| 1 |
commit: c8fe3982751aa4881b42f89ed080b210c4529c81 |
| 2 |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sat Nov 17 15:09:21 2018 +0000 |
| 4 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Nov 18 23:23:57 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8fe3982 |
| 7 |
|
| 8 |
mail-filter/amavisd-new: new version 2.11.1. |
| 9 |
|
| 10 |
A mostly standard version bump (bug 668494) with some improvements and |
| 11 |
bug fixes piled on: |
| 12 |
|
| 13 |
* The sys-apps/file dependency is replaced by dev-perl/File-LibMagic |
| 14 |
to improve performance a bit (bug 592802). |
| 15 |
|
| 16 |
* New user creation has been moved to pkg_setup(). This allows us to |
| 17 |
set permissions and ownership properly in src_install(), so that |
| 18 |
we don't have to "fix" them later and cause big ol' security |
| 19 |
problems (bug 630836). |
| 20 |
|
| 21 |
* The OpenRC service script has been rewritten to use start-stop-daemon. |
| 22 |
This fixes outstanding bugs 507352, 634860, and 646336. |
| 23 |
|
| 24 |
* The systemd service dependencies have been updated (bug 581452). We |
| 25 |
never really needed spamassassin (spamd) at all, and we shouldn't fail |
| 26 |
to start if postfix/clamav are absent entirely. |
| 27 |
|
| 28 |
* As part of the previous item, removed two failing "sed" calls |
| 29 |
(that were missing die() statements!) intended to modify a service |
| 30 |
file that no longer lives where it used to. |
| 31 |
|
| 32 |
Thanks are due to, |
| 33 |
|
| 34 |
* Marcin Mirosław who reported an OpenRC issue, |
| 35 |
* Nick Wiltshire for reporting and testing the OpenRC fixes, |
| 36 |
* Robin Lutz for reporting the OpenRC restart issue, |
| 37 |
* Timo Rothenpieler for reporting the systemd dependency issue. |
| 38 |
|
| 39 |
Bug: https://bugs.gentoo.org/630836 |
| 40 |
Closes: https://bugs.gentoo.org/507352 |
| 41 |
Closes: https://bugs.gentoo.org/581452 |
| 42 |
Closes: https://bugs.gentoo.org/592802 |
| 43 |
Closes: https://bugs.gentoo.org/634860 |
| 44 |
Closes: https://bugs.gentoo.org/646336 |
| 45 |
Closes: https://bugs.gentoo.org/668494 |
| 46 |
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org> |
| 47 |
Package-Manager: Portage-2.3.51, Repoman-2.3.11 |
| 48 |
|
| 49 |
mail-filter/amavisd-new/Manifest | 1 + |
| 50 |
...-2.11.0-r4.ebuild => amavisd-new-2.11.1.ebuild} | 68 ++++++++++++---------- |
| 51 |
mail-filter/amavisd-new/files/amavisd.initd-r2 | 42 +++++++++++++ |
| 52 |
mail-filter/amavisd-new/files/amavisd.service-r1 | 21 +++++++ |
| 53 |
4 files changed, 101 insertions(+), 31 deletions(-) |
| 54 |
|
| 55 |
diff --git a/mail-filter/amavisd-new/Manifest b/mail-filter/amavisd-new/Manifest |
| 56 |
index 44fb609486f..7b3a4228338 100644 |
| 57 |
--- a/mail-filter/amavisd-new/Manifest |
| 58 |
+++ b/mail-filter/amavisd-new/Manifest |
| 59 |
@@ -1 +1,2 @@ |
| 60 |
+DIST amavis-amavisd-new-2.11.1.tar.gz 1093467 BLAKE2B 1e43ddea86ff269b02cbbcd125d913c51b66728b1063cde6ca3f3f24f1bd36f9f3c7f51a8baf509d2aca0d41a07a00bb9abe08dd70724391c552634715d01a75 SHA512 6ef291868908bd13d6ce913f5c8c3898b35eba490877e8eded3951a32be7549145df5db1409f124a3631ec88dd7eeb9457ce2b063ae3e3bccd76cc2a9b8741ae |
