authorPeter Simons <simons@cryp.to>2016-01-22 17:25:07 +0100
committerPeter Simons <simons@cryp.to>2016-01-22 17:25:07 +0100
commite6d42dfe04e289373d1ef6169d37c8c5ec6c55c6 (patch)
tree17974bc603b2be40b6163f47cc06b4ca58d234ec
parentb076c780051587a8940c0fab9f083eef260a700d (diff)
parent39bd9be5a9dc8d8efe6016e3234302ab027dc4cf (diff)
Merge pull request #12459 from avnik/fix-var-lib-postfix-permissions
Make /var/lib/postfix world-readable
-rw-r--r--nixos/modules/services/mail/postfix.nix37
-rw-r--r--pkgs/servers/mail/postfix/3.0.nix6
-rw-r--r--pkgs/servers/mail/postfix/post-install-script.patch28
3 files changed, 62 insertions, 9 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 6c5d7e92702b..f2d8189de6ef 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -20,6 +20,23 @@ let
       mail_owner = ${user}
       default_privs = nobody
 
+      # NixOS specific locations
+      data_directory = /var/lib/postfix/data
+      queue_directory = /var/lib/postfix/queue
+
+      # Default location of everything in package
+      meta_directory = ${pkgs.postfix}/etc/postfix
+      command_directory = ${pkgs.postfix}/bin
+      sample_directory = /etc/postfix
+      newaliases_path = ${pkgs.postfix}/bin/newaliases
+      mailq_path = ${pkgs.postfix}/bin/mailq
+      readme_directory = no
+      sendmail_path = ${pkgs.postfix}/bin/sendmail
+      daemon_directory = ${pkgs.postfix}/libexec/postfix
+      manpage_directory = ${pkgs.postfix}/share/man
+      html_directory = ${pkgs.postfix}/share/postfix/doc/html
+      shlib_directory = no
+
     ''
     + optionalString config.networking.enableIPv6 ''
       inet_protocols = all
@@ -435,31 +452,35 @@ in
               mkdir -p /var/lib
               mv /var/postfix /var/lib/postfix
             fi
-            mkdir -p /var/lib/postfix/data /var/lib/postfix/queue/{pid,public,maildrop}
 
-            chown -R ${user}:${group} /var/lib/postfix
-            chown root /var/lib/postfix/queue
-            chown root /var/lib/postfix/queue/pid
-            chgrp -R ${setgidGroup} /var/lib/postfix/queue/{public,maildrop}
-            chmod 770 /var/lib/postfix/queue/{public,maildrop}
+            # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script
+            mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop}
+            chmod 0755 /var/lib/postfix
+            chown root:root /var/lib/postfix
 
             rm -rf /var/lib/postfix/conf
             mkdir -p /var/lib/postfix/conf
+            chmod 0755 /var/lib/postfix/conf
+            ln -sf ${pkgs.postfix}/etc/postfix/postfix-files
             ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
             ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
+
             ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
               ln -sf ${from} /var/lib/postfix/conf/${to}
-              postalias /var/lib/postfix/conf/${to}
+              ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
             '') cfg.aliasFiles)}
             ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
               ln -sf ${from} /var/lib/postfix/conf/${to}
-              postmap /var/lib/postfix/conf/${to}
+              ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
             '') cfg.mapFiles)}
 
             mkdir -p /var/spool/mail
             chown root:root /var/spool/mail
             chmod a+rwxt /var/spool/mail
             ln -sf /var/spool/mail /var/
+
+            #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
+            ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
           '';
         };
     }
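Review bot: The added `ln -sf ${pkgs.postfix}/etc/postfix/postfix-files` has no destination, so the link lands in whatever directory the script runs from rather than in /var/lib/postfix/conf. Give it an explicit target, `ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files`, or drop the line if the new `meta_directory` setting already makes the file findable. Separately, the explicit chown/chgrp/chmod lines for queue/{pid,public,maildrop} are gone, so their ownership and modes now depend entirely on the final `postfix set-permissions` call. If that call fails, the directories stay as `mkdir -p` created them, so the script should stop on a non-zero exit; whether it runs under errexit is not visible in this hunk. The script body starts above the hunk.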
diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix
index 57c529ac0b65..9ea151e597bb 100644
--- a/pkgs/servers/mail/postfix/3.0.nix
+++ b/pkgs/servers/mail/postfix/3.0.nix
@@ -35,10 +35,14 @@ in stdenv.mkDerivation rec {
                 ++ lib.optional withMySQL libmysql
                 ++ lib.optional withSQLite sqlite;
 
-  patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ];
+  patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ./post-install-script.patch ];
 
   preBuild = ''
     sed -e '/^PATH=/d' -i postfix-install
+    sed -e "s|@PACKAGE@|$out|" -i conf/post-install
+
+    # post-install need skip permissions check/set on all symlinks following to /nix/store
+    sed -e "s|@NIX_STORE@|$NIX_STORE|" -i conf/post-install
 
     export command_directory=$out/sbin
     export config_directory=/etc/postfix
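Review bot: `command_directory` ends up with two different values across this change. The context line below the new sed calls still exports `$out/sbin`, while the patched post-install bootstrap (`@PACKAGE@/bin`) and the module's main.cf (`${pkgs.postfix}/bin`) both use `bin`. If the build does not relocate sbin into bin, post-install would look for its helper commands in a directory that lacks them; that relocation is not visible here. Either align the export or, if the relocation does happen, say so next to the sed line, e.g. `# post-install looks for commands in $out/bin; sbin is expected to be merged into bin`. preBuild continues past the hunk.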
diff --git a/pkgs/servers/mail/postfix/post-install-script.patch b/pkgs/servers/mail/postfix/post-install-script.patch
new file mode 100644
index 000000000000..350fbf929b74
--- /dev/null
+++ b/pkgs/servers/mail/postfix/post-install-script.patch
@@ -0,0 +1,28 @@
+--- a/conf/post-install	1970-01-01 03:00:01.000000000 +0300
++++ b/conf/post-install	2016-01-20 13:25:18.382233172 +0200
+@@ -254,6 +254,8 @@
+ }
+ 
+ # Bootstrapping problem.
++meta_directory="@PACKAGE@/etc/postfix"
++command_directory="@PACKAGE@/bin"
+ 
+ if [ -n "$command_directory" ]
+ then
+@@ -528,7 +530,16 @@
+ 	    # Skip uninstalled files.
+ 	    case $path in
+ 	    no|no/*) continue;;
++        # Skip immutable files from package, correct permissions provided by Nix.
++        @PACKAGE@/*) continue;
+ 	    esac
++        # Also skip symlinks following to /nix/store
++        if test -L $path; then
++            case "$(readlink $path)" in
++                @NIX_STORE@/*) continue;
++            esac
++        fi
++
+ 	    # Pick up the flags.
+ 	    case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
+ 	    case $flags in *c*) create_flag=1;; *) create_flag=;; esac
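Review bot: The added symlink check expands `$path` unquoted and inspects only the first link target. A path containing whitespace, or a link that reaches the store through another link, would not be recognised and would fall through to the ownership and mode handling below. Quoting and resolving the full chain would be `if test -L "$path"; then` and `case "$(readlink -f "$path")" in`; `readlink -f` assumes GNU coreutils, which looks safe for a Nix build. The two added `continue;` arms parse only because each is the last arm before `esac`; `continue;;` matches the surrounding style and survives a later arm being appended. The enclosing loop starts and ends outside the patched region.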