[RndTbl] "washing" a fork/exec to force all groups

Trevor Cordes trevor at tecnopolis.ca
Mon Apr 17 03:51:47 CDT 2023

Just ran into this:


Postfix is doing something before/while it calls procmail for local
delivery which strips all but the primary group of the recipient.  This
means any complicated pipe I have setup in procmail which relies on
secondary groups fails with read perm errors.

Sendmail doesn't do this stupidity (yay)!  But I needed to (argh finally)
use postfix on a box that needed 2 MTAs installed (and sendmail couldn't,
in the end, do it properly).

I consider the current stackoverflow answer to be a non-answer because
Fedora/RHEL doesn't install procmail setgid/setuid anymore, and I don't
want to fudge u+s g+s on every dnf update!

I've solved the problem by "washing" the procmail piped-to command through
sudo.  I had to add to sudoers:
fooman	ALL=(fooman) NOPASSWD: /bin/php

and change my procmail recipe pipe to:
| /bin/sudo -u fooman /bin/php /needs/secondary/groups/to/read.php

Ok great, it all works with postfix now just like it did with sendmail.

The tricky question for you uber *nix geeks is: Can I achieve the same
thing without the sudoers entry?  In other words, is there a way to
achieve this without root access, if someone didn't have root on the box,

Too bad sudo isn't smart enough to say "hey, user fooman can run anything
as user fooman" without a specific entry.  Maybe an option for postfix?
Maybe some magic sudo or su can do?

Is an option to procmail possible or is this a problem that can *only* be
solved by washing the call, somewhere along the line, through a setuid
program (because once stripped by postfix they are gone forever)?

I wonder why sendmail doesn't chop off the groups but postfix does.

More information about the Roundtable mailing list