| 61 |
DIST amavisd-new-2.11.0.tar.xz 780548 BLAKE2B 59cea5219a737275411c08c7d137ff2109ebbfee8f5f567d80e0cd73cfbb22887dd186383bfd02ad9880e099e0c06b829de43b9e12dbc3151813533166e51654 SHA512 a33292c976abf54db9475392069658c926e7a6f11a4970bbe353b34b3343388bc83b40eda4729f8efa735a3a6e23fd1ed83487f6f7ccf1e9f0903220e6d26957 |
| 62 |
|
| 63 |
diff --git a/mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild b/mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild |
| 64 |
similarity index 79% |
| 65 |
rename from mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild |
| 66 |
rename to mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild |
| 67 |
index 0efc27e6454..3b4205bb331 100644 |
| 68 |
--- a/mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild |
| 69 |
+++ b/mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild |
| 70 |
@@ -1,13 +1,12 @@ |
| 71 |
-# Copyright 1999-2018 Gentoo Foundation |
| 72 |
+# Copyright 1999-2018 Gentoo Authors |
| 73 |
# Distributed under the terms of the GNU General Public License v2 |
| 74 |
|
| 75 |
EAPI=6 |
| 76 |
inherit systemd user |
| 77 |
|
| 78 |
-MY_P="${P/_/-}" |
| 79 |
DESCRIPTION="High-performance interface between the MTA and content checkers" |
| 80 |
-HOMEPAGE="https://www.ijs.si/software/amavisd/" |
| 81 |
-SRC_URI="https://www.ijs.si/software/amavisd/${MY_P}.tar.xz" |
| 82 |
+HOMEPAGE="https://gitlab.com/amavis/amavis" |
| 83 |
+SRC_URI="${HOMEPAGE}/-/archive/${P}/amavis-${P}.tar.gz" |
| 84 |
PORTAGE_DOHTML_WARN_ON_SKIPPED_FILES=yes |
| 85 |
|
| 86 |
LICENSE="GPL-2 BSD-2" |
| 87 |
@@ -51,7 +50,7 @@ RDEPEND="${DEPEND} |
| 88 |
>=virtual/perl-Time-HiRes-1.49 |
| 89 |
dev-perl/Unix-Syslog |
| 90 |
dev-perl/Net-LibIDN |
| 91 |
- sys-apps/file |
| 92 |
+ dev-perl/File-LibMagic |
| 93 |
>=sys-libs/db-4.4.20 |
| 94 |
dev-perl/BerkeleyDB |
| 95 |
dev-perl/Convert-BinHex |
| 96 |
@@ -70,7 +69,14 @@ RDEPEND="${DEPEND} |
| 97 |
zmq? ( dev-perl/ZMQ-LibZMQ3 )" |
| 98 |
|
| 99 |
AMAVIS_ROOT="/var/amavis" |
| 100 |
-S="${WORKDIR}/${MY_P}" |
| 101 |
+S="${WORKDIR}/amavis-${P}" |
| 102 |
+ |
| 103 |
+pkg_setup() { |
| 104 |
+ # Create the user beforehand so that we can install the config file |
| 105 |
+ # (and some directories) with group "amavis" in src_install(). |
| 106 |
+ enewgroup amavis |
| 107 |
+ enewuser amavis -1 -1 "${AMAVIS_ROOT}" amavis |
| 108 |
+} |
| 109 |
|
| 110 |
src_prepare() { |
| 111 |
# amavisd-new version 2.11.0 breaks DKIM signing of outbound mail, |
| 112 |
@@ -103,8 +109,9 @@ src_prepare() { |
| 113 |
if ! use spamassassin ; then |
| 114 |
sed -i -e \ |
| 115 |
"/^#[[:space:]]*@bypass_spam_checks_maps[[:space:]]*=[[:space:]]*(1)/s/^#//" \ |
| 116 |
- "${S}/amavisd.conf" || die "missing conf file - sa" |
| 117 |
+ "${S}/amavisd.conf" || die "missing conf file - sa" |
| 118 |
fi |
| 119 |
+ |
| 120 |
eapply_user |
| 121 |
} |
| 122 |
|
| 123 |
@@ -125,21 +132,32 @@ src_install() { |
| 124 |
newinitd "${FILESDIR}"/amavis-mc.initd amavis-mc |
