fix: Drop special bits from Postfix `maildrop/` and `public/` directory permissions (#3625)

* update K8s deployment Because `allowPrivilegeEscalation` controls SUID/SGID, we require it when postdrop is invoked. * correct permissions for maildrop/public The reason our permissions previously worked out as that in setups where SUID/SGID worked, the binaries used to place files in these directories already have SGID set; the current set of permissions makes less sense (as explained in this comment: https://github.com/docker-mailserver/docker-mailserver/issues/3619#issuecomment-1793816412) Since the binaries used to place files inside these directories alredy have SUID/SGID set, we do not require these bits (or the sticky bit) to be set on the directories. * Apply suggestions from code review --------- Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-11-10 19:57:17 +01:00 · 2023-11-10 19:57:17 +01:00 · 26214491ef
parent 0703e01492
commit 26214491ef
2 changed files with 8 additions and 5 deletions
--- a/docs/content/config/advanced/kubernetes.md
+++ b/docs/content/config/advanced/kubernetes.md
@ -190,7 +190,10 @@ spec:
          imagePullPolicy: IfNotPresent

          securityContext:
-            allowPrivilegeEscalation: false
+            # Required to support SGID via `postdrop` executable
+            # in `/var/mail-state` for Postfix (maildrop + public dirs):
+            # https://github.com/docker-mailserver/docker-mailserver/pull/3625
+            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 0
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@ -105,10 +105,10 @@ function _setup_save_states() {
    # These two require the postdrop(103) group:
    chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}

-    # After changing the group, special bits (set-gid, sticky) may be stripped, restore them:
-    # Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3149#issuecomment-1454981309
-    chmod 1730 "${STATEDIR}/spool-postfix/maildrop"
-    chmod 2710 "${STATEDIR}/spool-postfix/public"
+    # These permissions rely on the `postdrop` binary having the SGID bit set.
+    # Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3625
+    chmod 730 "${STATEDIR}/spool-postfix/maildrop"
+    chmod 710 "${STATEDIR}/spool-postfix/public"
  elif [[ ${ONE_DIR} -eq 1 ]]; then
    _log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
  else