| 1 |
On Wednesday 20 July 2005 02:43, Robin H. Johnson wrote: |
| 2 |
> This problem IS fixed in ~arch: |
| 3 |
> |
| 4 |
> line 190 of both vpopmail-5.4.10.ebuild and |
| 5 |
> vpopmail-5.4.9-r2.ebuild: chmod 4711 ${D}${VPOP_HOME}/bin/vchkpw |
| 6 |
|
| 7 |
Ahh okay, that explains things a bit. I'm using x86, which means |
| 8 |
5.4.6. |
| 9 |
|
| 10 |
> So if this is still a problem in arch, but works in ~arch, you |
| 11 |
> SHOULD file a bug report. |
| 12 |
|
| 13 |
Why not just wait for the newer releases to make it to arch? |
| 14 |
|
| 15 |
> However the original reasoning for vchkpw NOT being setuid was |
| 16 |
> that setuid is NOT always needed depending on which backend you |
| 17 |
> are using. |
| 18 |
|
| 19 |
I can confirm that - bincimap and qmail-pop3d run as root, so the |
| 20 |
setuid bit is not necessary. I believe this is also the case for |
| 21 |
dovecot 1.0 beta releases, though there are no ebuilds for them so |
| 22 |
I haven't yet tested (<1.0 releases use libvpopmail directly |
| 23 |
instead of the checkpassword interface). However it is necessary |
| 24 |
for any server running as a non-root user, i.e. qmail-smtpd. |
| 25 |
|
| 26 |
Thus I believe this should have the same treatment as binaries like |
| 27 |
chsh - they won't work for non-root users without the setuid bit, |
| 28 |
but running as a non-root user is generally accepted. If I want to |
| 29 |
be paranoid (which I am), I can use suidctl (which I do), and only |
| 30 |
uncomment the binary when I discover the need to. There's not |
| 31 |
really any reverse of suidctl to my awareness. |
| 32 |
|
| 33 |
Nor is there a use flag for qmail or similar on vpopmail, but the |
| 34 |
vpopmail ebuild requires qmail regardless of USE settings (postfix |
| 35 |
support is not present), so at least in the current state, since |
| 36 |
the package is built for qmail, it should assume qmail's non-root |
| 37 |
qmail-smtpd will need to access vchkpw. |
| 38 |
|
| 39 |
I would encourage making vchkpw suid even if postfix is supported |
| 40 |
and used instead of qmail, because there are other softwares (i.e. |
| 41 |
IMAP & POP servers) which have a checkpassword interface which do |
| 42 |
may not run as the root user. |
| 43 |
|
| 44 |
> And as I've mentioned before I'd like MORE reports of packages |
| 45 |
> working well before they are moved to stable arch. Without those |
| 46 |
> stable working reports I don't have any means to judge just how |
| 47 |
> much testing has been done on a package, other than my own use of |
| 48 |
> a package (and as such I do leave things longer than the 30 days, |
| 49 |
> because I don't entirely trust them). |
| 50 |
|
| 51 |
This sounds like a request for the QA team. I tend to stay away |
| 52 |
from most ~arch packages simply because most of our systems are |
| 53 |
live production servers, but I'd be happy to test-drive new ebuilds |
| 54 |
of vpopmail if it would help get new versions into the stable tree |
| 55 |
faster. |
| 56 |
|
| 57 |
Cheers, |
| 58 |
-- |
| 59 |
Casey Allen Shobe | http://casey.shobe.info |
| 60 |
cshobe@×××××××××××××.com | cell 425-443-4653 |
| 61 |
AIM & Yahoo: SomeLinuxGuy | ICQ: 1494523 |
| 62 |
SeattleServer.com, Inc. | http://www.seattleserver.com |
| 63 |
-- |
| 64 |
gentoo-dev@g.o mailing list |
Archives