| 125 |
fi |
| 126 |
|
| 127 |
+ if use ldap ; then |
| 128 |
+ dodir /etc/openldap/schema |
| 129 |
+ insinto /etc/openldap/schema |
| 130 |
+ newins LDAP.schema ${PN}.schema || die |
| 131 |
+ fi |
| 132 |
+ |
| 133 |
+ # The config file should be root:amavis so that the amavis user can |
| 134 |
+ # read (only) it after dropping privileges. And of course he should |
| 135 |
+ # own everything in his home directory. |
| 136 |
insinto /etc |
| 137 |
- insopts -m0640 |
| 138 |
+ insopts -m0640 -g amavis |
| 139 |
doins amavisd.conf |
| 140 |
|
| 141 |
- newinitd "${FILESDIR}/amavisd.initd-r1" amavisd |
| 142 |
+ # Implementation detail? Keepdir calls dodir under the hood. |
| 143 |
+ diropts -o amavis -g amavis |
| 144 |
+ keepdir "${AMAVIS_ROOT}"/{,db,quarantine,tmp,var} |
| 145 |
|
| 146 |
- systemd_dounit "${FILESDIR}/amavisd.service" |
| 147 |
- use clamav || sed -i -e '/Wants=clamd/d' "${ED}"/usr/lib/systemd/system/amavisd.service |
| 148 |
- use spamassassin || sed -i -e '/Wants=spamassassin/d' "${ED}"/usr/lib/systemd/system/amavisd.service |
| 149 |
+ # BEWARE: |
| 150 |
+ # |
| 151 |
+ # Anything below this line is using the mangled insopts/diropts from |
| 152 |
+ # above! |
| 153 |
+ # |
| 154 |
|
| 155 |
- keepdir "${AMAVIS_ROOT}" |
| 156 |
- keepdir "${AMAVIS_ROOT}/db" |
| 157 |
- keepdir "${AMAVIS_ROOT}/quarantine" |
| 158 |
- keepdir "${AMAVIS_ROOT}/tmp" |
| 159 |
- keepdir "${AMAVIS_ROOT}/var" |
| 160 |
+ newinitd "${FILESDIR}/amavisd.initd-r2" amavisd |
| 161 |
+ |
| 162 |
+ systemd_dounit "${FILESDIR}/amavisd.service-r1" |
| 163 |
|
| 164 |
dodoc AAAREADME.first INSTALL MANIFEST RELEASE_NOTES TODO \ |
| 165 |
amavisd.conf-default amavisd-custom.conf |
| 166 |
@@ -155,18 +173,11 @@ src_install() { |
| 167 |
docinto test-messages |
| 168 |
dodoc test-messages/README |
| 169 |
dodoc test-messages/sample.tar.gz.compl |
| 170 |
- |
| 171 |
- if use ldap ; then |
| 172 |
- dodir /etc/openldap/schema |
| 173 |
- insinto /etc/openldap/schema |
| 174 |
- insopts -o root -g root -m 644 |
| 175 |
- newins LDAP.schema ${PN}.schema || die |
| 176 |
- fi |
| 177 |
} |
| 178 |
|
| 179 |
pkg_preinst() { |
| 180 |
- enewgroup amavis |
| 181 |
- enewuser amavis -1 -1 "${AMAVIS_ROOT}" amavis |
| 182 |
+ # TODO: the following is done as root, but should probably be done |
| 183 |
+ # as the amavis user. |
| 184 |
if use razor ; then |
| 185 |
if [ ! -d "${ROOT}${AMAVIS_ROOT}/.razor" ] ; then |
| 186 |
elog "Setting up initial razor config files..." |
| 187 |
@@ -177,8 +188,3 @@ pkg_preinst() { |
| 188 |
fi |
| 189 |
fi |
| 190 |
} |
| 191 |
- |
| 192 |
-pkg_postinst() { |
| 193 |
- chown root:amavis "${ROOT}/etc/amavisd.conf" |
| 194 |
- chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}" |
| 195 |
-} |
| 196 |
|
| 197 |
diff --git a/mail-filter/amavisd-new/files/amavisd.initd-r2 b/mail-filter/amavisd-new/files/amavisd.initd-r2 |
| 198 |
new file mode 100644 |
| 199 |
index 00000000000..2e58bf9b7a9 |
| 200 |
--- /dev/null |
| 201 |
+++ b/mail-filter/amavisd-new/files/amavisd.initd-r2 |
| 202 |
