Adjusted exim permissions

4f62cfef · Paul Cammish · f1c9104c · 4f62cfef · 4f62cfef
Commit 4f62cfef authored Jul 02, 2019 by Paul Cammish
--- a/core/sbin/sympl-filesystem-security
+++ b/core/sbin/sympl-filesystem-security
@@ -103,7 +103,7 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"

  if [ -d ${domain}/config ]; then

-    find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -name 'dkim.key' ! -name 'dkim' ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
+    find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;

    if [ -d "${domain}/config/ssl/sets" ]; then
      find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
@@ -111,12 +111,6 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"

    find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)

-    # The group doesn't exist if exim/sympl-mail is not installed.
-    if [ $( grep -c '^Debian-exim:' /etc/group ) == 1 ]; then
-      find "${domain}/config" -maxdepth 1 -type f \( -name 'dkim' -o -name 'dkim.key' \)  \( ! -group Debian-exim -o ! -user sympl \) -exec chown sympl:Debian-exim {} \;
-      find "${domain}/config" -maxdepth 1 -type f \( -name 'dkim' -o -name 'dkim.key' \) ! -perm 640 -exec chmod 640 {} \;
-    fi
-
  fi

  # Enforce permissions for mailboxes directory
@@ -124,7 +118,7 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"

    find "${domain}/mailboxes" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;

-    find "${domain}/mailboxes" \( -type f -a ! -perm 660 -exec chmod 600 {} \; \) -o \( -type d -a ! -perm 2700 -exec chmod 2700 {} \; \)
+    find "${domain}/mailboxes" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2770 -exec chmod 2770 {} \; \)

  fi


--- a/mail/debian/postinst
+++ b/mail/debian/postinst
@@ -42,6 +42,15 @@ if ! ( groups Debian-exim | grep -q ssl-cert ) ; then
  adduser Debian-exim ssl-cert > /dev/null 2>&1
 fi

+#
+# Debian-exim also needs to be part of the sympl group, so it can read the
+# files in <domain>/config/.
+#
+if ! ( groups Debian-exim | grep -q sympl ) ; then
+  echo "I: Adding Debian-exim user to sympl group"
+  adduser Debian-exim sympl > /dev/null 2>&1
+fi
+
 if ( grep -q '^AllowSupplementaryGroups \+false' /etc/clamav/clamd.conf ) ; then
  echo "I: Allowing clamav to operate using its supplementary groups"
  #