services: opensmtpd: Make commands setgid to "smtpq" by default.

This is a patch that fixes "<executable name>: this program must be setgid smtpq".

* gnu/services/mail.scm (<opensmtpd-configuration>)[setgid-commands?]: New field.
(opensmtpd-set-gids): New procedure.
(opensmtpd-service-type)[extensions]: Add SETUID-PROGRAM-SERVICE-TYPE extension.
* doc/guix.texi (Mail Services): Document it.

Co-authored-by: Ludovic Courtès <ludo@gnu.org>
Maya 2022-07-25 09:02:18 +00:00 committed by Ludovic Courtès
parent 432ea6446d
commit dd3cf14402
2 changed files with 48 additions and 2 deletions


@ -25149,6 +25149,11 @@ it listens on the loopback network interface, and allows for mail from
users and daemons on the local machine, as well as permitting email to users and daemons on the local machine, as well as permitting email to
remote servers. Run @command{man smtpd.conf} for more information. remote servers. Run @command{man smtpd.conf} for more information.
@item @code{setgid-commands?} (default: @code{#t})
Make the following commands setgid to @code{smtpq} so they can be
executed: @command{smtpctl}, @command{sendmail}, @command{send-mail},
@command{makemap}, @command{mailq}, and @command{newaliases}.
@xref{Setuid Programs}, for more information on setgid programs.
@end table @end table
@end deftp @end deftp


@ -30,6 +30,7 @@ (define-module (gnu services mail)
#:use-module (gnu services shepherd) #:use-module (gnu services shepherd)
#:use-module (gnu system pam) #:use-module (gnu system pam)
#:use-module (gnu system shadow) #:use-module (gnu system shadow)
#:use-module (gnu system setuid)
#:use-module (gnu packages mail) #:use-module (gnu packages mail)
#:use-module (gnu packages admin) #:use-module (gnu packages admin)
#:use-module (gnu packages dav) #:use-module (gnu packages dav)
@ -1653,7 +1654,8 @@ (define-record-type* <opensmtpd-configuration>
(package opensmtpd-configuration-package (package opensmtpd-configuration-package
(default opensmtpd)) (default opensmtpd))
(config-file opensmtpd-configuration-config-file (config-file opensmtpd-configuration-config-file
(default %default-opensmtpd-config-file))) (default %default-opensmtpd-config-file))
(setgid-commands? opensmtpd-setgid-commands? (default #t)))
(define %default-opensmtpd-config-file (define %default-opensmtpd-config-file
(plain-file "smtpd.conf" " (plain-file "smtpd.conf" "
@ -1714,6 +1716,43 @@ (define opensmtpd-activation
(define %opensmtpd-pam-services (define %opensmtpd-pam-services
(list (unix-pam-service "smtpd"))) (list (unix-pam-service "smtpd")))
(define opensmtpd-set-gids
(match-lambda
(($ <opensmtpd-configuration> package config-file set-gids?)
(if set-gids?
(list
(setuid-program
(program (file-append package "/sbin/smtpctl"))
(setuid? #false)
(setgid? #true)
(group "smtpq"))
(setuid-program
(program (file-append package "/sbin/sendmail"))
(setuid? #false)
(setgid? #true)
(group "smtpq"))
(setuid-program
(program (file-append package "/sbin/send-mail"))
(setuid? #false)
(setgid? #true)
(group "smtpq"))
(setuid-program
(program (file-append package "/sbin/makemap"))
(setuid? #false)
(setgid? #true)
(group "smtpq"))
(setuid-program
(program (file-append package "/sbin/mailq"))
(setuid? #false)
(setgid? #true)
(group "smtpq"))
(setuid-program
(program (file-append package "/sbin/newaliases"))
(setuid? #false)
(setgid? #true)
(group "smtpq")))
'()))))
(define opensmtpd-service-type (define opensmtpd-service-type
(service-type (service-type
(name 'opensmtpd) (name 'opensmtpd)
@ -1727,7 +1766,9 @@ (define opensmtpd-service-type
(service-extension profile-service-type (service-extension profile-service-type
(compose list opensmtpd-configuration-package)) (compose list opensmtpd-configuration-package))
(service-extension shepherd-root-service-type (service-extension shepherd-root-service-type
opensmtpd-shepherd-service))) opensmtpd-shepherd-service)
(service-extension setuid-program-service-type
opensmtpd-set-gids)))
(description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
Transfer Protocol} server."))) Transfer Protocol} server.")))