If it's feasible, turn on command execution in postfix, make sure it's using a private aliases file, and do a "|/whatever" in its global aliases - if the original recipient does NOT have a matching userid, I believe you can have that command run as root. Running out the door, can't check, but that just occurred to me. -Adam
Get Outlook for Androidhttps://aka.ms/AAb9ysg ________________________________ From: Roundtable roundtable-bounces@muug.ca on behalf of Adam Thompson athompso@athompso.net Sent: Monday, April 17, 2023 7:58:29 AM To: Continuation of Round Table discussion roundtable@muug.ca Subject: Re: [RndTbl] "washing" a fork/exec to force all groups
Why: "security". I don't recall the details, but I think I remember this change - quite a long time ago, and it never affected me.
The more general solution is broadly accepted to be: stop using procmail. It's ancient, unmaintained code that doesn't meet modern <anything> standards. Ask about procmail problems on any of the MTA mailing lists and you will be soundly and roundly flamed for still using it.
If you use Dovecot, you already have a full SIEVE implementation. Of course procmail can do dangerous things that SIEVE refuses to do, but for most sane needs, it's IMHO far superior to .procmailrc syntax. Much like switching from sendmail syntax to postfix syntax. You might consider that a bug, not a feature, YMMV.
Penultimately, I think you want procmail to be setuid root, and invoke it with the "-d" flag. It doesn't get installed setuid anymore because (see above) it's ancient, unmaintained, and believed to not be safe to invoke as root.
As to sudo, the usual solution is to put your users in a group and allow the group instead of the user. You could "rootwash" procmail itself by using a wrapper script that sudo's procmail instead of having procmail sudo php. You could theoretically have postfix invoke "sudo postfix" but that might be more trouble than it's worth.
If you don't have root on the box? Just use .forward files. First character on the first line is "|" = exactly what you're doing with procmail. Wait, you still have the secondary group problem, so maybe SSH to localhost to get the grous back? I'm not sure how to regain secondary groups without a root process adding them, sorry. -Adam
-----Original Message----- From: Roundtable roundtable-bounces@muug.ca On Behalf Of Trevor Cordes Sent: Monday, April 17, 2023 3:52 AM To: MUUG RndTbl roundtable@muug.ca Subject: [RndTbl] "washing" a fork/exec to force all groups
Just ran into this:
https://stackoverflow.com/questions/8568596/procmail-disregards-etc-group#
Postfix is doing something before/while it calls procmail for local delivery which strips all but the primary group of the recipient. This means any complicated pipe I have setup in procmail which relies on secondary groups fails with read perm errors.
Sendmail doesn't do this stupidity (yay)! But I needed to (argh finally) use postfix on a box that needed 2 MTAs installed (and sendmail couldn't, in the end, do it properly).
I consider the current stackoverflow answer to be a non-answer because Fedora/RHEL doesn't install procmail setgid/setuid anymore, and I don't want to fudge u+s g+s on every dnf update!
I've solved the problem by "washing" the procmail piped-to command through sudo. I had to add to sudoers: fooman ALL=(fooman) NOPASSWD: /bin/php
and change my procmail recipe pipe to: | /bin/sudo -u fooman /bin/php /needs/secondary/groups/to/read.php
Ok great, it all works with postfix now just like it did with sendmail.
The tricky question for you uber *nix geeks is: Can I achieve the same thing without the sudoers entry? In other words, is there a way to achieve this without root access, if someone didn't have root on the box, say.
Too bad sudo isn't smart enough to say "hey, user fooman can run anything as user fooman" without a specific entry. Maybe an option for postfix? Maybe some magic sudo or su can do?
Is an option to procmail possible or is this a problem that can *only* be solved by washing the call, somewhere along the line, through a setuid program (because once stripped by postfix they are gone forever)?
I wonder why sendmail doesn't chop off the groups but postfix does. _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
_______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable