docs: Fix note about the required Postfix rights

The permissions for the user running the postfix process are
not the ones used for external file or command delivery by default.
The ones defined by default_privs are (in case the aliases(5) file
that is owned by root was being used). A privileged user or the
postfix owner should not be used in this case.

See http://www.postfix.org/postconf.5.html#default_privs and
local(8).

Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
---
 docs/deployment/installation.rst | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Hi Ali,

> The permissions for the user running the postfix process are
> not the ones used for external file or command delivery by default.
> The ones defined by default_privs are (in case the aliases(5) file
> that is owned by root was being used). A privileged user or the
> postfix owner should not be used in this case.
>
> See http://www.postfix.org/postconf.5.html#default_privs and
> local(8).
>
> Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
> ---
>  docs/deployment/installation.rst | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/docs/deployment/installation.rst b/docs/deployment/installation.rst
> index c086d9a..cd5e102 100644
> --- a/docs/deployment/installation.rst
> +++ b/docs/deployment/installation.rst
> @@ -617,11 +617,11 @@ they can be loaded as seen below:
>  
>  .. note::
>  
> -   This assumes your Postfix process is running as the ``nobody`` user.  If
> -   this is not correct (use of ``postfix`` user is also common), you should
> -   change both the username in the ``createuser`` command above and substitute
> -   the username in the ``grant-all-postgres.sql`` script with the appropriate
> -   alternative.
> +   This assumes that you are using the aliases(5) file that is owned by root,
> +   and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
> +   this is not the case, you should change both the username in the ``createuser``
> +   command above and substitute the username in the ``grant-all-postgres.sql``
> +   script with the appropriate alternative.
>  

I think this is now the third time I've tried to review this, and I
think it's finally starting to make sense.

Is there any way local(8) could be invoked with a user other than the
one specified in default_privs?

btw, it should be grant-all.postgres.sql (a . not a - between all and
postgres) but if this doesn't need a respin I can fix that when I apply
it.

Regards,
Daniel
>  __ http://www.postfix.org/
>  
> -- 
> 2.11.0
>
> _______________________________________________
> Patchwork mailing list
> Patchwork@lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/patchwork

Hi Daniel,

> -----Original Message-----
> From: Daniel Axtens <dja@axtens.net>
> Sent: Tuesday, October 29, 2019 8:06 AM
> To: Ali Alnubani <alialnu@mellanox.com>; patchwork@lists.ozlabs.org
> Cc: Thomas Monjalon <thomas@monjalon.net>
> Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
> 
> Hi Ali,
> 
> > The permissions for the user running the postfix process are not the
> > ones used for external file or command delivery by default.
> > The ones defined by default_privs are (in case the aliases(5) file
> > that is owned by root was being used). A privileged user or the
> > postfix owner should not be used in this case.
> >
> > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
> >
> > Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
> > ---
> >  docs/deployment/installation.rst | 10 +++++-----
> >  1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/deployment/installation.rst
> > b/docs/deployment/installation.rst
> > index c086d9a..cd5e102 100644
> > --- a/docs/deployment/installation.rst
> > +++ b/docs/deployment/installation.rst
> > @@ -617,11 +617,11 @@ they can be loaded as seen below:
> >
> >  .. note::
> >
> > -   This assumes your Postfix process is running as the ``nobody`` user.  If
> > -   this is not correct (use of ``postfix`` user is also common), you should
> > -   change both the username in the ``createuser`` command above and
> substitute
> > -   the username in the ``grant-all-postgres.sql`` script with the appropriate
> > -   alternative.
> > +   This assumes that you are using the aliases(5) file that is owned by root,
> > +   and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
> > +   this is not the case, you should change both the username in the
> ``createuser``
> > +   command above and substitute the username in the ``grant-all-
> postgres.sql``
> > +   script with the appropriate alternative.
> >
> 
> I think this is now the third time I've tried to review this, and I think it's finally
> starting to make sense.
> 
> Is there any way local(8) could be invoked with a user other than the one
> specified in default_privs?

Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward)
http://www.postfix.org/local.8.html
http://www.postfix.org/postconf.5.html#forward_path 

> 
> btw, it should be grant-all.postgres.sql (a . not a - between all and
> postgres) but if this doesn't need a respin I can fix that when I apply it.
Thanks.

