Bug 107100 - no supplemental groups for postfix delivery agent
Summary: no supplemental groups for postfix delivery agent
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: postfix
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Dennis
QA Contact:
URL: http://archives.neohapsis.com/archive...
Whiteboard:
Depends On:
Blocks:
Reported: 2003-10-15 00:24 UTC by Bill Rugolsky, Jr.
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-01-12 22:28:08 UTC
Type: ---
Embargoed:



Description Bill Rugolsky, Jr. 2003-10-15 00:24:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031009

Description of problem:
When postfix invokes an external delivery agent, it doesn't call initgroups() to
initialize the supplemental groups.  When using procmail, this can readily
lead to permission errors.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Switch to Postfix MTA (as root)
   su -c 'echo "mailbox_command = /usr/bin/procmail" >> /etc/postfix/main.cf'
   redhat-switchmail # choose postfix
   
2. Put yourself in a supplementary group
   su -c "usermod -G wheel $LOGNAME" # add yourself to wheel
3. Set up a procmailrc to examine mda credentials
   cat > ~/.procmailrc <<'EOI'
:0 c
| id -a >> $HOME/id.log
EOI
4. Send yourself some empty mail
   mail -s test $LOGNAME </dev/null
5. Examine the contents of id.log
   cat ~/id.log

Actual Results:  uid=500(rugolsky) gid=501(rugolsky) groups=501(rugolsky)


Expected Results:  uid=500(rugolsky) gid=501(rugolsky) groups=501(rugolsky),10(wheel)

Additional info:

A workaround is to use an MDA command that invokes initgroups() first,  e.g.,
"sudo -u $LOGNAME /usr/bin/procmail", assuming sudo is set up correctly.
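
The call ordering this report turns on, as an added example (not Postfix's code and not part of the original report): a privilege drop that runs initgroups() before setgid()/setuid(), plus a check that compares a process's groups with the group database. Linux/glibc is assumed; the function names and the 64-group bound are hypothetical.

```c
#define _GNU_SOURCE   /* glibc: exposes initgroups() and getgrouplist() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#define MAXG 64       /* assumed bound on group count, enough for a demo */

/* Count gids in want[] that are absent from have[]; the first goes to *first. */
int missing_groups(const gid_t *have, int nhave, const gid_t *want, int nwant, gid_t *first)
{
    int missing = 0;
    for (int i = 0; i < nwant; i++) {
        int j = 0;
        while (j < nhave && have[j] != want[i]) j++;
        if (j == nhave && missing++ == 0 && first) *first = want[i];
    }
    return missing;
}

/* Groups the group database grants pw that this process lacks; -1 on error. */
int audit_process_groups(const struct passwd *pw, gid_t *first)
{
    gid_t have[MAXG + 1], want[MAXG];
    int nwant = MAXG, nhave = getgroups(MAXG, have + 1); /* may omit the effective gid */
    if (nhave < 0 || getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0) return -1;
    have[0] = getegid();
    return missing_groups(have, nhave + 1, want, nwant, first);
}

/* Become pw's user. initgroups() and setgid() need root, so both must run
 * before setuid() gives root away. Returns 0 on success, -1 on any failure. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1; /* the call the report says is skipped */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;        /* root must not be recoverable */
    return audit_process_groups(pw, NULL) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : getpwuid(getuid());
    if (!pw) { fprintf(stderr, "unknown user\n"); return 2; }
    if (geteuid() == 0 && drop_to_user(pw) != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    gid_t first = 0;
    int n = audit_process_groups(pw, &first);
    printf("%s: %d group(s) missing, first gid %ld\n", pw->pw_name, n, n > 0 ? (long)first : -1L);
    return n != 0;
}
```

Run as root with a user name to exercise the drop, or unprivileged (for example from a delivery agent's rule) to audit the credentials the process was actually given.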

Comment 1 Chris Ricker 2003-12-11 23:33:29 UTC
This should probably be taken up by reminding Wietse upstream, rather
than with Red Hat....



Comment 2 John Dennis 2004-01-12 22:28:08 UTC
I agree with Chris, this is an upstream issue.

