fix: DMS state volume must ensure o+x permission #4420
Merged
georglauterbach merged 4 commits into master, Mar 18, 2025
Conversation
polarathene commented Mar 18, 2025
| # Parent directories must have executable bit set to descend the file tree for access, | ||
| # as each service running as a non-root user requires this to access their state directory, | ||
| # `/var/mail-state` must allow all users `+x`: | ||
| chmod o+x "${DMS_STATE_DIR}" |
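Review bot: the comment above the command says `/var/mail-state` must allow all users `+x`, but the command grants only `o+x`; if a storage back end's default also strips the group search bit, a service reaching the directory through group membership would still be blocked. Either make the comment match the command or use `chmod ugo+x "${DMS_STATE_DIR}"`, which, unlike a bare `chmod +x`, does not depend on the caller's umask. Keeping the grant to the search bit only (no `o+r`) is the right minimal choice: other users can descend into the directory without being able to list it.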
Member
Author
Wondering if this should be ugo+x?
Suggested change
| chmod o+x "${DMS_STATE_DIR}" | |
| chmod ugo+x "${DMS_STATE_DIR}" |
So ugo+x is just like chmod +x, and I think it should be fine because the permissions inside /var/mail-state are still more open than this:
drwxr-x--x 8 amavis amavis 4096 Mar 18 04:36 lib-amavis
drwxr-xr-x 2 docker docker 4096 Mar 18 04:56 lib-dovecot
drwxr-xr-x 2 root root 4096 Dec 14 2022 lib-logrotate
drwxr-xr-x 2 postfix postfix 4096 Mar 17 22:09 lib-postfix
drwxr-xr-x 20 docker docker 4096 Mar 17 22:00 qa.auto1.team
drwxr-xr-x 16 root root 4096 Mar 18 04:56 spool-postfix
Member
I too think +x should be fine as it's the same as ugo+x.
Member
Author
> as it's the same as ugo+x
TIL chmod +w example (only u) and chmod +x example (ugo) behave differently 👀
Suggested change
| chmod o+x "${DMS_STATE_DIR}" | |
| chmod +x "${DMS_STATE_DIR}" |
Member
> TIL chmod +w example (only u) and chmod +x example (ugo) behave differently 👀
I didn't know that either 🤯
casperklein approved these changes Mar 18, 2025
georglauterbach approved these changes Mar 18, 2025
Description
While we expect the volume to have 755 as the default for /var/mail-state, some storage services will differ with their default permissions. Service users that need to access their state directory cannot do so when a parent directory has root ownership only and lacks the executable bit for the other permission set. This has been the source of numerous bug reports in the past, which were non-obvious to me to resolve due to the errors logged 😓 (big thanks to @rixwan-sharif for identifying the correct fix). More details: #4419 (comment)
Fixes #4419
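The traversal rule the description relies on, as an added example that is not code from docker-mailserver: a POSIX shell script that builds a constructed stand-in for `/var/mail-state` with a 750 parent, reports the first path component that `other` cannot search, applies the fix and re-checks, and shows the umask detail raised in the review (a bare `chmod +w` versus `chmod +x`). The directory names, the `first_blocking_parent`, `fix_state_dir`, `umask_demo` and `make_demo_tree` helpers, and the permission modes are assumptions made for the demonstration; permissions are read from `ls -ld` rather than GNU `stat` so it runs with any POSIX `ls`.

```shell
#!/usr/bin/env sh
# Added example, not code from docker-mailserver. It reproduces the failure
# the PR describes (a root-owned parent without o+x hides every service's
# state directory from its non-root user) and checks the fix. The directory
# names below are constructed to mirror the layout shown in the thread.

# perm_string DIR -> the nine rwxrwxrwx characters from 'ls -ld'
# (POSIX long-listing layout, so no GNU stat is needed).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# other_can_traverse DIR -> success when 'other' has the search (x) bit.
# Column 10 of 'ls -ld' is 'x', '-' or, with the sticky bit, 't'/'T'.
other_can_traverse() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_blocking_parent PATH -> prints the first component, walking down
# from /, that 'other' cannot search (prints nothing and returns 0 if the
# whole path is traversable). Only the x bit on each parent matters: a
# child can be reached without read permission on the parent.
first_blocking_parent() {
    _rest=${1#/}
    _acc=""
    while [ -n "$_rest" ]; do
        _comp=${_rest%%/*}
        case "$_rest" in
            */*) _rest=${_rest#*/} ;;
            *)   _rest="" ;;
        esac
        [ -n "$_comp" ] || continue        # skip empty components from '//'
        _acc="$_acc/$_comp"
        if ! other_can_traverse "$_acc"; then
            printf '%s\n' "$_acc"
            return 1
        fi
    done
    return 0
}

# fix_state_dir DIR -> add the search bit for owner, group and other. The
# explicit 'ugo' keeps the result independent of the caller's umask; a bare
# 'chmod +x' applies to ugo minus the umask bits (see umask_demo).
fix_state_dir() {
    chmod ugo+x "$1"
}

# umask_demo -> prints two permission strings separated by a space: a 500
# directory after 'chmod +w', then a 600 directory after 'chmod +x', both
# under umask 022. Without a who-letter chmod skips the bits set in the
# umask, so +w reaches only the owner while +x reaches owner, group, other.
umask_demo() {
    (
        umask 022
        _d=$(mktemp -d)
        chmod 500 "$_d" && chmod +w "$_d"
        _w=$(perm_string "$_d")
        chmod 600 "$_d" && chmod +x "$_d"
        _x=$(perm_string "$_d")
        rmdir "$_d"
        printf '%s %s\n' "$_w" "$_x"
    )
}

# make_demo_tree -> constructed stand-in for /var/mail-state: a 750 parent
# (the strict default some storage back ends apply) holding a 755 service
# state directory. Prints the parent's path.
make_demo_tree() {
    _base=$(mktemp -d)
    chmod 755 "$_base"                      # mktemp creates 700; open the scaffold
    mkdir -m 750 "$_base/mail-state"        # the problem: no o+x on the parent
    mkdir -m 755 "$_base/mail-state/lib-postfix"
    printf '%s\n' "$_base/mail-state"
}

# Stand-alone run: show the blocked component, apply the fix, re-check.
state_dir=$(make_demo_tree)
printf 'before: %s  %s\n' "$(perm_string "$state_dir")" "$state_dir"
if blocked=$(first_blocking_parent "$state_dir/lib-postfix"); then
    echo 'before: lib-postfix reachable by other (not expected here)'
else
    echo "before: other cannot search $blocked"
fi
fix_state_dir "$state_dir"
printf 'after:  %s  %s\n' "$(perm_string "$state_dir")" "$state_dir"
if first_blocking_parent "$state_dir/lib-postfix" >/dev/null; then
    echo 'after: lib-postfix reachable by other'
fi
echo "umask demo (+w then +x under 022): $(umask_demo)"
rm -rf "$(dirname "$state_dir")"
```

The check reads the mode bits rather than attempting access, so it gives the same answer whether run as root or as an unprivileged user. Pointed at the real path inside a container, `first_blocking_parent /var/mail-state/lib-postfix` names the volume root when a storage back end has defaulted it to 750 or 700, which is the case the PR's `chmod` is there to repair.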