DevHeads.net

Curious startup warning

postfix v3.2.0
linux v4.4.103-36-default x86_64

Whenever postfix (re-)starts, the message below is emitted.
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning: group or other writable: /etc/postfix/./ssl/cacerts
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the Postfix mail system

Following the various paths yields the following directory listings:

$ ls -l .
drwxr-xr-x 1 root root 24 Nov 4 13:04 ssl/
$ ls -l ssl/
lrwxrwxrwx 1 root root 15 Nov 4 13:04 cacerts -> ../../ssl/certs/
drwxr-xr-x 1 root root 0 May 17 2017 certs/
$ ls -l /etc/
drwxr-xr-x 1 root root 146 Dec 15 02:29 ssl/
$ ls -l /etc/ssl/
lrwxrwxrwx 1 root root 28 Nov 4 12:49 certs -> /var/lib/ca-certificates/pem/
$ ls -l /
drwxr-xr-x 1 root root 234 Nov 4 13:04 var/
$ ls -l /var/
drwxr-xr-x 1 root root 1090 Jan 9 10:40 lib/
$ ls -l /var/lib/
drwxr-xr-x 1 root root 70 Nov 13 03:05 ca-certificates/
$ ls -l /var/lib/ca-certificates/
dr-xr-xr-x 1 root root 17324 Nov 13 03:05 pem/

Any real directories are not group/other writable. Only the links have
the writable attributes.
Are the links what triggers the warning message?

Comments

Re: Curious startup warning

By Bill Cole at 01/12/2018 - 17:58

Maybe...

What are the permissions of the directory /etc/postfix/ssl/ ? Note that
if any directory above the symlink or the real directory is
group-writable (or less likely and worse: world-writable) then it is
conceivable that a non-root member of the group could engineer a
replacement for the target directory.

OTOH, it is possible that Postfix is seeing the 777 permissions of the
symlink itself and griping about that. You can solve that with 'chmod
go-w /etc/postfix/./ssl/cacerts'
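
Added example, not part of the thread and not Postfix code: a shell function that walks a path such as /etc/postfix/./ssl/cacerts one symlink hop at a time and checks every real directory on the chain, including the directories that hold each link, for group/other write bits. The function names and the optional BASE argument are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Postfix code): audit each real component of a path.
# A symlink's own lrwxrwxrwx bits are not reported as findings; the
# directory holding each link and every directory on the resolved chain are.

# loose PATH: true if PATH itself (never followed) has g+w or o+w set.
loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_path PATH [BASE]: report every component, resolving symlinks one hop
# at a time. BASE (hypothetical convenience argument) names a directory that
# is trusted together with its ancestors. "/" itself is not checked.
# Returns 1 if a real component is group/other writable, 2 on a missing
# component or a symlink loop.
audit_path() {
    local todo="$1" base="${2:-}" cur="" comp next target rc=0 hops=0
    [ "${todo#/}" = "$todo" ] && todo=$PWD/$todo
    todo=${todo#/}
    while [ -n "$todo" ]; do
        comp=${todo%%/*}                       # next path component
        case $todo in */*) todo=${todo#*/} ;; *) todo="" ;; esac
        case $comp in
            ""|.) continue ;;
            ..)   cur=${cur%/*}; continue ;;   # cur holds no symlinks
        esac
        next=$cur/$comp
        if [ -L "$next" ]; then
            hops=$((hops + 1))
            [ "$hops" -gt 40 ] && { echo "loop:     $next"; return 2; }
            target=$(readlink "$next")
            echo "symlink:  $next -> $target (link mode ignored)"
            case $target in /*) cur="" ;; esac # absolute target restarts at /
            todo=${target#/}/$todo
            continue
        fi
        [ -e "$next" ] || { echo "missing:  $next"; return 2; }
        cur=$next
        case "$base/" in "$cur"/*) continue ;; esac   # at or above BASE
        if loose "$cur"; then
            echo "WRITABLE: $cur"; rc=1
        else
            echo "ok:       $cur"
        fi
    done
    return "$rc"
}
```

Calling `loose` directly on a symlink returns true on Linux, because a mode test that does not follow links sees the link's own 777 bits rather than the target's.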