From f0d47c51954819ddc5b2d496a7d98c75dccd1417 Mon Sep 17 00:00:00 2001
From: anti
Date: Thu, 30 Apr 2026 12:25:37 -0400
Subject: [PATCH] fix(smtp): chmod quarantine dir before dropping to logrelay

The bind-mounted quarantine dir is owned by the host decnet user; the logrelay process had no write access because the Dockerfile USER directive pre-applied before the entrypoint could fix permissions. Run entrypoint as root, chmod 0777 the quarantine dir, then exec the server under logrelay via su.
---
 decnet/templates/smtp/Dockerfile | 3 ++-
 decnet/templates/smtp/entrypoint.sh | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/decnet/templates/smtp/Dockerfile b/decnet/templates/smtp/Dockerfile
index 68d28efa..d8a695c0 100644
--- a/decnet/templates/smtp/Dockerfile
+++ b/decnet/templates/smtp/Dockerfile
@@ -20,5 +20,6 @@ RUN useradd -r -s /bin/false -d /opt logrelay \
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
 CMD kill -0 1 || exit 1
 
-USER logrelay
+# Entrypoint runs as root so it can fix quarantine dir permissions before
+# dropping to logrelay via su.
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/decnet/templates/smtp/entrypoint.sh b/decnet/templates/smtp/entrypoint.sh
index c830b733..528bdacf 100644
--- a/decnet/templates/smtp/entrypoint.sh
+++ b/decnet/templates/smtp/entrypoint.sh
@@ -1,3 +1,12 @@
 #!/bin/bash
 set -e
-exec python3 /opt/server.py
+
+# Fix quarantine dir permissions before dropping privileges — the dir is
+# bind-mounted from the host (owned by the decnet user) and must be writable
+# by the logrelay process inside the container.
+if [ -n "$SMTP_QUARANTINE_DIR" ]; then
+ mkdir -p "$SMTP_QUARANTINE_DIR"
+ chmod 0777 "$SMTP_QUARANTINE_DIR"
+fi
+
+exec su -s /bin/sh logrelay -c "exec python3 /opt/server.py"
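Review bot: With `USER logrelay` removed in decnet/templates/smtp/Dockerfile, root becomes the image's default user, so the `HEALTHCHECK` command, any `docker exec` session and any run that overrides the entrypoint execute as root; the only remaining privilege drop is the `su` call in entrypoint.sh. The added comment should state that invariant for the next maintainer, e.g. `# No USER directive: /entrypoint.sh MUST drop to logrelay before starting the server; exec sessions and the healthcheck run as root.` If the only goal is write access to the bind mount, an option that keeps `USER logrelay` is to give logrelay a fixed uid/gid in the `useradd` line and have the host side grant that id access to the directory. Whether that fits the deployment cannot be judged from this hunk, and the `RUN useradd` instruction itself starts outside it.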
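Review bot: `chmod 0777 "$SMTP_QUARANTINE_DIR"` in entrypoint.sh also changes the mode of the host directory behind the bind mount, and with no sticky bit it leaves the quarantine store writable by every local account on the host and by anything else that mounts it, so quarantined messages can be deleted or replaced by parties other than logrelay. Granting access through the group keeps the host owner's access without opening the directory to everyone: `chgrp logrelay "$SMTP_QUARANTINE_DIR"` followed by `chmod 2770 "$SMTP_QUARANTINE_DIR"`. This assumes `useradd` created a logrelay group, and the gid mapping needs checking if user-namespace remapping is in use. Separately, with the util-linux or shadow `su` (the base image is not visible here) `exec su ... -c` typically leaves `su` as PID 1 with python as its child, so the Dockerfile's `kill -0 1` healthcheck would probe `su` rather than the server. Where `setpriv` is available, `exec setpriv --reuid=logrelay --regid=logrelay --init-groups python3 /opt/server.py` drops privileges without the extra process.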