postfix check warns about symlink being group writable

Bug #1728723 reported by Simon Déziel
This bug affects 3 people
Affects             Status         Importance   Assigned to   Milestone
postfix (Debian)    Fix Released   Unknown
postfix (Ubuntu)    Fix Released   Low          Unassigned
  Xenial            Won't Fix      Low          Unassigned

Bug Description

On Xenial, "postfix check" complains like this:

postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-tls.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-util.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./sbin/lmtp
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-master.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-global.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-dns.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/sbin/./lmtp

Those are symlinks:

root@smtp01:~# ls -l /usr/lib/postfix/./libpostfix-tls.so.1
lrwxrwxrwx 1 root root 23 Aug 8 15:23 /usr/lib/postfix/./libpostfix-tls.so.1 -> libpostfix-tls.so.1.0.1

Yet the real .so has no permission issue:

# ls -l /usr/lib/postfix/./libpostfix-tls.so.1.0.1
-rw-r--r-- 1 root root 103344 Aug 8 15:23 /usr/lib/postfix/./libpostfix-tls.so.1.0.1

This problem doesn't happen on Trusty.

Additional information:

# lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
# apt-cache policy postfix
postfix:
  Installed: 3.1.0-3ubuntu0.1
  Candidate: 3.1.0-3ubuntu0.1
  Version table:
 *** 3.1.0-3ubuntu0.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.1.0-3 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

Tags: bitesize
Simon Déziel (sdeziel) wrote :

Looking into git, this problem seems to have been introduced with the 3.0.0 release:

$ git remote -v
origin https://git.launchpad.net/postfix (fetch)
origin https://git.launchpad.net/postfix (push)

$ git show 5afd7bb2 -- conf/postfix-script | sed -n '59,81 p'
+ todo="$config_directory/."
+ test -n "$check_shared_files" && {
+ todo="$daemon_directory/. $meta_directory/. $todo"
+ test "$shlib_directory" = "no" ||
+ todo="$shlib_directory/. $todo"
+ }
+ todo=`echo "$todo" | tr ' ' '\12' | sort -u`

  find $todo ! -user root \
- -exec $WARN not owned by root: {} \;
+ -exec $WARN not owned by root: {} \;

- todo="$config_directory/."
- test -n "$check_shared_files" && todo="$daemon_directory/. $todo"
+ find $todo \( -perm -020 -o -perm -002 \) \
+ -exec $WARN group or other writable: {} \;

- find $todo \
- \( -perm -020 -o -perm -002 \) -type f \
- -exec $WARN group or other writable: {} \;
+ # Check Postfix mail_owner-owned directory tree owner/permissions.

  find $data_directory/. ! -user $mail_owner \
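Review bot: the replacement `find $todo \( -perm -020 -o -perm -002 \)` drops the `-type f` restriction that the removed version carried, so symlinks, whose own mode is always lrwxrwxrwx, now match the group/other-writable test and are warned about regardless of the permissions of their target. Either restore `-type f` or have find follow links (`find -L`) so the permission bits tested are those of the target.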

In the above, the "-type f" argument of the last find was dropped causing the issue.
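A constructed reproduction of the three versions of the check, added here as an example and not code from the bug report or the postfix package: the pre-3.0 test with `-type f`, the 3.0 test that dropped it, and the Debian `find -L` fix, each run over a throwaway tree holding a 0644 library, a 0664 library and a symlink to each (file names and the tree are assumptions made for the example).

```shell
#!/bin/sh
# Added example, not code from the bug report or the postfix package.
# Reproduces the three variants of the postfix-script "group or other
# writable" check on a constructed tree: the pre-3.0 test with "-type f",
# the 3.0 test that dropped it, and the Debian fix that follows links.
LC_ALL=C; export LC_ALL

# Build a throwaway tree: a 0644 library with a symlink to it (the case
# that produced the false warning), and a 0664 library with a symlink to it
# (the case the check is meant to catch). Prints the directory path.
make_tree() {
    dir=$(mktemp -d)
    : > "$dir/libok.so.1.0.1";  chmod 644 "$dir/libok.so.1.0.1"
    ln -s libok.so.1.0.1  "$dir/libok.so.1"
    : > "$dir/libbad.so.1.0.1"; chmod 664 "$dir/libbad.so.1.0.1"
    ln -s libbad.so.1.0.1 "$dir/libbad.so.1"
    echo "$dir"
}

# Each check prints the basenames it would warn about, sorted, on one line.
# Pre-3.0: "-type f" excludes symlinks, whose own mode is always lrwxrwxrwx.
check_pre30() {
    find "$1" \( -perm -020 -o -perm -002 \) -type f -exec basename {} \; | sort | xargs echo
}
# 3.0: without "-type f" every symlink matches -perm -020, hence the bug.
check_30() {
    find "$1" \( -perm -020 -o -perm -002 \) -exec basename {} \; | sort | xargs echo
}
# Debian fix: -L makes find test the link target's mode instead of the link's.
check_fixed() {
    find -L "$1" \( -perm -020 -o -perm -002 \) -exec basename {} \; | sort | xargs echo
}

demo() {
    d=$(make_tree)
    echo "pre-3.0 (-type f):      $(check_pre30 "$d")"
    echo "3.0 (no -type f):       $(check_30 "$d")"
    echo "Debian fix (find -L):   $(check_fixed "$d")"
    rm -rf "$d"
}
demo
```

Only the 3.0 variant lists libok.so.1, the symlink to a correctly permissioned file; the -L variant still flags libbad.so.1, whose target really is group writable.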

Changed in postfix (Debian):
status: Unknown → New
Changed in postfix (Debian):
status: New → Fix Released
Andreas Hasenack (ahasenack) wrote :

This was fixed in 3.1.4-2 which was synced into ubuntu for zesty and later.

Xenial does indeed show this behavior, but I don't think it's worth an SRU to fix it. The exit code is still 0, and it's just a warning.

Maybe if there was another bug worthy of an SRU, this fix could piggyback on it.

FWIW, the fix is in debian/patches/70_postfix-check.diff:
--- a/conf/postfix-script
+++ b/conf/postfix-script
@@ -302,9 +302,14 @@
  find $todo ! -user root \
      -exec $WARN not owned by root: {} \;

- find $todo \( -perm -020 -o -perm -002 \) \
+ # Handle symlinks separately
+ find -L $todo \( -perm -020 -o -perm -002 \) \
      -exec $WARN group or other writable: {} \;

+ find $todo -type l | while read f; do \
+ readlink "$f" | grep -q / && $WARN symlink leaves directory: "$f"; \
+ done; \
+
  # Check Postfix mail_owner-owned directory tree owner/permissions.

  find $data_directory/. ! -user $mail_owner \
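Review bot: the added symlink loop reads paths with a bare `read f`, which strips leading whitespace and interprets backslashes; use `read -r f`. The test `readlink "$f" | grep -q /` also warns about any target containing a slash, including a relative target that points into a subdirectory of $todo, so the "symlink leaves directory" message will fire for links that do not actually leave the tree; resolving the target and comparing it against $todo would be more precise. The `find -L` change itself is sound: the permission test is now applied to the link target, which removes the spurious warnings for the lrwxrwxrwx links.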

Changed in postfix (Ubuntu):
importance: Undecided → Low
status: New → Triaged
tags: added: bitesize
Bryce Harrington (bryce)
Changed in postfix (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in postfix (Ubuntu Xenial):
status: New → Confirmed
Changed in postfix (Ubuntu Xenial):
importance: Undecided → Low
Bryce Harrington (bryce)
Changed in postfix (Ubuntu Xenial):
status: Confirmed → Triaged
Alex Monroy (amonroyx)
Changed in postfix (Ubuntu):
assignee: nobody → Alex Monroy (amonroyx)
assignee: Alex Monroy (amonroyx) → nobody
Athos Ribeiro (athos-ribeiro) wrote :

I am setting the xenial bug to wontfix because xenial is no longer under its standard support period.

Changed in postfix (Ubuntu Xenial):
status: Triaged → Won't Fix