BUG12403: Change group permission of dma.conf

Message ID 20200513045741.21469-1-alexander.marx@ipfire.org
State New

Commit Message

Alexander Marx May 13, 2020, 4:57 a.m. UTC
Because other services that run as other users than nobody should be
able to send mails, this patch changes the permissions

from
nobody.root

to
nobody.mail

When another user wants to send mails via DMA, the user has to be put into the group "mail".

FIXES: #12403

Arne: Please take care of update script, so these changes affect normal update procedure.
---
 lfs/dma | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Michael Tremer May 13, 2020, 8:29 a.m. UTC | #1
Hi,

This solution looks a lot better to me.

Do we have to restore permissions when a backup is restored, too?

-Michael

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 13 May 2020, at 05:57, Alexander Marx <alexander.marx@ipfire.org> wrote:
> 
> Because other services that run as other users than nobody should be
> able to send mails, this patch changes the permissions
> 
> from
> nobody.root
> 
> to
> nobody.mail
> 
> When another user wants to send mails via DMA, the user has to be put into the group "mail".
> 
> FIXES: #12403
> 
> Arne: Please take care of update script, so these changes affect normal update procedure.
> ---
> lfs/dma | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/lfs/dma b/lfs/dma
> index 6b5d9bfbf..7f0c2cc0e 100644
> --- a/lfs/dma
> +++ b/lfs/dma
> @@ -79,8 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	cd $(DIR_APP) && make install mailq-link install-spool-dirs install-etc
> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
> 	chown -R nobody.nobody /var/ipfire/dma
> -	chown nobody.root /var/ipfire/dma/auth.conf
> -	chmod 644 /var/ipfire/dma/auth.conf
> +	chown nobody.mail /var/ipfire/dma/auth.conf
> 	ln -svf dma /usr/sbin/sendmail.dma
> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
> 	@rm -rf $(DIR_APP)
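Review bot: the subject and commit message name dma.conf, but the only path this hunk touches is /var/ipfire/dma/auth.conf, on both the removed `chown nobody.root` line and the added `chown nobody.mail` line. Please correct the subject to auth.conf, or add the dma.conf change if that file was also meant to move to group mail, so the log matches what lfs/dma actually does.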
> -- 
> 2.17.1
>
Alexander Marx May 13, 2020, 9:54 a.m. UTC | #2
Very good point. This should be checked.


On 13.05.20 at 10:29, Michael Tremer wrote:
> Hi,
>
> This solution looks a lot better to me.
>
> Do we have to restore permissions when a backup is restored, too?
>
> -Michael
>
> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
>
>> On 13 May 2020, at 05:57, Alexander Marx <alexander.marx@ipfire.org> wrote:
>>
>> Because other services that run as other users than nobody should be
>> able to send mails, this patch changes the permissions
>>
>> from
>> nobody.root
>>
>> to
>> nobody.mail
>>
>> When another user wants to send mails via DMA, the user has to be put into the group "mail".
>>
>> FIXES: #12403
>>
>> Arne: Please take care of update script, so these changes affect normal update procedure.
>> ---
>> lfs/dma | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/lfs/dma b/lfs/dma
>> index 6b5d9bfbf..7f0c2cc0e 100644
>> --- a/lfs/dma
>> +++ b/lfs/dma
>> @@ -79,8 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> 	cd $(DIR_APP) && make install mailq-link install-spool-dirs install-etc
>> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
>> 	chown -R nobody.nobody /var/ipfire/dma
>> -	chown nobody.root /var/ipfire/dma/auth.conf
>> -	chmod 644 /var/ipfire/dma/auth.conf
>> +	chown nobody.mail /var/ipfire/dma/auth.conf
>> 	ln -svf dma /usr/sbin/sendmail.dma
>> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
>> 	@rm -rf $(DIR_APP)
>> -- 
>> 2.17.1
>>
Michael Tremer May 13, 2020, 9:59 a.m. UTC | #3
By whom?

> On 13 May 2020, at 10:54, Alexander Marx <alexander.marx@ipfire.org> wrote:
> 
> Very good point. This should be checked.
> 
> 
> On 13.05.20 at 10:29, Michael Tremer wrote:
>> Hi,
>> 
>> This solution looks a lot better to me.
>> 
>> Do we have to restore permissions when a backup is restored, too?
>> 
>> -Michael
>> 
>> Reviewed-by: Michael Tremer 
>> <michael.tremer@ipfire.org>
>> 
>> 
>> 
>>> On 13 May 2020, at 05:57, Alexander Marx <alexander.marx@ipfire.org>
>>>  wrote:
>>> 
>>> Because other services that run as other users than nobody should be
>>> able to send mails, this patch changes the permissions
>>> 
>>> from
>>> nobody.root
>>> 
>>> to
>>> nobody.mail
>>> 
>>> When another user wants to send mails via DMA, the user has to be put into the group "mail".
>>> 
>>> FIXES: #12403
>>> 
>>> Arne: Please take care of update script, so these changes affect normal update procedure.
>>> ---
>>> lfs/dma | 3 +--
>>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>> 
>>> diff --git a/lfs/dma b/lfs/dma
>>> index 6b5d9bfbf..7f0c2cc0e 100644
>>> --- a/lfs/dma
>>> +++ b/lfs/dma
>>> @@ -79,8 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> 	cd $(DIR_APP) && make install mailq-link install-spool-dirs install-etc
>>> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
>>> 	chown -R nobody.nobody /var/ipfire/dma
>>> -	chown nobody.root /var/ipfire/dma/auth.conf
>>> -	chmod 644 /var/ipfire/dma/auth.conf
>>> +	chown nobody.mail /var/ipfire/dma/auth.conf
>>> 	ln -svf dma /usr/sbin/sendmail.dma
>>> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
>>> 	@rm -rf $(DIR_APP)
>>> -- 
>>> 2.17.1
>>> 
>>> 
>
Alexander Marx May 13, 2020, 10:03 a.m. UTC | #4
LOL. Well, I think if Arne implements this in the next update-script,
the backup would run automatically and then with the right permissions.

The question is if we should implement an extra check for people who
don't upgrade their IPFire.
For this case it's nearly obsolete because if they don't update, they will
never get an addon which needs that feature ;-)


On 13.05.20 at 11:59, Michael Tremer wrote:
> By whom?
>
>> On 13 May 2020, at 10:54, Alexander Marx <alexander.marx@ipfire.org> wrote:
>>
>> Very good point. This should be checked.
>>
>>
>> On 13.05.20 at 10:29, Michael Tremer wrote:
>>> Hi,
>>>
>>> This solution looks a lot better to me.
>>>
>>> Do we have to restore permissions when a backup is restored, too?
>>>
>>> -Michael
>>>
>>> Reviewed-by: Michael Tremer
>>> <michael.tremer@ipfire.org>
>>>
>>>
>>>
>>>> On 13 May 2020, at 05:57, Alexander Marx <alexander.marx@ipfire.org>
>>>>   wrote:
>>>>
>>>> Because other services that run as other users than nobody should be
>>>> able to send mails, this patch changes the permissions
>>>>
>>>> from
>>>> nobody.root
>>>>
>>>> to
>>>> nobody.mail
>>>>
>>>> When another user wants to send mails via DMA, the user has to be put into the group "mail".
>>>>
>>>> FIXES: #12403
>>>>
>>>> Arne: Please take care of update script, so these changes affect normal update procedure.
>>>> ---
>>>> lfs/dma | 3 +--
>>>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>>>
>>>> diff --git a/lfs/dma b/lfs/dma
>>>> index 6b5d9bfbf..7f0c2cc0e 100644
>>>> --- a/lfs/dma
>>>> +++ b/lfs/dma
>>>> @@ -79,8 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>> 	cd $(DIR_APP) && make install mailq-link install-spool-dirs install-etc
>>>> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
>>>> 	chown -R nobody.nobody /var/ipfire/dma
>>>> -	chown nobody.root /var/ipfire/dma/auth.conf
>>>> -	chmod 644 /var/ipfire/dma/auth.conf
>>>> +	chown nobody.mail /var/ipfire/dma/auth.conf
>>>> 	ln -svf dma /usr/sbin/sendmail.dma
>>>> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
>>>> 	@rm -rf $(DIR_APP)
>>>> -- 
>>>> 2.17.1
>>>>
>>>>
Arne Fitzenreiter May 18, 2020, 8:25 p.m. UTC | #5
git cannot apply this patch to the next tree.

Arne


On 2020-05-13 06:57, Alexander Marx wrote:
> Because other services that run as other users than nobody should be
> able to send mails, this patch changes the permissions
> 
> from
> nobody.root
> 
> to
> nobody.mail
> 
> When another user wants to send mails via DMA, the user has to be put
> into the group "mail".
> 
> FIXES: #12403
> 
> Arne: Please take care of update script, so these changes affect
> normal update procedure.
> ---
>  lfs/dma | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/lfs/dma b/lfs/dma
> index 6b5d9bfbf..7f0c2cc0e 100644
> --- a/lfs/dma
> +++ b/lfs/dma
> @@ -79,8 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	cd $(DIR_APP) && make install mailq-link install-spool-dirs 
> install-etc
>  	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
>  	chown -R nobody.nobody /var/ipfire/dma
> -	chown nobody.root /var/ipfire/dma/auth.conf
> -	chmod 644 /var/ipfire/dma/auth.conf
> +	chown nobody.mail /var/ipfire/dma/auth.conf
>  	ln -svf dma /usr/sbin/sendmail.dma
>  	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail
> /usr/sbin/sendmail.dma 20
>  	@rm -rf $(DIR_APP)

Patch

diff --git a/lfs/dma b/lfs/dma
index 6b5d9bfbf..7f0c2cc0e 100644
--- a/lfs/dma
+++ b/lfs/dma
@@ -79,8 +79,7 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && make install mailq-link install-spool-dirs install-etc
 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
 	chown -R nobody.nobody /var/ipfire/dma
-	chown nobody.root /var/ipfire/dma/auth.conf
-	chmod 644 /var/ipfire/dma/auth.conf
+	chown nobody.mail /var/ipfire/dma/auth.conf
 	ln -svf dma /usr/sbin/sendmail.dma
 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
 	@rm -rf $(DIR_APP)
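Review bot: removing `chmod 644 /var/ipfire/dma/auth.conf` without a replacement leaves the file's mode to whatever `make install ... install-etc` produced, which this hunk does not show. The move to group mail only restricts anything if the mode grants group read and no access to others, so set it explicitly next to the new chown, for example `chmod 640 /var/ipfire/dma/auth.conf`, and say in the commit message which mode is intended. The same mode and group also need to be applied on existing installs, which this build-time rule does not reach.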