1 |
commit: c8fe3982751aa4881b42f89ed080b210c4529c81 |
2 |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sat Nov 17 15:09:21 2018 +0000 |
4 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Nov 18 23:23:57 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8fe3982 |
7 |
|
8 |
mail-filter/amavisd-new: new version 2.11.1. |
9 |
|
10 |
A mostly standard version bump (bug 668494) with some improvements and |
11 |
bug fixes piled on: |
12 |
|
13 |
* The sys-apps/file dependency is replaced by dev-perl/File-LibMagic |
14 |
to improve performance a bit (bug 592802). |
15 |
|
16 |
* New user creation has been moved to pkg_setup(). This allows us to |
17 |
set permissions and ownership properly in src_install(), so that |
18 |
we don't have to "fix" them later and cause big ol' security |
19 |
problems (bug 630836). |
20 |
|
21 |
* The OpenRC service script has been rewritten to use start-stop-daemon. |
22 |
This fixes outstanding bugs 507352, 634860, and 646336. |
23 |
|
24 |
* The systemd service dependencies have been updated (bug 581452). We |
25 |
never really needed spamassassin (spamd) at all, and we shouldn't fail |
26 |
to start if postfix/clamav are absent entirely. |
27 |
|
28 |
* As part of the previous item, removed two failing "sed" calls |
29 |
(that were missing die() statements!) intended to modify a service |
30 |
file that no longer lives where it used to. |
31 |
|
32 |
Thanks are due to, |
33 |
|
34 |
* Marcin Mirosław who reported an OpenRC issue, |
35 |
* Nick Wiltshire for reporting and testing the OpenRC fixes, |
36 |
* Robin Lutz for reporting the OpenRC restart issue, |
37 |
* Timo Rothenpieler for reporting the systemd dependency issue. |
38 |
|
39 |
Bug: https://bugs.gentoo.org/630836 |
40 |
Closes: https://bugs.gentoo.org/507352 |
41 |
Closes: https://bugs.gentoo.org/581452 |
42 |
Closes: https://bugs.gentoo.org/592802 |
43 |
Closes: https://bugs.gentoo.org/634860 |
44 |
Closes: https://bugs.gentoo.org/646336 |
45 |
Closes: https://bugs.gentoo.org/668494 |
46 |
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org> |
47 |
Package-Manager: Portage-2.3.51, Repoman-2.3.11 |
48 |
|
49 |
mail-filter/amavisd-new/Manifest | 1 + |
50 |
...-2.11.0-r4.ebuild => amavisd-new-2.11.1.ebuild} | 68 ++++++++++++---------- |
51 |
mail-filter/amavisd-new/files/amavisd.initd-r2 | 42 +++++++++++++ |
52 |
mail-filter/amavisd-new/files/amavisd.service-r1 | 21 +++++++ |
53 |
4 files changed, 101 insertions(+), 31 deletions(-) |
54 |
|
55 |
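diff --git a/mail-filter/amavisd-new/Manifest b/mail-filter/amavisd-new/Manifest
index 44fb609486f..7b3a4228338 100644
--- a/mail-filter/amavisd-new/Manifest
+++ b/mail-filter/amavisd-new/Manifest
@@ -1 +1,2 @@
+DIST amavis-amavisd-new-2.11.1.tar.gz 1093467 BLAKE2B 1e43ddea86ff269b02cbbcd125d913c51b66728b1063cde6ca3f3f24f1bd36f9f3c7f51a8baf509d2aca0d41a07a00bb9abe08dd70724391c552634715d01a75 SHA512 6ef291868908bd13d6ce913f5c8c3898b35eba490877e8eded3951a32be7549145df5db1409f124a3631ec88dd7eeb9457ce2b063ae3e3bccd76cc2a9b8741ae
 DIST amavisd-new-2.11.0.tar.xz 780548 BLAKE2B 59cea5219a737275411c08c7d137ff2109ebbfee8f5f567d80e0cd73cfbb22887dd186383bfd02ad9880e099e0c06b829de43b9e12dbc3151813533166e51654 SHA512 a33292c976abf54db9475392069658c926e7a6f11a4970bbe353b34b3343388bc83b40eda4729f8efa735a3a6e23fd1ed83487f6f7ccf1e9f0903220e6d26957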
63 |
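diff --git a/mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild b/mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild
similarity index 79%
rename from mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild
rename to mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild
index 0efc27e6454..3b4205bb331 100644
--- a/mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild
+++ b/mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild
@@ -1,13 +1,12 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
 inherit systemd user
 
-MY_P="${P/_/-}"
 DESCRIPTION="High-performance interface between the MTA and content checkers"
-HOMEPAGE="https://www.ijs.si/software/amavisd/"
-SRC_URI="https://www.ijs.si/software/amavisd/${MY_P}.tar.xz"
+HOMEPAGE="https://gitlab.com/amavis/amavis"
+SRC_URI="${HOMEPAGE}/-/archive/${P}/amavis-${P}.tar.gz"
 PORTAGE_DOHTML_WARN_ON_SKIPPED_FILES=yes
 
 LICENSE="GPL-2 BSD-2"
@@ -51,7 +50,7 @@ RDEPEND="${DEPEND}
 >=virtual/perl-Time-HiRes-1.49
 dev-perl/Unix-Syslog
 dev-perl/Net-LibIDN
- sys-apps/file
+ dev-perl/File-LibMagic
 >=sys-libs/db-4.4.20
 dev-perl/BerkeleyDB
 dev-perl/Convert-BinHex
@@ -70,7 +69,14 @@ RDEPEND="${DEPEND}
 zmq? ( dev-perl/ZMQ-LibZMQ3 )"
 
 AMAVIS_ROOT="/var/amavis"
-S="${WORKDIR}/${MY_P}"
+S="${WORKDIR}/amavis-${P}"
+
+pkg_setup() {
+ # Create the user beforehand so that we can install the config file
+ # (and some directories) with group "amavis" in src_install().
+ enewgroup amavis
+ enewuser amavis -1 -1 "${AMAVIS_ROOT}" amavis
+}
 
 src_prepare() {
 # amavisd-new version 2.11.0 breaks DKIM signing of outbound mail,
@@ -103,8 +109,9 @@ src_prepare() {
 if ! use spamassassin ; then
 sed -i -e \
 "/^#[[:space:]]*@bypass_spam_checks_maps[[:space:]]*=[[:space:]]*(1)/s/^#//" \
- "${S}/amavisd.conf" || die "missing conf file - sa"
+ "${S}/amavisd.conf" || die "missing conf file - sa"
 fi
+
 eapply_user
 }
 
@@ -125,21 +132,32 @@ src_install() {
 newinitd "${FILESDIR}"/amavis-mc.initd amavis-mc
 fi
 
+ if use ldap ; then
+ dodir /etc/openldap/schema
+ insinto /etc/openldap/schema
+ newins LDAP.schema ${PN}.schema || die
+ fi
+
+ # The config file should be root:amavis so that the amavis user can
+ # read (only) it after dropping privileges. And of course he should
+ # own everything in his home directory.
 insinto /etc
- insopts -m0640
+ insopts -m0640 -g amavis
 doins amavisd.conf
 
- newinitd "${FILESDIR}/amavisd.initd-r1" amavisd
+ # Implementation detail? Keepdir calls dodir under the hood.
+ diropts -o amavis -g amavis
+ keepdir "${AMAVIS_ROOT}"/{,db,quarantine,tmp,var}
 
- systemd_dounit "${FILESDIR}/amavisd.service"
- use clamav || sed -i -e '/Wants=clamd/d' "${ED}"/usr/lib/systemd/system/amavisd.service
- use spamassassin || sed -i -e '/Wants=spamassassin/d' "${ED}"/usr/lib/systemd/system/amavisd.service
+ # BEWARE:
+ #
+ # Anything below this line is using the mangled insopts/diropts from
+ # above!
+ #
 
- keepdir "${AMAVIS_ROOT}"
- keepdir "${AMAVIS_ROOT}/db"
- keepdir "${AMAVIS_ROOT}/quarantine"
- keepdir "${AMAVIS_ROOT}/tmp"
- keepdir "${AMAVIS_ROOT}/var"
+ newinitd "${FILESDIR}/amavisd.initd-r2" amavisd
+
+ systemd_dounit "${FILESDIR}/amavisd.service-r1"
 
 dodoc AAAREADME.first INSTALL MANIFEST RELEASE_NOTES TODO \
 amavisd.conf-default amavisd-custom.conf
@@ -155,18 +173,11 @@ src_install() {
 docinto test-messages
 dodoc test-messages/README
 dodoc test-messages/sample.tar.gz.compl
-
- if use ldap ; then
- dodir /etc/openldap/schema
- insinto /etc/openldap/schema
- insopts -o root -g root -m 644
- newins LDAP.schema ${PN}.schema || die
- fi
 }
 
 pkg_preinst() {
- enewgroup amavis
- enewuser amavis -1 -1 "${AMAVIS_ROOT}" amavis
+ # TODO: the following is done as root, but should probably be done
+ # as the amavis user.
 if use razor ; then
 if [ ! -d "${ROOT}${AMAVIS_ROOT}/.razor" ] ; then
 elog "Setting up initial razor config files..."
@@ -177,8 +188,3 @@ pkg_preinst() {
 fi
 fi
 }
-
-pkg_postinst() {
- chown root:amavis "${ROOT}/etc/amavisd.conf"
- chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}"
-}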
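Review bot: The `insopts -m0640 -g amavis` and `diropts -o amavis -g amavis` calls in src_install() stay in effect for everything after them, and the added BEWARE comment documents that leak instead of closing it. A `doins`, `dodir` or `keepdir` added further down at a later date would quietly produce group-amavis files or amavis-owned directories outside `${AMAVIS_ROOT}`, which is the kind of ownership mistake bug 630836 was about. Resetting right after the `keepdir` line with `insopts -m0644` and `diropts -m0755` would let the BEWARE block go away. src_install() starts and ends outside the visible hunks, so whether anything below currently depends on the changed options cannot be confirmed from here.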
197 |
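diff --git a/mail-filter/amavisd-new/files/amavisd.initd-r2 b/mail-filter/amavisd-new/files/amavisd.initd-r2
new file mode 100644
index 00000000000..2e58bf9b7a9
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.initd-r2
@@ -0,0 +1,42 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands="reload"
+command="/usr/sbin/${RC_SVCNAME}"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+# Why run in the foreground? Typically amavisd will drop privileges
+# and then write its own PID file in its home directory. This is fine
+# so long as you use e.g. "amavisd stop" to stop the daemon. But, we
+# want to use start-stop-daemon to do it. And start-stop-daemon will
+# send a signal *as root* to the PID contained in the PID file. So, we
+# don't want to rely on a PID file that's controlled by a non-root
+# user.
+#
+# As a workaround, we run amavisd in the foreground, and let
+# start-stop-daemon push it into the background with its own PID
+# file. We don't pass "-P" via command_args below because we don't
+# want amavisd to try (and fail) to create that PID file. This does
+# mean that you can't run "amavisd stop" or "amavisd reload" directly;
+# sorry!
+command_args="foreground"
+command_background="true"
+
+# The amavisd daemon provides its own "stop" and "reload" functions,
+# but if you read into the source, they just do what start-stop-daemon
+# is going to do anyway. The "stop" command for amavisd will send a
+# SIGTERM immediately, and then a SIGKILL after 60 seconds. So, we do
+# that too. The "reload" command sends a SIGHUP; see reload() below.
+retry="SIGTERM/15 SIGKILL/60"
+
+depend() {
+ use net logger antivirus snmpd
+ before mta
+}
+
+reload() {
+ ebegin "Reloading ${RC_SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $?
+}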
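Review bot: Nothing in this script sets the account the daemon starts under, so start-stop-daemon launches `/usr/sbin/${RC_SVCNAME}` as root and the privilege drop depends entirely on what amavisd.conf configures (the header comment only says "typically"). The systemd unit added in the same commit starts the same binary with `User=amavis`, so `command_user="amavis:amavis"` next to `command_background="true"` would probably work here as well. The `/run/${RC_SVCNAME}.pid` file is created by start-stop-daemon rather than by amavisd and should be unaffected, though that is worth confirming. If some configurations do need a root start, a comment saying so above `command_args` would help the next maintainer.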
246 |
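diff --git a/mail-filter/amavisd-new/files/amavisd.service-r1 b/mail-filter/amavisd-new/files/amavisd.service-r1
new file mode 100644
index 00000000000..03871285355
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.service-r1
@@ -0,0 +1,21 @@
+[Unit]
+Description=Amavisd Daemon
+Before=postfix.service
+After=clamd.service
+After=network.target
+
+[Service]
+User=amavis
+Group=amavis
+ExecStart=/usr/sbin/amavisd -c /etc/amavisd.conf foreground
+ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHome=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target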
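Review bot: `ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload` finds the running daemon through amavisd's own PID file, whereas the OpenRC script in this commit deliberately avoids that file and notes that reload is just a SIGHUP. systemd already tracks the main PID, so `ExecReload=/bin/kill -HUP $MAINPID` would do the same job without depending on a PID file in the amavis home directory. This assumes amavisd's reload does nothing beyond sending the signal, as the initd-r2 comment states, which is worth confirming against the 2.11.1 source.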