| 1 |
* Michael Orlitzky: |
| 2 |
|
| 3 |
> (a) we still have a dumb security vulnerability, in that these daemons |
| 4 |
> can modify each others' files |
| 5 |
|
| 6 |
That vulnerability has existed as long as the second package came around |
| 7 |
and re-used the "milter" user, and to my knowledge nothing bad has come |
| 8 |
of it so far. |
| 9 |
|
| 10 |
I have an open PR[1] that the QA checks on GitHub will not allow to pass |
| 11 |
unless I migrate milter-regex to using acct-* instead of user.eclass, so |
| 12 |
that is what I did. |
| 13 |
|
| 14 |
[1] https://github.com/gentoo/gentoo/pull/13964 |
| 15 |
|
| 16 |
> (b) you have to be careful not to do anything in acct-user/milter that |
| 17 |
> could break someone's opendmarc setup |
| 18 |
|
| 19 |
Milter-regex only needs a user to isolate the process and it's single |
| 20 |
configuration file (/etc/milter-regex.conf). My PR adds acct-user/milter |
| 21 |
without a home directory, because milter-regex does not need one, nor |
| 22 |
does it write anything to disk. It is designed to hold everything in |
| 23 |
memory only. |
| 24 |
|
| 25 |
Could that lack of a home directory hurt OpenDMARC? I use OpenDMARC and |
| 26 |
milter-regex on the same servers and did not run into problems. |
| 27 |
|
| 28 |
-Ralph |
Archives