FS#77701 - [nullmailer] set spool permissions to 0770, so we can use NoNewPrivileges=true

Attached to Project: Community Packages
Opened by carlenny (carlenny) - Thursday, 02 March 2023, 13:16 GMT
Last edited by Toolybird (Toolybird) - Monday, 06 March 2023, 20:25 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

nullmailer-queue runs as setuid. Thus the nullmailer spool directory has permissions 0700. This however makes it impossible to be used in a sandboxed systemd service which has "NoNewPrivileges=true", because setuid can't be used by such a service.

Injecting emails from a sandboxed service would probably work if the spool directory had permissions 0770. Then we could add "SupplementaryGroups=nullmail" in the systemd service file and would not depend on setuid/setgid.

So I'd suggest changing the permissions in nullmailer.tmpfiles to:

d /var/spool/nullmailer/queue 0770 nullmail nullmail - -

Else I'd just place my own version of the file in /etc/tmpfiles.d/. But fixing it in the package would be a cleaner way.
Thank you!
This task depends upon

Closed by Toolybird (Toolybird)
Monday, 06 March 2023, 20:25 GMT
Reason for closing: Won't implement
Additional comments about closing: See comments
Comment by carlenny (carlenny) - Thursday, 02 March 2023, 13:17 GMT
Typo in the first line: the spool directory currently has permissions 0700, of course.
Comment by Toolybird (Toolybird) - Friday, 03 March 2023, 01:43 GMT
Related: FS#62404 and FS#62371

> would probably work

? Either it works or it doesn't. This kind of thing should be tested before submitting a feature request.
Comment by carlenny (carlenny) - Monday, 06 March 2023, 16:07 GMT
You're right. Sorry, I had been in a hurry and was a bit too optimistic.

I've tested it, and it does not work. First, /var/spool/nullmailer/tmp and /var/spool/nullmailer/trigger must also have permissions 0770 and 0660. Then nullmailer-inject does work, but the injected files belong to the user and group of my service, so nullmailer-send can't open them.

So it's probably easier to remove NoNewPrivileges=true (and all lines that imply it) from my service.

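To make the permission failure in the last comment reproducible without touching a real spool, here is an added Python model of the POSIX discretionary access checks involved. It is not nullmailer's code and not part of this bug thread; the uids/gids are constructed, the 0o600 creation mode of a queued file is an assumption, and neither the setgid directory bit nor ACLs are modelled. It compares the stock layout (0700 queue, setuid nullmailer-queue writing as nullmail) with the proposed one (0770 queue, a NoNewPrivileges=true service that has SupplementaryGroups=nullmail and therefore keeps its own uid/gid when creating files).

```python
"""Constructed model of the permission checks behind FS#77701.

Not nullmailer's code. It simulates who may create a queue file and whether
nullmailer-send (running as nullmail) can read it afterwards, so the setuid
path and the NoNewPrivileges=true path can be compared side by side.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # one rwx triad, as in the low three bits of a mode

# Constructed identities; nothing here is taken from a real system.
NULLMAIL_UID = NULLMAIL_GID = 1001
SERVICE_UID = SERVICE_GID = 1500


@dataclass(frozen=True)
class Principal:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o770


def permitted(p: Principal, node: Inode, want: int) -> bool:
    """Classic DAC check: owner triad if uid matches, else group triad if the
    file's group is the primary or a supplementary group, else the other triad.
    Root is treated as bypassing the check, as it does for read/write."""
    if p.uid == 0:
        return True
    if p.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif p.gid == node.gid or node.gid in p.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def create_file(creator: Principal, mode: int = 0o600) -> Inode:
    """A new file takes the creator's uid and primary gid (no setgid directory
    is modelled). The 0o600 default is an assumed creation mode."""
    return Inode(creator.uid, creator.gid, mode)


NULLMAIL = Principal(NULLMAIL_UID, NULLMAIL_GID)
# The sandboxed service: its own uid/gid plus nullmail as a supplementary group.
SERVICE = Principal(SERVICE_UID, SERVICE_GID, frozenset({NULLMAIL_GID}))


def setuid_path() -> dict:
    """Stock layout: queue is 0700 nullmail:nullmail and nullmailer-queue runs
    setuid, so the effective identity doing the write is nullmail."""
    queue = Inode(NULLMAIL_UID, NULLMAIL_GID, 0o700)
    queued = create_file(NULLMAIL)
    return {
        "enqueue": permitted(NULLMAIL, queue, W | X),
        "send_can_read": permitted(NULLMAIL, queued, R),
    }


def sandboxed_path(queue_mode: int) -> dict:
    """NoNewPrivileges=true service: setuid is unavailable, so the write is
    done as the service's own uid/gid, relying on the supplementary group."""
    queue = Inode(NULLMAIL_UID, NULLMAIL_GID, queue_mode)
    queued = create_file(SERVICE)
    return {
        "enqueue": permitted(SERVICE, queue, W | X),
        "send_can_read": permitted(NULLMAIL, queued, R),
    }


if __name__ == "__main__":
    print("setuid, 0700 queue:   ", setuid_path())
    print("sandboxed, 0700 queue:", sandboxed_path(0o700))
    print("sandboxed, 0770 queue:", sandboxed_path(0o770))
```

Running it shows the three states discussed in the thread: with 0700 the sandboxed service cannot enqueue at all; with 0770 it can create the file, but the file is owned by the service's uid and primary gid, so nullmail (no owner match, no group match, no other bits) cannot read it, which is exactly why nullmailer-send fails in the reporter's test.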