mailcow-dockerized icon indicating copy to clipboard operation
mailcow-dockerized copied to clipboard

Published 20 hours ago verified publisher icon mailcow

Wrong owner of some rspamd config files

Open rkfg opened this issue 1 year ago • 2 comments

Contribution guidelines

I've found a bug and checked that ...

  • [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

In https://github.com/mailcow/mailcow-dockerized/blob/36b5cccd186090d726de62b6b00d1e842e67aacd/data/Dockerfiles/rspamd/docker-entrypoint.sh#L116 the owner of custom rspamd configs is set to 82:82. However, this causes these files to be read-only in the UI: 2024-05-01_19-46-01 If I chown them to 101:101 (the user that rspamd runs as) the files become available for editing and save normally. However, since this 82:82 chown is in the entrypoint script, restarting rspamd causes the files to become read only again. I'm not sure if it's some design decision I don't understand or a bug but it's pretty inconvenient because it becomes impossible to change the white/blacklists from the UI without changing the access rights via ssh first. The behavior is exactly the same on two separate instances I maintain (work and personal servers).

Logs:

Unrelated

Steps to reproduce:

1. Open /rspamd/#configuration
2. Many config files are read-only
3. Go to mailcow root dir
4. Do chown 101:101 data/conf/rspamd/custom/*
5. Refresh the rspamd tab
6. Files now can be changed

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12.5

Server/VM specifications:

VDS, 8 GB RAM, 4 CPUs

Is Apparmor, SELinux or similar active?

Apparmor is active

Virtualization technology:

KVM

Docker version:

20.10.24+dfsg1

docker-compose version or docker compose version:

v2.26.1

mailcow version:

2024-04

Reverse proxy:

Caddy

Logs of git diff:

diff --git a/data/conf/unbound/unbound.conf b/data/conf/unbound/unbound.conf
index 27110c04..90c16ee0 100644
--- a/data/conf/unbound/unbound.conf
+++ b/data/conf/unbound/unbound.conf
@@ -4,7 +4,7 @@ server:
   interface: ::0
   logfile: /dev/console
   do-ip4: yes
-  do-ip6: yes
+  do-ip6: no
   do-udp: yes
   do-tcp: yes
   do-daemonize: no

Logs of iptables -L -vn:

Unrelated

Logs of ip6tables -L -vn:

Unrelated

Logs of iptables -L -vn -t nat:

Unrelated

Logs of ip6tables -L -vn -t nat:

Unrelated

DNS check:

188.114.99.224
188.114.98.224

rkfg avatar May 01 '24 16:05 rkfg

You are able to change such files via mailcow interface, but when you change the owner you won't able to do that anymore I guess

MAGICCC avatar May 05 '24 09:05 MAGICCC

But I can't edit them in the rspamd UI. I think it'd be better to set ACL for rspamd as well so that both users can edit them. Or run rspamd as the same user. Or set the owner/mod only for the files that can be changed in mailcow UI, not all of them.

rkfg avatar May 05 '24 11:05 rkfg

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

milkmaker avatar Jul 05 '24 00:07 milkmaker