/pmgpolicy       |  6 +++---
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index 98444d22..708350ec 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -48,6 +48,10 @@ migrate_apt_auth_conf() {
     fi
 }
 
+migrate_pmg_smtp_filter() {
+    pmgdb update >/dev/null 2>&1 &
+}
+
 case "$1" in
     triggered)
 
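
Review bot: `pmgdb update >/dev/null 2>&1 &` in `migrate_pmg_smtp_filter` runs in the background with all output discarded, so postinst can finish, and the services can be started, before the database roles added by this patch exist, and a failed update leaves no trace. Run it in the foreground, or at least log its output and exit status.
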
@@ -67,6 +71,10 @@ case "$1" in
 
         if test ! -e /proxmox_install_mode ; then
 
+            if test -n "$2" && dpkg --compare-versions "$2" 'lt' '9.0.0'; then
+                migrate_pmg_smtp_filter
+            fi
+
             pmgconf="/etc/pmg/pmg.conf"
             if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.0.2'; then
                 # on upgrade add pre 8.0 default values for advfilter, use_awl and use_bayes
diff --git a/src/PMG/DBTools.pm b/src/PMG/DBTools.pm
index 1acc0cb6..7b5181ab 100644
--- a/src/PMG/DBTools.pm
+++ b/src/PMG/DBTools.pm
@@ -38,7 +38,7 @@ sub cgreylist_merge_sql {
 }
 
 sub open_ruledb {
-    my ($database, $host, $port) = @_;
+    my ($database, $host, $port, $user) = @_;
 
     $port //= 5432;
 
@@ -74,13 +74,19 @@ sub open_ruledb {
 	return $rdb;
     } else {
 	my $dsn = "DBI:Pg:dbname=$database;host=/var/run/postgresql;port=$port";
-	my $user = $> == 0 ? 'root' : 'www-data';
+	$user //= $> == 0 ? 'root' : 'www-data';
 	my $dbh = DBI->connect($dsn, $user, undef, { PrintError => 0, RaiseError => 1 });
 
 	return $dbh;
     }
 }
 
+sub open_ruledb_as {
+    my ($database, $user) = @_;
+
+    open_ruledb($database, undef, undef, $user);
+}
+
 sub delete_ruledb {
     my ($dbname) = @_;
 
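
Review bot: `open_ruledb_as` has no explicit `return` and relies on the value of its last statement; write `return open_ruledb($database, undef, undef, $user);`. The new `$user` argument of `open_ruledb` is consumed in the local-socket branch shown here; if the branch above it ignores the argument, say so in a comment or reject the combination.
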
@@ -609,6 +615,22 @@ sub upgradedb {
 	}
     }
 
+    foreach my $user ('pmgpolicy', 'pmg-smtp-filter') {
+	eval {
+	    my $silent_opts = { outfunc => sub {}, errfunc => sub {} };
+	    postgres_admin_cmd('createuser',  $silent_opts, '-D', $user);
+
+	    $dbh->begin_work;
+	    $dbh->do("GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO \"$user\"");
+	    $dbh->do("GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"$user\"");
+	    $dbh->commit;
+
+	};
+	if (my $err = $@) {
+	    $dbh->rollback;
+	}
+    }
+
     foreach my $table (keys %$tables) {
 	eval { $dbh->do("ANALYZE $table"); };
 	warn $@ if $@;
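
Review bot: in the new `foreach my $user` block, if `postgres_admin_cmd` dies on a failing `createuser` (for example because the role already exists on a later `pmgdb update`), the `eval` is left before `begin_work`, so the GRANTs are skipped, `$dbh->rollback` runs with no open transaction, and `$err` is dropped without a `warn`. Create the role only when it is missing, keep the GRANTs out of that failure path, and log `$err`. `GRANT ... ON ALL TABLES` covers only the tables that exist at that moment, so tables added later need `ALTER DEFAULT PRIVILEGES` or a re-grant. INSERT, UPDATE and DELETE on every table for both roles is broad; consider narrowing it to the tables each daemon uses.
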
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index fcaaffc5..e95e6458 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -387,7 +387,7 @@ sub load_config {
     PMG::MailQueue::create_spooldirs($self->{cinfo}->{local}->{cid});
 
     eval {
-	my $dbh = PMG::DBTools::open_ruledb ($database);
+	my $dbh = PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter');
 	$self->{ruledb} = PMG::RuleDB->new ($dbh);
 
 	# load rulecache
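
Review bot: `open_ruledb_as($database, 'pmg-smtp-filter')` connects over the local socket without a password, and at this point in the series the daemon still runs as root, since `User=` only arrives in 11/11. If the socket uses peer authentication, the connection as role pmg-smtp-filter is refused until 11/11 is applied, which breaks bisecting. Either land the role switch together with the unit change or derive the role from the effective user.
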
@@ -538,7 +538,7 @@ sub run_dequeue {
 
     my $cinfo = PVE::INotify::read_file("cluster.conf");
 
-    my $dbh = eval { PMG::DBTools::open_ruledb($database) };
+    my $dbh = eval { PMG::DBTools::open_ruledb_as($database, 'pmg-smtp-filter') };
     if ($err = $@) {
 	$self->log (0, "ERROR: $err");
 	return;
diff --git a/src/bin/pmgpolicy b/src/bin/pmgpolicy
index 3f976ff7..92fb6f89 100755
--- a/src/bin/pmgpolicy
+++ b/src/bin/pmgpolicy
@@ -142,7 +142,7 @@ sub run_dequeue {
     my $dbh;
 
     eval {
-	$dbh = PMG::DBTools::open_ruledb($database);
+	$dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
     };
     my $err = $@;
 
@@ -343,7 +343,7 @@ sub load_config {
     my $dbh;
 
     eval {
-	$dbh = PMG::DBTools::open_ruledb($database);
+	$dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
 	$self->{ruledb} = PMG::RuleDB->new($dbh);
 	$self->{rulecache} = PMG::RuleCache->new($self->{ruledb});
     };
@@ -523,7 +523,7 @@ sub greylist_value {
 	$self->log(0, 'Database connection broken - trying to reconnect');
 	my $dbh;
 	eval {
-	    $dbh = PMG::DBTools::open_ruledb($database);
+	    $dbh = PMG::DBTools::open_ruledb_as($database, 'pmgpolicy');
 	};
 	my $err = $@;
 	if ($err) {
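
Review bot: the literal 'pmgpolicy' is now repeated at three call sites in this file (`run_dequeue`, `load_config`, `greylist_value`). A single file-level constant for the role name keeps them from drifting away from the role created in `upgradedb`.
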
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 05/11] postinstall: add new group for shared functionality
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (2 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 04/11] create new users for the rule db Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 06/11] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

A shared group named 'pmg' is introduced for processes that need to be
accessible from multiple processes like spamassassin, rrdcached or the
mail queue at /var/spool/pmg.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-api.sysusers | 1 +
 debian/postinst         | 4 ++++
 debian/rules            | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 debian/pmg-api.sysusers

diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
new file mode 100644
index 00000000..a546c45f
--- /dev/null
+++ b/debian/pmg-api.sysusers
@@ -0,0 +1 @@
+g pmg             -               -
diff --git a/debian/postinst b/debian/postinst
index 708350ec..9af65ebf 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -49,6 +49,10 @@ migrate_apt_auth_conf() {
 }
 
 migrate_pmg_smtp_filter() {
+    systemd-sysusers
+
+    chown :pmg /var/lib/pmg
+
     pmgdb update >/dev/null 2>&1 &
 }
 
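
Review bot: `systemd-sysusers` without arguments in `migrate_pmg_smtp_filter` applies every sysusers.d fragment on the host, not only the one shipped by this package; pass the package's fragment name. `chown :pmg /var/lib/pmg` changes only the group and leaves the mode as it is, so set the expected mode explicitly if group access is the intent. Both commands sit in a function that 04/11 only calls for upgrades from versions older than 9.0.0, so on a fresh install the chown never runs.
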
diff --git a/debian/rules b/debian/rules
index 3e150795..ea8f110c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ include debian/rules.env
 export REPOID=${REPOID_GENERATED}
 
 %:
-	dh $@
+	dh $@ --with installsysusers
 
 override_dh_installsystemd:
 	dh_installsystemd --no-start --no-stop-on-upgrade \
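
Review bot: `--with installsysusers` needs a debhelper that ships dh_installsysusers, but the diffstat shows no change to debian/control. Add or raise the Build-Depends accordingly.
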
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 06/11] postinstall: make rrdcached be readable by the pmg group
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (3 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 05/11] postinstall: add new group for shared functionality Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 07/11] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/install                  | 1 +
 debian/postinst                 | 5 +++++
 debian/rrdcached-sockgroup.conf | 2 ++
 3 files changed, 8 insertions(+)
 create mode 100644 debian/rrdcached-sockgroup.conf

diff --git a/debian/install b/debian/install
index 35882f85..491dfdfd 100644
--- a/debian/install
+++ b/debian/install
@@ -11,3 +11,4 @@ debian/pmgreport.service /lib/systemd/system/
 debian/pmgspamreport.service /lib/systemd/system/
 debian/pmgsync.service /lib/systemd/system/
 debian/pmgtunnel.service /lib/systemd/system/
+debian/rrdcached-sockgroup.conf /lib/systemd/system/rrdcached.service.d/
diff --git a/debian/postinst b/debian/postinst
index 9af65ebf..c12870fa 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,11 @@ migrate_pmg_smtp_filter() {
 
     chown :pmg /var/lib/pmg
 
+    if systemctl --quiet is-active rrdcached.service ; then
+        systemctl daemon-reload
+        deb-systemd-invoke reload-or-try-restart rrdcached.service >/dev/null || true
+    fi
+
     pmgdb update >/dev/null 2>&1 &
 }
 
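
Review bot: `reload-or-try-restart` prefers a reload when the unit supports one, and a reload does not apply a changed `Environment=`, so the SOCKGROUP value from the new drop-in may not reach the running rrdcached; use `try-restart`. The `systemctl daemon-reload` is also inside the `is-active` check, so the drop-in is not loaded here when rrdcached happens to be stopped during the upgrade.
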
diff --git a/debian/rrdcached-sockgroup.conf b/debian/rrdcached-sockgroup.conf
new file mode 100644
index 00000000..bee76ac2
--- /dev/null
+++ b/debian/rrdcached-sockgroup.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=SOCKGROUP=pmg
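
Review bot: `Environment=SOCKGROUP=pmg` loses against the same variable set through an `EnvironmentFile=`, because systemd lets settings from such files override `Environment=`. The v3 changelog names /etc/default/rrdcached.conf as the earlier place for this value, so a SOCKGROUP already set there would silently win. Document that or check for it in postinst. The commit message is empty; please describe why the socket group changes.
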
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 07/11] spamasassin: store files in dir managed by pmg
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (4 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 06/11] postinstall: make rrdcached be readable by the pmg group Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 08/11] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PMG/Config.pm       | 8 ++++----
 src/PMG/Report.pm       | 2 +-
 src/bin/pmg-smtp-filter | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 754cc791..89873f56 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1601,13 +1601,13 @@ sub rewrite_config_spam {
 
     # delete AW and bayes databases if those features are disabled
     if (!$use_awl) {
-	$changes = 1 if unlink '/root/.spamassassin/auto-whitelist';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/auto-whitelist';
     }
 
     if (!$use_bayes) {
-	$changes = 1 if unlink '/root/.spamassassin/bayes_journal';
-	$changes = 1 if unlink '/root/.spamassassin/bayes_seen';
-	$changes = 1 if unlink '/root/.spamassassin/bayes_toks';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_journal';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_seen';
+	$changes = 1 if unlink '/var/lib/pmg/spamassassin/bayes_toks';
     }
 
     # make sure we have the custom SA files (else cluster sync fails)
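
Review bot: the `unlink` paths move to /var/lib/pmg/spamassassin, but nothing in this patch creates that directory or moves existing auto-whitelist and bayes files out of /root/.spamassassin, so learned data is left behind on upgrade and the old files are no longer removed when `$use_awl` or `$use_bayes` is off. Add a migration step and create the directory with the ownership the filter user needs. The directory is spelled out four times in this hunk; a constant would help.
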
diff --git a/src/PMG/Report.pm b/src/PMG/Report.pm
index 79060a08..a93f00f2 100644
--- a/src/PMG/Report.pm
+++ b/src/PMG/Report.pm
@@ -125,7 +125,7 @@ sub check_dns_resolution {
 	debug => 0,
 	local_tests_only => 0,
 	home_dir_for_helpers => '/root',
-	userstate_dir => '/root/.spamassassin',
+	userstate_dir => '/var/lib/pmg/spamassassin',
 	dont_copy_prefs   => 1,
 	stop_at_threshold => 0,
     });
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index e95e6458..f46d4ccf 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -460,7 +460,7 @@ sub pre_loop_hook {
 	debug => 0,
 	local_tests_only => $opt_testmode || !$rbl_checks,
 	home_dir_for_helpers => '/root',
-	userstate_dir => '/root/.spamassassin',
+	userstate_dir => '/var/lib/pmg/spamassassin',
 	dont_copy_prefs   => 1,
 	stop_at_threshold => 0,
     });
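
Review bot: `userstate_dir` moves out of /root, but the context line `home_dir_for_helpers => '/root'` stays, and after 11/11 this process runs as pmg-smtp-filter, which normally cannot access /root. Point `home_dir_for_helpers` at a directory the service user owns as well.
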
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 08/11] mailqueue: make mail queue writable by pmg group
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (5 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 07/11] spamasassin: store files in dir managed by pmg Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 09/11] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/postinst      | 9 +++++++++
 src/PMG/MailQueue.pm | 7 ++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index c12870fa..ba6497a0 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -53,6 +53,15 @@ migrate_pmg_smtp_filter() {
 
     chown :pmg /var/lib/pmg
 
+    chown :pmg /var/spool/pmg/active
+    chown :pmg /var/spool/pmg/virus
+    chown :pmg /var/spool/pmg/spam
+    chown :pmg /var/spool/pmg/attachment
+    chmod g+w /var/spool/pmg/active
+    chmod g+w /var/spool/pmg/virus
+    chmod g+w /var/spool/pmg/spam
+    chmod g+w /var/spool/pmg/attachment
+
     if systemctl --quiet is-active rrdcached.service ; then
         systemctl daemon-reload
         deb-systemd-invoke reload-or-try-restart rrdcached.service >/dev/null || true
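
Review bot: the `chown :pmg` and `chmod g+w` calls touch only the four top-level directories, so subdirectories and mail files already queued below them keep their old owner and mode and stay out of reach for the unprivileged filter. The `cluster/` tree created in `create_spooldirs` is not covered either. Apply the change recursively or handle existing content explicitly; a loop over the four names would also halve the lines.
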
diff --git a/src/PMG/MailQueue.pm b/src/PMG/MailQueue.pm
index 4e37cb98..adbf28c1 100644
--- a/src/PMG/MailQueue.pm
+++ b/src/PMG/MailQueue.pm
@@ -33,12 +33,13 @@ sub create_spooldirs {
 	"$spooldir/attachment",
     ]) if $cleanup;
 
-    mkpath([
+    mkpath(
 	"$spooldir/active",
 	"$spooldir/spam",
 	"$spooldir/virus",
 	"$spooldir/attachment",
-    ]);
+	{ group=>'pmg', chmod=>0775 },
+    );
 
     if ($lcid) {
 	mkpath "$spooldir/cluster/$lcid/virus";
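
Review bot: only the four entries in this `mkpath` call get `group=>'pmg', chmod=>0775`; the `mkpath "$spooldir/cluster/$lcid/virus"` call right below still uses the defaults, so cluster spool directories end up with different ownership and mode. `0775` also gives users outside the group read and search access to the quarantine directories; `0770` matches the stated goal of group access.
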
@@ -68,7 +69,7 @@ sub new_fileid {
     my $uid;
     my $subsubdir = '';
 
-    if (!($fh = IO::File->new ($path, 'w+', 0600))) {
+    if (!($fh = IO::File->new ($path, 'w+', 0660))) {
 	die "unable to create file '$path': $! : ERROR";
     }
 
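
Review bot: `0660` in `new_fileid` makes every new spool file writable by all members of pmg, which after 09/11 includes pmgpolicy. If the other group members only need to read queued mail, `0640` is enough. The mode passed here is still masked by the process umask, so set the umask explicitly if group access has to be guaranteed.
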
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 09/11] d/sysusers: add users for pmgpolicy and smtp-filter
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (6 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 08/11] mailqueue: make mail queue writable by pmg group Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 10/11] pmgpolicy: set SumplementaryGroups=systemd-journal Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 11/11] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-api.sysusers | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/debian/pmg-api.sysusers b/debian/pmg-api.sysusers
index a546c45f..cf536230 100644
--- a/debian/pmg-api.sysusers
+++ b/debian/pmg-api.sysusers
@@ -1 +1,5 @@
 g pmg             -               -
+u pmg-smtp-filter -               "SMTP filter user"
+u pmgpolicy       -               "Mail policy user"
+m pmg-smtp-filter pmg             -
+m pmgpolicy       pmg             -
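
Review bot: `m pmgpolicy pmg` puts the policy daemon into the same group that 08/11 makes the group owner of the mail spool, with write access. If pmgpolicy does not need the spool, leave it out of pmg or give it a narrower group, and say in the commit message which shared resource each membership is for.
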
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 10/11] pmgpolicy: set SumplementaryGroups=systemd-journal
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (7 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 09/11] d/sysusers: add users for pmgpolicy and smtp-filter Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 11/11] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights Maximiliano Sandoval
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

We need access to the system journal.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmgpolicy.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 21a403f0..200ade5f 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -13,6 +13,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
 RuntimeDirectory=pmgpolicy
+SupplementaryGroups=systemd-journal
 
 [Install]
 WantedBy=multi-user.target
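
Review bot: `SupplementaryGroups=systemd-journal` grants read access to the whole system journal, which writing log messages does not require, so the commit message should say what pmgpolicy reads from the journal. The v5 changelog in 01/11 names pmgproxy.service for this setting while the patch changes pmgpolicy.service, and the subject misspells the directive as SumplementaryGroups.
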
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api v5 11/11] fix #4926: run pmg-smtp-filter and pmgpolicy without root rights
  2025-04-04 13:14 [pmg-devel] [PATCH pmg-api v5 01/11] pmgpolicy: move pid file into /run/pmgpolicy Maximiliano Sandoval
                   ` (8 preceding siblings ...)
  2025-04-04 13:14 ` [pmg-devel] [PATCH pmg-api v5 10/11] pmgpolicy: set SumplementaryGroups=systemd-journal Maximiliano Sandoval
@ 2025-04-04 13:14 ` Maximiliano Sandoval
  9 siblings, 0 replies; 11+ messages in thread
From: Maximiliano Sandoval @ 2025-04-04 13:14 UTC (permalink / raw)
  To: pmg-devel

New users 'pmg-smtp-filter' and 'pmgpolicy' are created for their
respective processes and we set their systemd units to use them.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 debian/pmg-smtp-filter.service | 2 ++
 debian/pmgpolicy.service       | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/debian/pmg-smtp-filter.service b/debian/pmg-smtp-filter.service
index c887dc2d..c4d5e385 100644
--- a/debian/pmg-smtp-filter.service
+++ b/debian/pmg-smtp-filter.service
@@ -16,6 +16,8 @@ Type=forking
 Restart=on-abort
 RestartSec=10
 RuntimeDirectory=pmg-smtp-filter
+User=pmg-smtp-filter
+Group=pmg-smtp-filter
 
 [Install]
 WantedBy=multi-user.target
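
Review bot: `Group=pmg-smtp-filter` makes that the primary group, so files the filter creates in the spool belong to group pmg-smtp-filter rather than pmg unless the directory carries the setgid bit, and 08/11 sets `g+w` and `0775` but no setgid. The `0660` files from `new_fileid` are then not reachable for other members of pmg. Set `Group=pmg` here, or add setgid to the spool directories.
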
diff --git a/debian/pmgpolicy.service b/debian/pmgpolicy.service
index 200ade5f..275f6631 100644
--- a/debian/pmgpolicy.service
+++ b/debian/pmgpolicy.service
@@ -13,6 +13,8 @@ ExecReload=/bin/kill -HUP $MAINPID
 PIDFile=/run/pmgpolicy/pmgpolicy.pid
 Type=forking
 RuntimeDirectory=pmgpolicy
+User=pmgpolicy
+Group=pmgpolicy
 SupplementaryGroups=systemd-journal
 
 [Install]
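
Review bot: next to `User=pmgpolicy` the visible part of the unit carries no sandboxing directives. Since the series is about reducing privileges, consider adding `NoNewPrivileges=yes` together with suitable `ProtectSystem=` and `ProtectHome=` settings here and in pmg-smtp-filter.service, in this patch or a follow-up.
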
-- 
2.39.5


