author | Jason Unovitch <junovitch@FreeBSD.org> | 2016-05-01 01:13:06 +0000 |
---|---|---|
committer | Jason Unovitch <junovitch@FreeBSD.org> | 2016-05-01 01:13:06 +0000 |
commit | 2e4733463a4bc714bc94da00e4e9da9f56fdd703 (patch) | |
tree | 3afde4310eacf906074e9fc3c2684964c5c5aa75 /mail/dspam/files | |
parent | - Update to 0.36.1 (diff) |
mail/dspam: implement privilege separation (resolves bug running with suexec)
- Runs as dspam:dspam instead of root:mail. The dspam UID/GID were created
in r168311 when the UIDs/GIDs files were added but the port had always
used root:mail. This had prevented running the dspam webUI under Apache
with suexec due to a minimal requirement of UID/GID of 100. The original
insecure behavior is available with the SETUID option.
- Default run directory is now /var/run/dspam. This follows the default
upstream behavior and removes the patch to dspam.c as a result. Use
RUN_DIR and correct the dspam.conf.sample file accordingly.
- Default daemon/client communication port is now 2424.
- Regen patches while here (portlint)
UPDATING: Document privilege separated dspam
PR: 115957
Reported by: tedm@ipinc.net, support@ipinc.net
Submitted by: Danny Warren <danny@dannywarren.com> (maintainer)
Notes
Notes:
svn path=/head/; revision=414374
Diffstat (limited to 'mail/dspam/files')
-rw-r--r-- | mail/dspam/files/UPDATING | 13 | ||||
-rw-r--r-- | mail/dspam/files/dspam.in | 4 | ||||
-rw-r--r-- | mail/dspam/files/patch-src__Makefile.in | 6 | ||||
-rw-r--r-- | mail/dspam/files/patch-src__client.c | 22 | ||||
-rw-r--r-- | mail/dspam/files/patch-src__daemon.c | 22 | ||||
-rw-r--r-- | mail/dspam/files/patch-src__dspam.c | 11 | ||||
-rw-r--r-- | mail/dspam/files/patch-src__dspam.conf.in | 35 |
7 files changed, 89 insertions, 24 deletions
diff --git a/mail/dspam/files/UPDATING b/mail/dspam/files/UPDATING index 04ed4d35dddb..2baf17d716d4 100644 --- a/mail/dspam/files/UPDATING +++ b/mail/dspam/files/UPDATING @@ -17,6 +17,19 @@ in the port directory: make extract; more `find . -type f -maxdepth 2 -name UPGRADING` ########################################################################### +# dspam-3.10.2_2 +# + +Port Changes: +- Runs as dspam:dspam instead of root:mail [1] +- Default run directory is now /var/run/dspam [1] +- Default daemon/client communication port is now 2424 [1] +- New SETUID option to enable old insecure behavior [1] + +[1] Questionable ownership and security on mail/dspam (PR #115957) + + +########################################################################### # dspam-3.10.2 # diff --git a/mail/dspam/files/dspam.in b/mail/dspam/files/dspam.in index bab6ec7dc541..9c17ae47eb19 100644 --- a/mail/dspam/files/dspam.in +++ b/mail/dspam/files/dspam.in @@ -25,7 +25,9 @@ load_rc_config $name #defaults : ${dspam_enable="NO"} : ${dspam_debug="NO"} -: ${dspam_pidfile:-/var/run/dspam.pid} +: ${dspam_pidfile:-/var/run/dspam/dspam.pid} +: ${dspam_user="%%DSPAM_OWNER%%"} +: ${dspam_group="%%DSPAM_GROUP%%"} command=%%PREFIX%%/bin/${name} diff --git a/mail/dspam/files/patch-src__Makefile.in b/mail/dspam/files/patch-src__Makefile.in index d4c6c5894e95..42e057050c4e 100644 --- a/mail/dspam/files/patch-src__Makefile.in +++ b/mail/dspam/files/patch-src__Makefile.in @@ -1,6 +1,6 @@ ---- src/Makefile.in.orig 2014-05-14 17:35:13.000000000 -0300 -+++ src/Makefile.in 2014-05-14 17:35:48.000000000 -0300 -@@ -1117,11 +1117,11 @@ +--- src/Makefile.in.orig 2012-04-23 17:53:45 UTC ++++ src/Makefile.in +@@ -1249,11 +1249,11 @@ install-exec-hook: mkdir -p $(DESTDIR)$(sysconfdir); \ chmod 755 $(DESTDIR)$(sysconfdir); \ fi diff --git a/mail/dspam/files/patch-src__client.c b/mail/dspam/files/patch-src__client.c new file mode 100644 index 000000000000..e960ce553c41 --- /dev/null 
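Review bot: The `dspam_pidfile` default in dspam.in still uses `:-`, which only expands to the fallback and never assigns it, unlike the `=` form on the `dspam_enable`, `dspam_user` and `dspam_group` lines next to it. Unless rc.conf sets the variable, `dspam_pidfile` stays unset for whatever the rest of the script does with it, which lies outside this hunk. I would write `: ${dspam_pidfile="/var/run/dspam/dspam.pid"}`. Because the daemon is now started as `%%DSPAM_OWNER%%`, a comment here should also state that /var/run/dspam must exist and be writable by that user before start; whether the port or the script creates it is not visible in this diff.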
+++ b/mail/dspam/files/patch-src__client.c
@@ -0,0 +1,22 @@
+--- src/client.c.orig 2012-04-11 18:48:33 UTC
++++ src/client.c
+@@ -304,7 +304,7 @@ int client_connect(AGENT_CTX *ATX, int f
+ struct sockaddr_un saun;
+ int sockfd;
+ int yes = 1;
+- int port = 24;
++ int port = 2424;
+ int domain = 0;
+ int addr_len;
+ char *host;
+--- src/client.c.orig 2012-04-11 18:48:33 UTC
++++ src/client.c
+@@ -304,7 +304,7 @@ int client_connect(AGENT_CTX *ATX, int f
+ struct sockaddr_un saun;
+ int sockfd;
+ int yes = 1;
+- int port = 24;
++ int port = 2424;
+ int domain = 0;
+ int addr_len;
+ char *host;
diff --git a/mail/dspam/files/patch-src__daemon.c b/mail/dspam/files/patch-src__daemon.c
new file mode 100644
index 000000000000..3fee692297c2
--- /dev/null
+++ b/mail/dspam/files/patch-src__daemon.c
@@ -0,0 +1,22 @@
+--- src/daemon.c.orig 2012-04-11 18:48:33 UTC
++++ src/daemon.c
+@@ -97,7 +97,7 @@ int daemon_listen(DRIVER_CTX *DTX) {
+ int domain = 0; /* listening on domain socket? */
+ int listener; /* listener fd */
+ int i;
+- int port = 24, queue = 32; /* default port and queue size */
++ int port = 2424, queue = 32; /* default port and queue size */
+
+ signal(SIGPIPE, SIG_IGN);
+ signal(SIGINT, process_signal);
+--- src/daemon.c.orig 2012-04-11 18:48:33 UTC
++++ src/daemon.c
+@@ -97,7 +97,7 @@ int daemon_listen(DRIVER_CTX *DTX) {
+ int domain = 0; /* listening on domain socket? */
+ int listener; /* listener fd */
+ int i;
+- int port = 24, queue = 32; /* default port and queue size */
++ int port = 2424, queue = 32; /* default port and queue size */
+
+ signal(SIGPIPE, SIG_IGN);
+ signal(SIGINT, process_signal);
diff --git a/mail/dspam/files/patch-src__dspam.c b/mail/dspam/files/patch-src__dspam.c
deleted file mode 100644
index 9234ef2a52cb..000000000000
--- a/mail/dspam/files/patch-src__dspam.c
+++ /dev/null
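Review bot: The new patch-src__client.c contains the same 11-line patch twice: the hunk header says `+1,22` and the block from `--- src/client.c.orig` through `char *host;` repeats verbatim. patch-src__daemon.c has the same duplication. Once the first copy has changed `int port = 24;`, the second copy's removed line no longer matches, so depending on the patch arguments the port uses it is either skipped as already applied or rejected. This looks like a regeneration artifact, and each file should keep a single copy of its hunk.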
@@ -1,11 +0,0 @@ ---- src/dspam.c.orig 2012-04-11 11:48:33.000000000 -0700 -+++ src/dspam.c 2014-09-23 19:43:09.688194417 -0700 -@@ -4194,7 +4194,7 @@ - - pidfile = _ds_read_attribute(agent_config, "ServerPID"); - if ( pidfile == NULL ) -- pidfile = "/var/run/dspam/dspam.pid"; -+ pidfile = "/var/run/dspam.pid"; - - if (pidfile) { - FILE *file; diff --git a/mail/dspam/files/patch-src__dspam.conf.in b/mail/dspam/files/patch-src__dspam.conf.in index b3c48fb130bd..cc9897cff25c 100644 --- a/mail/dspam/files/patch-src__dspam.conf.in +++ b/mail/dspam/files/patch-src__dspam.conf.in @@ -1,6 +1,6 @@ ---- src/dspam.conf.in.orig 2014-09-18 00:33:02.874722063 -0700 -+++ src/dspam.conf.in 2014-09-18 00:41:49.434685786 -0700 -@@ -56,6 +56,7 @@ +--- src/dspam.conf.in.orig 2012-04-11 18:48:33 UTC ++++ src/dspam.conf.in +@@ -56,6 +56,7 @@ TrustedDeliveryAgent "@delivery_agent@" # necessary if you plan on allowing untrusted processing. # #UntrustedDeliveryAgent "/usr/bin/procmail -d %u" @@ -8,7 +8,7 @@ # # SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP -@@ -350,7 +351,7 @@ +@@ -350,7 +351,7 @@ AllowOverride notifications # Storage driver settings: Specific to a particular storage driver. Uncomment # the configuration specific to your installation, if applicable. # @@ -17,7 +17,7 @@ #MySQLPort #MySQLUser dspam #MySQLPass changeme -@@ -361,7 +362,7 @@ +@@ -361,7 +362,7 @@ AllowOverride notifications # If you are using replication for clustering, you can also specify a separate # server to perform all writes to. # @@ -26,7 +26,7 @@ #MySQLWritePort #MySQLWriteUser dspam #MySQLWritePass changeme -@@ -406,7 +407,7 @@ +@@ -406,7 +407,7 @@ AllowOverride notifications # in /var/run/postgresql/.s.PGSQL.5432 specify just the path where the socket # resits (without .s.PGSQL.5432). 
@@ -35,12 +35,24 @@ #PgSQLPort #PgSQLUser dspam #PgSQLPass changeme -@@ -845,14 +846,14 @@ +@@ -807,9 +808,9 @@ Opt out + # interfaces. + # + #ServerHost 127.0.0.1 +-#ServerPort 24 ++#ServerPort 2424 + #ServerQueueSize 32 +-#ServerPID /var/run/dspam.pid ++#ServerPID /var/run/dspam/dspam.pid + + # + # ServerMode specifies the type of LMTP server to start. This can be one of: +@@ -845,18 +846,18 @@ Opt out # you are running the client and server on the same machine, as it eliminates # much of the bandwidth overhead. # -#ServerDomainSocketPath "/tmp/dspam.sock" -+#ServerDomainSocketPath "/var/run/dspam.sock" ++#ServerDomainSocketPath "/var/run/dspam/dspam.sock" # # Client Mode: If you are running DSPAM in client/server mode, uncomment and @@ -48,7 +60,12 @@ # a domain socket. # -#ClientHost /tmp/dspam.sock -+#ClientHost /var/run/dspam.sock ++#ClientHost /var/run/dspam/dspam.sock #ClientIdent "secret@Relay1" # #ClientHost 127.0.0.1 +-#ClientPort 24 ++#ClientPort 2424 + #ClientIdent "secret@Relay1" + + # --- RABL --- |
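Review bot: The sample now shows `#ServerPort 2424` and `#ClientPort 2424` without saying what changes when the listener leaves the privileged range. On port 24 only root could bind, whereas 2424 can be bound by any local account, so a client can no longer infer from the port alone that it is talking to the real daemon. I would add a comment above `#ServerPort 2424`, for example `# Port 2424 is unprivileged; for same-host client/server use prefer ServerDomainSocketPath below.` The new socket path `/var/run/dspam/dspam.sock` also relies on the directory's mode to decide which accounts may connect; that mode is set outside this diff, so the sample should state it as well.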