On Wednesday 20 July 2005 02:43, Robin H. Johnson wrote:
> This problem IS fixed in ~arch:
>
> line 190 of both vpopmail-5.4.10.ebuild and
> vpopmail-5.4.9-r2.ebuild: chmod 4711 ${D}${VPOP_HOME}/bin/vchkpw

Ahh okay, that explains things a bit. I'm using x86, which means
5.4.6.

> So if this is still a problem in arch, but works in ~arch, you
> SHOULD file a bug report.

Why not just wait for the newer releases to make it to arch?

> However the original reasoning for vchkpw NOT being setuid was
> that setuid is NOT always needed depending on which backend you
> are using.

I can confirm that - bincimap and qmail-pop3d run as root, so the
setuid bit is not necessary. I believe this is also the case for
dovecot 1.0 beta releases, though there are no ebuilds for them so
I haven't yet tested (<1.0 releases use libvpopmail directly
instead of the checkpassword interface). However it is necessary
for any server running as a non-root user, i.e. qmail-smtpd.

Thus I believe this should have the same treatment as binaries like
chsh - they won't work for non-root users without the setuid bit,
but running as a non-root user is generally accepted. If I want to
be paranoid (which I am), I can use suidctl (which I do), and only
uncomment the binary when I discover the need to. There's not
really any reverse of suidctl to my awareness.

Nor is there a use flag for qmail or similar on vpopmail, but the
vpopmail ebuild requires qmail regardless of USE settings (postfix
support is not present), so at least in the current state, since
the package is built for qmail, it should assume qmail's non-root
qmail-smtpd will need to access vchkpw.

I would encourage making vchkpw suid even if postfix is supported
and used instead of qmail, because there is other software (i.e.
IMAP & POP servers) which has a checkpassword interface and
may not run as the root user.

> And as I've mentioned before I'd like MORE reports of packages
> working well before they are moved to stable arch. Without those
> stable working reports I don't have any means to judge just how
> much testing has been done on a package, other than my own use of
> a package (and as such I do leave things longer than the 30 days,
> because I don't entirely trust them).

This sounds like a request for the QA team. I tend to stay away
from most ~arch packages simply because most of our systems are
live production servers, but I'd be happy to test-drive new ebuilds
of vpopmail if it would help get new versions into the stable tree
faster.

Cheers,
--
Casey Allen Shobe | http://casey.shobe.info
cshobe@×××××××××××××.com | cell 425-443-4653
AIM & Yahoo: SomeLinuxGuy | ICQ: 1494523
SeattleServer.com, Inc. | http://www.seattleserver.com
--
gentoo-dev@g.o mailing list