postfix: add setgid wrapper for postqueue/postdrop

Both postqueue[1] and postdrop[2] implement a subset of administration task that are supposed to be run unprivileged users and require the setgid bit to full-fill this task. [1] http://www.postfix.org/postqueue.1.html [2] http://www.postfix.org/postdrop.1.html
6 years ago · 91ddc9d27f
parent b7d3974678
commit 91ddc9d27f
1 changed files with 17 additions and 1 deletions
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -602,7 +602,7 @@ in
            target = "postfix";
          };

-        # This makes comfortable for root to run 'postqueue' for example.
+        # This makes it comfortable to run 'postqueue/postdrop' for example.
        systemPackages = [ pkgs.postfix ];
      };

@ -616,6 +616,22 @@ in
        setgid = true;
      };

+      security.wrappers.postqueue = {
+        program = "postqueue";
+        source = "${pkgs.postfix}/bin/postqueue";
+        group = setgidGroup;
+        setuid = false;
+        setgid = true;
+      };
+
+      security.wrappers.postdrop = {
+        program = "postdrop";
+        source = "${pkgs.postfix}/bin/postdrop";
+        group = setgidGroup;
+        setuid = false;
+        setgid = true;
+      };
+
      users.users = optional (user == "postfix")
        { name = "postfix";
          description = "Postfix mail server user";