Message ID | 20200513045741.21469-1-alexander.marx@ipfire.org |
---|---|
State | Dropped |
Headers | From: Alexander Marx <alexander.marx@ipfire.org>; To: development@lists.ipfire.org; Subject: [PATCH] BUG12403: Change group permission of dma.conf; Date: Wed, 13 May 2020 06:57:41 +0200; List-Id: IPFire development talk <development.lists.ipfire.org> |
Series | BUG12403: Change group permission of dma.conf |
Commit Message
Alexander Marx
May 13, 2020, 4:57 a.m. UTC
Because other services that run as other users than nobody should be
able to send mails, this patch changes the permissions

from
nobody.root

to
nobody.mail

When another user wants to send mails via DMA, the user has to be put into the group "mail".

FIXES: #12403

Arne: Please take care of update script, so these changes affect normal update procedure.
---
lfs/dma | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Comments
Hi,

This solution looks a lot better to me.

Do we have to restore permissions when a backup is restored, too?

-Michael

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Very good point. This should be checked.

On 13.05.20 at 10:29, Michael Tremer wrote:
> Hi,
>
> This solution looks a lot better to me.
>
> Do we have to restore permissions when a backup is restored, too?
>
> -Michael
>
> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
By whom?

> On 13 May 2020, at 10:54, Alexander Marx <alexander.marx@ipfire.org> wrote:
>
> Very good point. This should be checked.
LOL. Well, I think if Arne implements this in the next update-script, the backup would run automatically and then with the right permissions.

The question is if we should implement an extra check for people who don't upgrade their IPFire.
For this case it's nearly obsolete because if they don't update, they will never get an addon which needs that feature ;-)

On 13.05.20 at 11:59, Michael Tremer wrote:
> By whom?
git cannot apply this patch to the next tree.

Arne
diff --git a/lfs/dma b/lfs/dma index 6b5d9bfbf..7f0c2cc0e 100644 --- a/lfs/dma +++ b/lfs/dma @@ -79,8 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make install mailq-link install-spool-dirs install-etc install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin chown -R nobody.nobody /var/ipfire/dma - chown nobody.root /var/ipfire/dma/auth.conf - chmod 644 /var/ipfire/dma/auth.conf + chown nobody.mail /var/ipfire/dma/auth.conf ln -svf dma /usr/sbin/sendmail.dma /usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20 @rm -rf $(DIR_APP)
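Review bot: the removed line "chmod 644 /var/ipfire/dma/auth.conf" has no replacement, so after this hunk the mode of auth.conf is whatever "make install mailq-link install-spool-dirs install-etc" leaves behind, and nothing in the visible lines makes the file readable for the group or closed to other users. Since access is now meant to be granted through membership in the group mail, set the mode explicitly right after the new chown, for example "chmod 640 /var/ipfire/dma/auth.conf". The subject also names dma.conf while the only file touched here is auth.conf, so one of the two should be corrected. This hunk changes ownership only at build and install time; the update script and the backup restore raised in the thread are not covered by it.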