Patch update concerning the creation of the chroot:

1. Made it possible to copy files other than regular files; this
   is useful for links and for files like /dev/urandom. Directories
   are still skipped.

2. Made sure that the postfix user is able to read files in the chroot
   that are not group readable on their original location. As the
   default group ownership is postfix, I just added chmod g+r on the
   chroot file.

3. If files were world-writable on their original location, make it
   also writable for the postfix group in the chroot.

Durk


--- postfix-2.5.5-orig/debian/init.d	2008-10-31 13:59:26.000000000 +0100
+++ postfix-2.5.5/debian/init.d	2008-12-12 11:45:58.000000000 +0100
@@ -25,6 +25,8 @@
 
 # Defaults - don't touch, edit /etc/default/postfix
 SYNC_CHROOT="y"
+CHROOT_FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+   etc/nsswitch.conf etc/nss_mdns.config"
 
 test -f /etc/default/postfix && . /etc/default/postfix
 
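Review bot: `CHROOT_FILES` becomes an admin-tunable setting here (it is assigned before `/etc/default/postfix` is sourced), but nothing documents the format its entries must have. The loop in update_chroot uses each entry as a path relative to the queue directory and also prefixes it with `/` to find the original, so an entry written with a leading slash would make `rm -f ${file}` act on the host file itself, and an entry with no directory part ends up created as a directory by `mkdir -p ${file%/*}`. I would add a comment above the assignment such as `# Paths relative to / (no leading slash), each with a directory part; copied into the chroot.`, and repeat it wherever the package documents /etc/default/postfix.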
@@ -45,6 +47,60 @@
     fi
 }
 
+update_chroot() {
+    # see if anything is running chrooted.
+    NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+
+    if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+	# Make sure that the chroot environment is set up correctly.
+	oldumask=$(umask)
+	umask 027
+	cd $(postconf -h queue_directory)
+
+	# if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
+	smtp_tls_security_level=$(postconf -h smtp_tls_security_level)
+	smtp_use_tls=$(postconf -h smtp_use_tls)
+	smtpd_tls_security_level=$(postconf -h smtpd_tls_security_level)
+	smtpd_use_tls=$(postconf -h smtpd_use_tls)
+	if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" \
+		-o "X$smtp_tls_security_level" != "X" -a "X$smtp_tls_security_level" != "Xnone" \
+		-o "X$smtpd_tls_security_level" != "X" -a "X$smtpd_tls_security_level" != "Xnone" ]; then
+	    if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then 
+		mkdir -p etc/ssl/certs
+		cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
+		chgrp -R postfix etc
+                chmod g+r etc/ssl/certs/ca-certificates.crt
+	    fi
+	fi
+
+	# if we're using unix:passwd.byname, then we need to add etc/passwd.
+	local_maps=$(postconf -h local_recipient_maps)
+	if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+	    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+		sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+		chgrp postfix etc/passwd
+	    fi
+	fi
+
+	for file in $CHROOT_FILES; do 
+	    if [ ! -d ${file%/*} ]; then mkdir -p ${file%/*} && chgrp -R postfix ${file%%/*}; fi
+	    if [ -e /${file} ] && [ ! -d ${file} ]; then rm -f ${file} && cp -r /${file} ${file}; fi
+	    if [ -e  ${file} ] && [ ! -L ${file} ]; then
+		chgrp postfix ${file}
+		chmod g+rX ${file}
+		if ( stat -c%A /${file} | grep -q 'w.$' ) ; then chmod g+w ${file} ; fi
+	    fi
+	done
+	rm -f usr/lib/zoneinfo/localtime
+	mkdir -p usr/lib/zoneinfo
+	ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+	rm -f lib/libnss_*so*
+	tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+	umask $oldumask
+    fi
+}
+
+
 case "$1" in
     start)
 	log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
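Review bot: `cd $(postconf -h queue_directory)` in update_chroot is unquoted and unchecked, so if postconf prints nothing or the directory is missing, the relative `rm -f`, `chgrp -R postfix etc`, `cp` and `sed ... > etc/passwd` that follow run in whatever directory the script was started from. That matters more now that the function is reachable through the new `update-chroot` action, where no configuration check is visible before the call. I would resolve and enter the directory before the `umask 027` line and bail out on failure: `queue_dir=$(postconf -h queue_directory) || return 1` then `cd "$queue_dir" || return 1`. Separately, with the umask tightened from 022 to 027, `mkdir -p usr/lib/zoneinfo` (and presumably the `lib` directory that tar creates) is made without access for others and is never handed to the postfix group the way `etc` is, which on a fresh chroot looks like it would leave those paths unreachable for the postfix user.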
@@ -65,48 +121,7 @@
 		exit 1
 	    fi
 
-	    # see if anything is running chrooted.
-	    NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
-
-	    if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
-		# Make sure that the chroot environment is set up correctly.
-		oldumask=$(umask)
-		umask 022
-		cd $(postconf -h queue_directory)
-
-		# if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
-		smtp_use_tls=$(postconf -h smtp_use_tls)
-		smtpd_use_tls=$(postconf -h smtpd_use_tls)
-		if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]; then
-		    if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then 
-			mkdir -p etc/ssl/certs
-			cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
-		    fi
-		fi
-
-		# if we're using unix:passwd.byname, then we need to add etc/passwd.
-		local_maps=$(postconf -h local_recipient_maps)
-		if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
-		    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
-			sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
-			chmod a+r etc/passwd
-		    fi
-		fi
-
-		FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
-		    etc/nsswitch.conf etc/nss_mdns.config"
-		for file in $FILES; do 
-		    [ -d ${file%/*} ] || mkdir -p ${file%/*}
-		    if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
-		    if [ -f  ${file} ]; then chmod a+rX ${file}; fi
-		done
-		rm -f usr/lib/zoneinfo/localtime
-		mkdir -p usr/lib/zoneinfo
-		ln -sf /etc/localtime usr/lib/zoneinfo/localtime
-		rm -f lib/libnss_*so*
-		tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
-		umask $oldumask
-	    fi
+	    update_chroot
 
 	    if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
 		log_end_msg 0
@@ -159,8 +174,14 @@
 	${DAEMON} $1
     ;;
 
+    update-chroot)
+	log_action_begin_msg "Updating the Postfix chroot"
+	update_chroot
+	log_action_end_msg 0
+    ;;
+
     *)
-	log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+	log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload|update-chroot}"
 	exit 1
     ;;
 esac
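Review bot: The new `update-chroot` arm calls `log_action_end_msg 0` unconditionally, so a failed copy or a skipped sync (update_chroot does nothing when `NEED_CHROOT` or `SYNC_CHROOT` is empty) is still reported as a successful update. As written, update_chroot does not return a meaningful status, so it would first need to propagate failures from its `cd` and `cp` steps. The arm could then read `if update_chroot; then log_action_end_msg 0; else log_action_end_msg 1; exit 1; fi`.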