@@ -0,0 +1,42 @@ |
| 203 |
+#!/sbin/openrc-run |
| 204 |
+# Copyright 1999-2018 Gentoo Authors |
| 205 |
+# Distributed under the terms of the GNU General Public License v2 |
| 206 |
+ |
| 207 |
+extra_started_commands="reload" |
| 208 |
+command="/usr/sbin/${RC_SVCNAME}" |
| 209 |
+pidfile="/run/${RC_SVCNAME}.pid" |
| 210 |
+ |
| 211 |
+# Why run in the foreground? Typically amavisd will drop privileges |
| 212 |
+# and then write its own PID file in its home directory. This is fine |
| 213 |
+# so long as you use e.g. "amavisd stop" to stop the daemon. But, we |
| 214 |
+# want to use start-stop-daemon to do it. And start-stop-daemon will |
| 215 |
+# send a signal *as root* to the PID contained in the PID file. So, we |
| 216 |
+# don't want to rely on a PID file that's controlled by a non-root |
| 217 |
+# user. |
| 218 |
+# |
| 219 |
+# As a workaround, we run amavisd in the foreground, and let |
| 220 |
+# start-stop-daemon push it into the background with its own PID |
| 221 |
+# file. We don't pass "-P" via command_args below because we don't |
| 222 |
+# want amavisd to try (and fail) to create that PID file. This does |
| 223 |
+# mean that you can't run "amavisd stop" or "amavisd reload" directly; |
| 224 |
+# sorry! |
| 225 |
+command_args="foreground" |
| 226 |
+command_background="true" |
| 227 |
+ |
| 228 |
+# The amavisd daemon provides its own "stop" and "reload" functions, |
| 229 |
+# but if you read into the source, they just do what start-stop-daemon |
| 230 |
+# is going to do anyway. The "stop" command for amavisd will send a |
| 231 |
+# SIGTERM immediately, and then a SIGKILL after 60 seconds. So, we do |
| 232 |
+# that too. The "reload" command sends a SIGHUP; see reload() below. |
| 233 |
+retry="SIGTERM/15 SIGKILL/60" |
| 234 |
+ |
| 235 |
+depend() { |
| 236 |
+ use net logger antivirus snmpd |
| 237 |
+ before mta |
| 238 |
+} |
| 239 |
+ |
| 240 |
+reload() { |
| 241 |
+ ebegin "Reloading ${RC_SVCNAME}" |
| 242 |
+ start-stop-daemon --signal HUP --pidfile "${pidfile}" |
| 243 |
+ eend $? |
| 244 |
+} |
| 245 |
|
| 246 |
diff --git a/mail-filter/amavisd-new/files/amavisd.service-r1 b/mail-filter/amavisd-new/files/amavisd.service-r1 |
| 247 |
new file mode 100644 |
| 248 |
index 00000000000..03871285355 |
| 249 |
--- /dev/null |
| 250 |
+++ b/mail-filter/amavisd-new/files/amavisd.service-r1 |
| 251 |
@@ -0,0 +1,21 @@ |
| 252 |
+[Unit] |
| 253 |
+Description=Amavisd Daemon |
| 254 |
+Before=postfix.service |
| 255 |
+After=clamd.service |
| 256 |
+After=network.target |
| 257 |
+ |
| 258 |
+[Service] |
| 259 |
+User=amavis |
| 260 |
+Group=amavis |
| 261 |
+ExecStart=/usr/sbin/amavisd -c /etc/amavisd.conf foreground |
| 262 |
+ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload |
| 263 |
+PrivateTmp=true |
| 264 |
+CapabilityBoundingSet= |
| 265 |
+ProtectSystem=full |
| 266 |
+NoNewPrivileges=true |
| 267 |
+PrivateDevices=true |
| 268 |
+ProtectHome=true |
| 269 |
+MemoryDenyWriteExecute=true |
| 270 |
+ |
| 271 |
+[Install] |
| 272 |
+WantedBy=multi-user.target |
Archives