Submitted by RedKnot on Wed, 05/12/2010 - 10:22
I think this started since the last virtualmin update. By default our home directories are only readable by user and group (drwxr-x---) so users can't peek in each other's home dirs.
Status:
Active
Comments
Submitted by JamieCameron on Wed, 05/12/2010 - 12:57 Comment #1
Normally Virtualmin avoids this permissions issue by creating the directory /home/virtualmin or /var/virtualmin-autoreply, and hard linking from that directory to the files in users' homes.
Are those directories perhaps on different filesystems on your system?
Submitted by RedKnot on Wed, 06/02/2010 - 05:02 Comment #2
The dir /home/virtualmin-autoreply which contains
124626731310415-replies-user@example.com.dir & 124626731310415-replies-user@example.com.pag
files for autoreplies. In the homedir of the domain are
autoreply-user@example.com.txt
files.
ls -l /home/youngguns.nl/reply
-rw-r--r-- 1 youngguns.nl youngguns.nl 127 Jun 2 11:49 /home/youngguns.nl/autoreply-ar@youngguns.nl.txt
-rw-r--r-- 1 youngguns.nl youngguns.nl 2598 Dec 1 2009 /home/youngguns.nl/autoreply-ftptest@youngguns.nl.txt
-rw-r--r-- 1 youngguns.nl youngguns.nl 403 Jan 12 11:57 /home/youngguns.nl/autoreply-rob@youngguns.nl.txt
-rw-r--r-- 1 youngguns.nl youngguns.nl 373 May 19 13:57 /home/youngguns.nl/autoreply-sjors@youngguns.nl.txt
ls -l /home/virtualmin-autoreply/youngguns
-rwx------ 1 nobody nobody 4096 Jun 1 05:35 /home/virtualmin-autoreply/121382042816449-replies-rob@youngguns.nl.dir
-rwx------ 1 nobody nobody 16384 Jun 2 09:09 /home/virtualmin-autoreply/121382042816449-replies-rob@youngguns.nl.pag
-rwx------ 1 nobody nobody 4096 May 16 17:30 /home/virtualmin-autoreply/121382042816449-replies-sjors@youngguns.nl.dir
-rwx------ 1 nobody nobody 16384 May 19 13:54 /home/virtualmin-autoreply/121382042816449-replies-sjors@youngguns.nl.pag
I'm not sure why and when the .dir and .pag files are created; does this have something to do with the autoreply options (only reply between ... and only reply once per ...)?
I saw two files in the /home/virtualmin-autoreply dir which were owned by mailman:mailman but I don't know why this happens. I'm not able to reproduce this.
Postfix shows a successful delivery:
Jun 2 11:50:24 stevie.youngguns.nl postfix/local[22865]: [ID 197553 mail.info] 3E16034DCF: to=ar-youngguns.nl@stevie.youngguns.nl, orig_to=ar@youngguns.nl, relay=local, delay=2.3, delays=0.05/0/0/2.2, dsn=2.0.0, status=sent (delivered to command: /etc/webmin/virtual-server/autoreply.pl /home/youngguns.nl/autoreply-ar@youngguns.nl.txt ar@youngguns.nl )
I assume autoreply.pl is running as root?
ls -ldv /home/youngguns.nl/
drwxr-x---+ 11 youngguns.nl youngguns.nl 18 Jun 2 11:49 /home/youngguns.nl/
0:user:nobody:list_directory/read_data/execute:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
     /append_data/write_xattr/execute/write_attributes/write_acl
     /write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:list_directory/read_data/add_file/write_data
     /add_subdirectory/append_data/write_xattr/execute/write_attributes
     /write_acl/write_owner:deny
6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
ls -lv /home/youngguns.nl/autoreply-ar@youngguns.nl.txt
-rw-r--r-- 1 youngguns.nl youngguns.nl 26 Jun 2 12:00 /home/youngguns.nl/autoreply-ar@youngguns.nl.txt
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
     /write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
     /write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
     :allow
Text in 'bounce' mail when autoreply is enabled:
Failed to open autoreply file /home/youngguns.nl/autoreply-ar@youngguns.nl.txt : Permission denied
Submitted by JamieCameron on Wed, 06/02/2010 - 14:51 Comment #3
Are /home/virtualmin-autoreply and /home/youngguns.nl on different filesystems?
Submitted by RedKnot on Wed, 06/02/2010 - 15:22 Comment #4
They are automounted:
/home/virtualmin-autoreply on /export/home/virtualmin-autoreply read/write/setuid/devices/dev=2d50003 on Wed Jun 2 22:16:25 2010
/home/youngguns.nl on /export/home/youngguns.nl read/write/setuid/devices/dev=2d5009a on Tue Jun 1 16:23:26 2010
/export/home/youngguns.nl is a zfs filesystem (like all other homedirs)
tank/home/youngguns.nl 9.05G 975M 9.05G /export/home/youngguns.nl
/export/home/virtualmin-autoreply is just a dir in the root filesystem.
Submitted by JamieCameron on Thu, 06/03/2010 - 00:02 Comment #5
Ok, that explains it .. when they are auto-mounted, Virtualmin will not be able to create the hard link it needs to get around permissions issues from /home/virtualmin-autoreply.
Postfix reads autoreply files as the "nobody" user, so the only way it can read those files is if the domain's home directories are made world-readable (at least mode 751). However, you may want to avoid this for security reasons.
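A diagnostic for the two conditions discussed in comments #4 and #5, as an added example that is not Virtualmin's own code: whether the autoreply file and the link directory share a filesystem (hard links cannot cross devices), and which path components deny access to a non-owner such as "nobody". The function names and command-line arguments are hypothetical, and only classic mode bits are checked, not ZFS/NFSv4 ACL entries.

```python
import errno
import os
import stat
import sys


def same_filesystem(path_a, path_b):
    """True when both paths are on one device, which link(2) requires."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def try_hard_link(source, link_dir):
    """Attempt the hard link; return 'ok', 'cross-device' or the errno name."""
    target = os.path.join(link_dir, os.path.basename(source))
    try:
        os.link(source, target)
    except OSError as exc:
        if exc.errno == errno.EXDEV:  # e.g. a ZFS dataset vs. the root fs
            return "cross-device"
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return "ok"


def blocked_for_others(path, root="/"):
    """Return the path components, up to root, that deny a non-owner.

    The file itself needs o+r; every directory above it needs o+x.
    Only mode bits are inspected; ZFS/NFSv4 ACL entries are ignored.
    """
    blocked = []
    current, root = os.path.abspath(path), os.path.abspath(root)
    needed = stat.S_IROTH
    while True:
        if not os.stat(current).st_mode & needed:
            blocked.append(current)
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return blocked
        current, needed = parent, stat.S_IXOTH


if __name__ == "__main__" and len(sys.argv) == 3:
    reply_file, link_dir = sys.argv[1], sys.argv[2]  # hypothetical arguments
    print("same filesystem:", same_filesystem(reply_file, link_dir))
    print("blocked for others:", blocked_for_others(reply_file))
```

A home directory at mode 750 shows up in the blocked list, and the list empties once the directory carries the o+x bit of mode 751.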