Regards,
Ali

On Tue, 2019-10-29 at 08:08 +0000, Ali Alnubani wrote:
> Hi Daniel,
> 
> > -----Original Message-----
> > From: Daniel Axtens <dja@axtens.net>
> > Sent: Tuesday, October 29, 2019 8:06 AM
> > To: Ali Alnubani <alialnu@mellanox.com>; patchwork@lists.ozlabs.org
> > Cc: Thomas Monjalon <thomas@monjalon.net>
> > Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
> > 
> > Hi Ali,
> > 
> > > The permissions for the user running the postfix process are not the
> > > ones used for external file or command delivery by default.
> > > The ones defined by default_privs are (in case the aliases(5) file
> > > that is owned by root was being used). A privileged user or the
> > > postfix owner should not be used in this case.
> > > 
> > > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
> > > 
> > > Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
> > > ---
> > >  docs/deployment/installation.rst | 10 +++++-----
> > >  1 file changed, 5 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/docs/deployment/installation.rst
> > > b/docs/deployment/installation.rst
> > > index c086d9a..cd5e102 100644
> > > --- a/docs/deployment/installation.rst
> > > +++ b/docs/deployment/installation.rst
> > > @@ -617,11 +617,11 @@ they can be loaded as seen below:
> > > 
> > >  .. note::
> > > 
> > > -   This assumes your Postfix process is running as the ``nobody`` user.  If
> > > -   this is not correct (use of ``postfix`` user is also common), you should
> > > -   change both the username in the ``createuser`` command above and
> > substitute
> > > -   the username in the ``grant-all-postgres.sql`` script with the appropriate
> > > -   alternative.
> > > +   This assumes that you are using the aliases(5) file that is owned by root,
> > > +   and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
> > > +   this is not the case, you should change both the username in the
> > ``createuser``
> > > +   command above and substitute the username in the ``grant-all-
> > postgres.sql``
> > > +   script with the appropriate alternative.
> > > 
> > 
> > I think this is now the third time I've tried to review this, and I think it's finally
> > starting to make sense.
> > 
> > Is there any way local(8) could be invoked with a user other than the one
> > specified in default_privs?
> 
> Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward)
> http://www.postfix.org/local.8.html
> http://www.postfix.org/postconf.5.html#forward_path 
> 
> > btw, it should be grant-all.postgres.sql (a . not a - between all and
> > postgres) but if this doesn't need a respin I can fix that when I apply it.

ngl, this doesn't make a whole lot of sense to me, but I trust that
you've done your homework on this and that it's based on hard earned
experience :)

Reviewed-by: Stephen Finucane <stephen@that.guru>

and applied (with the change noted by Daniel).

> Thanks.
> 
> Regards,
> Ali

Stephen Finucane <stephen@that.guru> writes:

> On Tue, 2019-10-29 at 08:08 +0000, Ali Alnubani wrote:
>> Hi Daniel,
>> 
>> > -----Original Message-----
>> > From: Daniel Axtens <dja@axtens.net>
>> > Sent: Tuesday, October 29, 2019 8:06 AM
>> > To: Ali Alnubani <alialnu@mellanox.com>; patchwork@lists.ozlabs.org
>> > Cc: Thomas Monjalon <thomas@monjalon.net>
>> > Subject: Re: [PATCH] docs: Fix note about the required Postfix rights
>> > 
>> > Hi Ali,
>> > 
>> > > The permissions for the user running the postfix process are not the
>> > > ones used for external file or command delivery by default.
>> > > The ones defined by default_privs are (in case the aliases(5) file
>> > > that is owned by root was being used). A privileged user or the
>> > > postfix owner should not be used in this case.
>> > > 
>> > > See http://www.postfix.org/postconf.5.html#default_privs and local(8).
>> > > 
>> > > Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
>> > > ---
>> > >  docs/deployment/installation.rst | 10 +++++-----
>> > >  1 file changed, 5 insertions(+), 5 deletions(-)
>> > > 
>> > > diff --git a/docs/deployment/installation.rst
>> > > b/docs/deployment/installation.rst
>> > > index c086d9a..cd5e102 100644
>> > > --- a/docs/deployment/installation.rst
>> > > +++ b/docs/deployment/installation.rst
>> > > @@ -617,11 +617,11 @@ they can be loaded as seen below:
>> > > 
>> > >  .. note::
>> > > 
>> > > -   This assumes your Postfix process is running as the ``nobody`` user.  If
>> > > -   this is not correct (use of ``postfix`` user is also common), you should
>> > > -   change both the username in the ``createuser`` command above and
>> > substitute
>> > > -   the username in the ``grant-all-postgres.sql`` script with the appropriate
>> > > -   alternative.
>> > > +   This assumes that you are using the aliases(5) file that is owned by root,
>> > > +   and that Postfix's ``default_privs`` configuration is set as ``nobody``. If
>> > > +   this is not the case, you should change both the username in the
>> > ``createuser``
>> > > +   command above and substitute the username in the ``grant-all-
>> > postgres.sql``
>> > > +   script with the appropriate alternative.
>> > > 
>> > 
>> > I think this is now the third time I've tried to review this, and I think it's finally
>> > starting to make sense.
>> > 
>> > Is there any way local(8) could be invoked with a user other than the one
>> > specified in default_privs?
>> 
>> Yes. It's possible with user-level aliasing. You can create an aliases file that is owned by that user and added to alias_maps, or use the default forward_path (usually $home/.forward)
>> http://www.postfix.org/local.8.html
>> http://www.postfix.org/postconf.5.html#forward_path 
>> 
>> > btw, it should be grant-all.postgres.sql (a . not a - between all and
>> > postgres) but if this doesn't need a respin I can fix that when I apply it.
>
> ngl, this doesn't make a whole lot of sense to me, but I trust that
> you've done your homework on this and that it's based on hard earned
> experience :)

Yeah, I was contemplating a slightly wider-ranging rewrite but could
never quite put pen to paper on how to do it. I agree that just apply it
is the way to go.

>
> Reviewed-by: Stephen Finucane <stephen@that.guru>
>
> and applied (with the change noted by Daniel).
>
>> Thanks.
>> 
>> Regards,
>> Ali