* Michael Orlitzky:

> (a) we still have a dumb security vulnerability, in that these daemons
> can modify each other's files

That vulnerability has existed ever since the second package came around
and re-used the "milter" user, and to my knowledge nothing bad has come
of it so far.

I have an open PR[1] that the QA checks on GitHub will not allow to pass
unless I migrate milter-regex to using acct-* instead of user.eclass, so
that is what I did.

[1] https://github.com/gentoo/gentoo/pull/13964

> (b) you have to be careful not to do anything in acct-user/milter that
> could break someone's opendmarc setup

Milter-regex only needs a user to isolate the process and its single
configuration file (/etc/milter-regex.conf). My PR adds acct-user/milter
without a home directory, because milter-regex does not need one, nor
does it write anything to disk. It is designed to hold everything in
memory only.

Could that lack of a home directory hurt OpenDMARC? I use OpenDMARC and
milter-regex on the same servers and did not run into problems.

-Ralph