author | Jörg Thalheim <joerg@thalheim.io> | 2018-10-15 13:12:06 +0100 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2018-10-15 13:14:41 +0100 |
commit | 91ddc9d27f669e1dc09012cc7577377bf4e90e69 (patch) | |
tree | 6a0a6012d01414d48839cdcc618e4d503a3c8db8 /nixos/modules/services/mail | |
parent | b7d39746782d442d4a2fe0b118dfcdfe329badfb (diff) | |
postfix: add setgid wrapper for postqueue/postdrop
Both postqueue[1] and postdrop[2] implement a subset of administration tasks that are supposed to be run by unprivileged users, and they require the setgid bit to fulfil this task. [1] http://www.postfix.org/postqueue.1.html [2] http://www.postfix.org/postdrop.1.html
Diffstat (limited to 'nixos/modules/services/mail')
-rw-r--r-- | nixos/modules/services/mail/postfix.nix | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 33249aa3e554..d43733484ffa 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -602,7 +602,7 @@ in
 target = "postfix";
 };
- # This makes comfortable for root to run 'postqueue' for example.
+ # This makes it comfortable to run 'postqueue/postdrop' for example.
 systemPackages = [ pkgs.postfix ];
 };
@@ -616,6 +616,22 @@ in
 setgid = true;
 };
 
+ security.wrappers.postqueue = {
+ program = "postqueue";
+ source = "${pkgs.postfix}/bin/postqueue";
+ group = setgidGroup;
+ setuid = false;
+ setgid = true;
+ };
+
+ security.wrappers.postdrop = {
+ program = "postdrop";
+ source = "${pkgs.postfix}/bin/postdrop";
+ group = setgidGroup;
+ setuid = false;
+ setgid = true;
+ };
+
 users.users = optional (user == "postfix") {
 name = "postfix";
 description = "Postfix mail server user"; |
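Review bot: The two new `security.wrappers.postqueue` and `security.wrappers.postdrop` attrsets in the second hunk are verbatim copies of the `sendmail` wrapper above them differing only in the program name, and the `setuid = false; setgid = true; group = setgidGroup;` triple is exactly the part that must not drift between them, so a small helper would keep all three privileged wrappers provably identical in their flags. A comment should also state why setgid is needed, e.g. `# postqueue/postdrop need the setgid bit (never setuid) so unprivileged users can act on the queue; see postqueue(1) and postdrop(1)`. The updated comment in the first hunk ("makes it comfortable to run 'postqueue/postdrop'") is slightly misleading: `systemPackages = [ pkgs.postfix ]` puts the unwrapped, non-setgid binaries on PATH, and unprivileged use only works because the wrapper directory is expected to precede the package bin directory in PATH — worth saying in that comment. The enclosing `security.wrappers.sendmail` block and the module's `let` (where `setgidGroup` is presumably defined) start outside the hunk.
```nix
# … in the module's let block, next to setgidGroup (outside this hunk) …
postfixSetgidWrapper = program: {
  inherit program;
  source = "${pkgs.postfix}/bin/${program}";
  group = setgidGroup;
  setuid = false;
  setgid = true;
};

# … unchanged: security.wrappers.sendmail …
# postqueue/postdrop need the setgid bit (never setuid) so unprivileged users can act on the queue;
# see postqueue(1) and postdrop(1).
security.wrappers.postqueue = postfixSetgidWrapper "postqueue";
security.wrappers.postdrop = postfixSetgidWrapper "postdrop";
```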