services: opensmtpd: Make commands setgid to "smtpq" by default.

This is a patch that fixes "<executable name>: this program must be setgid smtpq". * gnu/services/mail.scm (<opensmtpd-configuration>)[setgid-commands?]: New field. (opensmtpd-set-gids): New procedure. (opensmtpd-service-type)[extensions]: Add SETUID-PROGRAM-SERVICE-TYPE extension. * doc/guix.texi (Mail Services): Document it. Co-authored-by: Ludovic Courtès <ludo@gnu.org>
2022-07-25 09:02:18 +00:00 · 2022-07-25 09:02:18 +00:00 · dd3cf14402
commit dd3cf14402
parent 432ea6446d
2 changed files with 48 additions and 2 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -25149,6 +25149,11 @@ it listens on the loopback network interface, and allows for mail from
 users and daemons on the local machine, as well as permitting email to
 remote servers.  Run @command{man smtpd.conf} for more information.

+@item @code{setgid-commands?} (default: @code{#t})
+Make the following commands setgid to @code{smtpq} so they can be
+executed: @command{smtpctl}, @command{sendmail}, @command{send-mail},
+@command{makemap}, @command{mailq}, and @command{newaliases}.
+@xref{Setuid Programs}, for more information on setgid programs.
@end table
@end deftp

--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@ -30,6 +30,7 @@
  #:use-module (gnu services shepherd)
  #:use-module (gnu system pam)
  #:use-module (gnu system shadow)
+  #:use-module (gnu system setuid)
  #:use-module (gnu packages mail)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages dav)
@ -1653,7 +1654,8 @@ by @code{dovecot-configuration}.  @var{config} may also be created by
  (package     opensmtpd-configuration-package
               (default opensmtpd))
  (config-file opensmtpd-configuration-config-file
-               (default %default-opensmtpd-config-file)))
+               (default %default-opensmtpd-config-file))
+  (setgid-commands? opensmtpd-setgid-commands? (default #t)))

 (define %default-opensmtpd-config-file
  (plain-file "smtpd.conf" "
@ -1714,6 +1716,43 @@ match from local for any action outbound
 (define %opensmtpd-pam-services
  (list (unix-pam-service "smtpd")))

+(define opensmtpd-set-gids
+  (match-lambda
+    (($ <opensmtpd-configuration> package config-file set-gids?)
+     (if set-gids?
+         (list
+          (setuid-program
+           (program (file-append package "/sbin/smtpctl"))
+           (setuid? #false)
+           (setgid? #true)
+           (group "smtpq"))
+          (setuid-program
+           (program (file-append package "/sbin/sendmail"))
+           (setuid? #false)
+           (setgid? #true)
+           (group "smtpq"))
+          (setuid-program
+           (program (file-append package "/sbin/send-mail"))
+           (setuid? #false)
+           (setgid? #true)
+           (group "smtpq"))
+          (setuid-program
+           (program (file-append package "/sbin/makemap"))
+           (setuid? #false)
+           (setgid? #true)
+           (group "smtpq"))
+          (setuid-program
+           (program (file-append package "/sbin/mailq"))
+           (setuid? #false)
+           (setgid? #true)
+           (group "smtpq"))
+          (setuid-program
+           (program (file-append package "/sbin/newaliases"))
+           (setuid? #false)
+           (setgid? #true)
+           (group "smtpq")))
+         '()))))
+
 (define opensmtpd-service-type
  (service-type
   (name 'opensmtpd)
@ -1727,7 +1766,9 @@ match from local for any action outbound
          (service-extension profile-service-type
                             (compose list opensmtpd-configuration-package))
          (service-extension shepherd-root-service-type
-                             opensmtpd-shepherd-service)))
+                             opensmtpd-shepherd-service)
+          (service-extension setuid-program-service-type
+                             opensmtpd-set-gids)))
   (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
 Transfer Protocol} server.")))