Merge pull request #48460 from Mic92/postfix-setuid

postfix: add setgid wrapper for postqueue/postdrop
2018-10-17 14:48:43 +01:00 · 2018-10-17 14:48:43 +01:00 · f6ded23889
parent 2ed287720e 91ddc9d27f
commit f6ded23889
1 changed files with 17 additions and 1 deletions
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -602,7 +602,7 @@ in
            target = "postfix";
          };

-        # This makes comfortable for root to run 'postqueue' for example.
+        # This makes it comfortable to run 'postqueue/postdrop' for example.
        systemPackages = [ pkgs.postfix ];
      };

@ -616,6 +616,22 @@ in
        setgid = true;
      };

+      security.wrappers.postqueue = {
+        program = "postqueue";
+        source = "${pkgs.postfix}/bin/postqueue";
+        group = setgidGroup;
+        setuid = false;
+        setgid = true;
+      };
+
+      security.wrappers.postdrop = {
+        program = "postdrop";
+        source = "${pkgs.postfix}/bin/postdrop";
+        group = setgidGroup;
+        setuid = false;
+        setgid = true;
+      };
+
      users.users = optional (user == "postfix")
        { name = "postfix";
          description = "Postfix mail server user";