Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#77701 - [nullmailer] set spool permissions to 0770, so we can use NoNewPrivileges=true

Attached to Project: Community Packages
Opened by carlenny (carlenny) - Thursday, 02 March 2023, 13:16 GMT
Last edited by Toolybird (Toolybird) - Monday, 06 March 2023, 20:25 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

nullmailer-queue runs as setuid. Thus the nullmailer spool directory have permissions 0700. This however makes it impossible to be used in a sandboxed systemd service which has "NoNewPrivileges=true", because setuid can't be used by such a service.

Injectig emails from a sandboxed service would probably work if the spool directory had permissions 0770. Then we could add "SupplementaryGroups=nullmail" in the systemd service file and would not depend on setuid/setgid.

So I'd suggest to change the permissions in nullmailer.tmpfiles to:

d /var/spool/nullmailer/queue 0770 nullmail nullmail - -

Else I'd just place my own version of the file in /etc/tmpfiles.d/. But fixing it in the package would be a cleaner way.
Thank you!
This task depends upon

Closed by  Toolybird (Toolybird)
Monday, 06 March 2023, 20:25 GMT
Reason for closing:  Won't implement
Additional comments about closing:  See comments
Comment by carlenny (carlenny) - Thursday, 02 March 2023, 13:17 GMT
Typo in the first line: the spool directory currently has permissions 0700, of course.
Comment by Toolybird (Toolybird) - Friday, 03 March 2023, 01:43 GMT
Related:  FS#62404  and  FS#62371 

> would probably work

? Either it works or it doesn't. This kind of thing should be tested before submitting a feature request.
Comment by carlenny (carlenny) - Monday, 06 March 2023, 16:07 GMT
You're right. Sorry, I had been in a hurry and was a bit too optimistic.

I've tested it, and it does not work. First, /var/spool/nullmailer/tmp and /var/spool/nullmailer/trigger must also have permissions 0770 and 0660. Then nullmailer-inject does work, but the injected files belong to the user and group of my service, so nullmailer-send can't open them.

So it's probably easier to remove NoNewPrivileges=true (and all lines that imply it) from my service.

Loading...