From b04b6c9397fffb52e5fa05f1c505807972e3441d Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Mon, 17 Feb 2025 15:26:23 +1300
Subject: [PATCH] fix: Ensure `/var/log/mail` permissions + ownership are correct
---
 target/scripts/startup/setup-stack.sh | 30 +++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 789dc0c7..9f9cbb19 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -82,6 +82,8 @@ function _setup_timezone() {
 fi
 }
+# Misc checks and fixes migrated here until next refactor:
+# NOTE: `start-mailserver.sh` runs this along with `mail-state.sh` during container restarts
 function _setup_directory_and_file_permissions() {
 _log 'trace' 'Removing leftover PID files from a stop/start'
 find /var/run/ -not -name 'supervisord.pid' -name '*.pid' -delete
@@ -101,6 +103,8 @@ function _setup_directory_and_file_permissions() {
 _log 'debug' "Ensuring '${RSPAMD_DMS_DKIM_D}' is owned by '_rspamd:_rspamd'"
 chown -R _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}"
 fi
+
+  __log_fixes
 }
 function _setup_run_user_patches() {
@@ -113,3 +117,29 @@ function _setup_run_user_patches() {
 _log 'trace' "No optional '${USER_PATCHES}' provided"
 fi
 }
+
+function __log_fixes() {
+ _log 'debug' 'Ensuring /var/log/mail owneership + permissions are correct'
+
+ # File/folder permissions are fine when using docker volumes, but may be wrong
+ # when file system folders are mounted into the container.
+ # Set the expected values and create missing folders/files just in case.
+ mkdir -p /var/log/{mail,supervisor}
+
+ # TODO: Remove these lines in a future release once concerns are resolved:
+ # https://github.com/docker-mailserver/docker-mailserver/pull/4370#issuecomment-2661762043
+ chown syslog:root /var/log/mail
+ # TODO: Consider assigning /var/log/mail a writable non-root group for other processes like ClamAV?
+ - Check if ClamAV is capable of creating files itself when they're missing?
+ - Alternatively a symlink to /var/log/mail from the original intended location would allow write access
+ as a user to the symlink location, while keeping ownership as root at /var/log/mail
+ - `LogSyslog false` for clamd.conf + freshclam.conf could possibly be enabled instead of log files?
+ However without better filtering in place (once Vector is adopted), this should be avoided.
+ touch /var/log/mail/{clamav,freshclam}.log
+ chown clamav:adm /var/log/mail/{clamav,freshclam}.log
+
+ # Volume permissions should be corrected:
+ # https://github.com/docker-mailserver/docker-mailserver-helm/issues/137
+ chmod 755 /var/log/mail/
+ chmod 640 /var/log/mail/*
+}
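Review bot: `chmod 640 /var/log/mail/*` at the end of `__log_fixes` is applied to every non-hidden entry the glob matches, so if a host-mounted /var/log/mail happens to contain a subdirectory or a symlink, the directory loses its traverse bit and chmod follows the symlink and changes its target's mode instead. Limiting the pass to regular files in the directory itself avoids both cases: `find /var/log/mail -maxdepth 1 -type f -exec chmod 640 -- {} +`. The `touch` and `chown clamav:adm` lines dereference symlinks the same way if either log path already exists as one, which is worth stating in the comment block since mounted host directories are the stated motivation. The debug message on the first line of the function misspells ownership: `_log 'debug' 'Ensuring /var/log/mail ownership + permissions are correct'`.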