From 16d3fc8365f217091d5e1adfff7263d5c666c6d3 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus
Date: Thu, 7 Sep 2023 21:31:20 +0200
Subject: [PATCH] services: postfix: Extend setuid-program-service-type.

* gnu/services/mail.scm (postfix-service-type): Set gid of postfix executables.
---
 gnu/services/mail.scm | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 93987ebd69..0e6103c8d1 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -94,6 +94,7 @@ (define-module (gnu services mail)
 postfix-configuration-data-directory
 postfix-configuration-user
 postfix-configuration-group
+ postfix-configuration-setgid-commands?
 postfix-service-type))
@@ -2025,6 +2026,7 @@ (define-record-type*
 (default "/var/lib/postfix"))
 (meta-directory postfix-configuration-meta-directory
 (default #f))
+ (setgid-commands? postfix-configuration-setgid-commands? (default #t))
 (user postfix-configuration-user
 (default "postfix"))
 (group postfix-configuration-group
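Review bot: The new `setgid-commands?` field in the second hunk defaults to `#t` and has no comment, and the diffstat shows only gnu/services/mail.scm changed, so the manual does not describe it either. Because the default is on, existing users of the service would presumably gain set-gid programs at their next reconfigure without touching their configuration (inferred from the extension added in the last hunk). A comment above the field such as `;; Whether to install Postfix's queue commands set-gid to GROUP.` plus a matching manual entry would make that privilege change visible. The record definition starts and ends outside this hunk.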
@@ -2135,12 +2137,41 @@ (define (postfix-shepherd-service config)
 (start (postfix-action "start"))
 (stop (postfix-action "stop")))))))
+(define (postfix-set-gids config)
+ (match-record config
+ (postfix setgid-commands? group)
+ (if setgid-commands?
+ (list
+ (setuid-program
+ (program (file-append postfix "/bin/mailq"))
+ (setuid? #false)
+ (setgid? #true)
+ (group group))
+ (setuid-program
+ (program (file-append postfix "/bin/sendmail"))
+ (setuid? #false)
+ (setgid? #true)
+ (group group))
+ (setuid-program
+ (program (file-append postfix "/sbin/postqueue"))
+ (setuid? #false)
+ (setgid? #true)
+ (group group))
+ (setuid-program
+ (program (file-append postfix "/sbin/postdrop"))
+ (setuid? #false)
+ (setgid? #true)
+ (group group)))
+ '())))
+
 (define postfix-service-type
 (service-type
 (name 'postfix)
- (extensions (list (service-extension account-service-type postfix-accounts)
- (service-extension activation-service-type postfix-activation)
- (service-extension shepherd-root-service-type postfix-shepherd-service)
- (service-extension mail-aliases-service-type (const '()))))
+ (extensions
+ (list (service-extension account-service-type postfix-accounts)
+ (service-extension activation-service-type postfix-activation)
+ (service-extension shepherd-root-service-type postfix-shepherd-service)
+ (service-extension mail-aliases-service-type (const '()))
+ (service-extension setuid-program-service-type postfix-set-gids)))
 (description "Run the Postfix MTA.")
 (default-value (postfix-configuration))))
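Review bot: `postfix-set-gids` marks `/bin/sendmail` and `/bin/mailq` set-gid alongside `postqueue` and `postdrop`, which gives the group privilege to more code than Postfix is designed for. Postfix documents its sendmail command as deliberately not set-uid or set-gid, since it parses untrusted input and hands queue access to postdrop and postqueue, and mailq is the same program under another name. I would keep only the two `/sbin` entries and build them from a list, so the four near-identical `setuid-program` forms collapse into one. Separately, `group` here is the service's configured group; if that is also the group the Postfix daemons run under, upstream expects the set-gid group (its `setgid_group` setting) to be a separate, dedicated one, which is worth confirming against the part of the record not visible in this patch.

```scheme
(define (postfix-set-gids config)
  ;; … unchanged: match-record header and the setgid-commands? test …
        ;; Only the queue-access commands get the set-gid bit; sendmail
        ;; and mailq stay unprivileged and go through these two.
        (map (lambda (command)
               (setuid-program
                (program (file-append postfix command))
                (setuid? #false)
                (setgid? #true)
                (group group)))
             '("/sbin/postqueue" "/sbin/postdrop"))
  ;; … unchanged: '() alternative when setgid-commands? is false …
```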