Date:      Thu, 26 Jun 2003 22:42:44 +0100 (BST)
From:      Dominic Marks <dominic.marks@btinternet.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/53796: Maintainer Upgade: mail/dovecot
Message-ID:  <200306262142.h5QLgifO060495@cus.org.uk>
Resent-Message-ID: <200306262150.h5QLoGbK056946@freefall.freebsd.org>


>Number:         53796
>Category:       ports
>Synopsis:       Maintainer Upgade: mail/dovecot
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 26 14:50:15 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dominic Marks
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
>Environment:
System: FreeBSD moo.cus.org.uk 4.7-STABLE FreeBSD 4.7-STABLE #4: Wed Apr 16 15:13:46 BST 2003 root@moo.cus.org.uk:/usr/obj/usr/src/sys/BAA i386

	
>Description:
	mail/dovecot 0.99.9.1 -> 0.99.10

	
>How-To-Repeat:
	NA

	
>Fix:
	

diff -ruN --exclude=CVS /home/dom/dovecot/Makefile /usr/ports/mail/dovecot/Makefile
--- /home/dom/dovecot/Makefile	Tue Jun 24 02:06:02 2003
+++ /usr/ports/mail/dovecot/Makefile	Thu Jun 26 20:23:52 2003
@@ -1,12 +1,12 @@
 # New ports collection makefile for:	dovecot
 # Date created:				12/08/2002
-# Whom:			Dominic Marks <d.marks@student.umist.ac.uk>
+# Whom:			Dominic Marks <dominic.marks@btinternet.com>
 #
 # $FreeBSD: ports/mail/dovecot/Makefile,v 1.13 2003/06/24 01:06:02 leeym Exp $
 #
 
 PORTNAME=	dovecot
-PORTVERSION=	0.99.9.1
+PORTVERSION=	0.99.10
 CATEGORIES=	mail ipv6
 MASTER_SITES=	http://dovecot.procontrol.fi/
 
diff -ruN --exclude=CVS /home/dom/dovecot/distinfo /usr/ports/mail/dovecot/distinfo
--- /home/dom/dovecot/distinfo	Sat May  3 22:50:26 2003
+++ /usr/ports/mail/dovecot/distinfo	Thu Jun 26 20:25:00 2003
@@ -1 +1 @@
-MD5 (dovecot-0.99.9.1.tar.gz) = d8d51af34a3467b65b20dc9d09140fbe
+MD5 (dovecot-0.99.10.tar.gz) = 26d8452366a28418cc8a114781a721b6
diff -ruN --exclude=CVS /home/dom/dovecot/files/patch-allow-zero-gid /usr/ports/mail/dovecot/files/patch-allow-zero-gid
--- /home/dom/dovecot/files/patch-allow-zero-gid	Sat May  3 22:50:26 2003
+++ /usr/ports/mail/dovecot/files/patch-allow-zero-gid	Thu Jan  1 01:00:00 1970
@@ -1,172 +0,0 @@
-Index: src/lib/restrict-access.c
-===================================================================
-RCS file: /home/cvs/dovecot/src/lib/restrict-access.c,v
-retrieving revision 1.10
-diff -u -3 -p -r1.10 restrict-access.c
---- src/lib/restrict-access.c	4 Mar 2003 04:00:13 -0000	1.10
-+++ src/lib/restrict-access.c	15 Apr 2003 17:37:26 -0000
-@@ -31,12 +31,14 @@
- #include <grp.h>
- 
- void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
--			     const char *chroot_dir)
-+		 	     const char *chroot_dir, int allow_zg)
- {
- 	if (user != NULL && *user != '\0')
- 		env_put(t_strconcat("RESTRICT_USER=", user, NULL));
- 	if (chroot_dir != NULL && *chroot_dir != '\0')
- 		env_put(t_strconcat("RESTRICT_CHROOT=", chroot_dir, NULL));
-+	if (allow_zg == TRUE)
-+		env_put(t_strdup("ALLOW_ZERO_GID=TRUE"));
- 
- 	env_put(t_strdup_printf("RESTRICT_SETUID=%s", dec2str(uid)));
- 	env_put(t_strdup_printf("RESTRICT_SETGID=%s", dec2str(gid)));
-@@ -45,6 +47,7 @@ void restrict_access_set_env(const char 
- void restrict_access_by_env(int disallow_root)
- {
- 	const char *env;
-+	int allow_zero_gid;
- 	gid_t gid;
- 	uid_t uid;
- 
-@@ -97,8 +100,14 @@ void restrict_access_by_env(int disallow
- 			i_fatal("We couldn't drop root privileges");
- 	}
- 
--	if ((gid != 0 && uid != 0) || disallow_root) {
-+	/* allow users with zero group id permission for BSD */
-+	env = getenv("ALLOW_ZERO_GID");
-+	allow_zero_gid = env == NULL ? FALSE : TRUE;
-+
-+	if (allow_zero_gid == FALSE &&
-+		((gid != 0 && uid != 0) || disallow_root)) {
- 		if (getgid() == 0 || getegid() == 0 || setgid(0) == 0)
- 			i_fatal("We couldn't drop root group privileges");
- 	}
-+
- }
-Index: src/lib/restrict-access.h
-===================================================================
-RCS file: /home/cvs/dovecot/src/lib/restrict-access.h,v
-retrieving revision 1.4
-diff -u -3 -p -r1.4 restrict-access.h
---- src/lib/restrict-access.h	4 Mar 2003 04:00:13 -0000	1.4
-+++ src/lib/restrict-access.h	15 Apr 2003 17:37:26 -0000
-@@ -4,7 +4,7 @@
- /* set environment variables so they can be read with
-    restrict_access_by_env() */
- void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
--			     const char *chroot_dir);
-+			     const char *chroot_dir, int allow_zg);
- 
- /* chroot, setuid() and setgid() based on environment variables.
-    If disallow_roots is TRUE, we'll kill ourself if we didn't have the
-Index: src/master/auth-process.c
-===================================================================
-RCS file: /home/cvs/dovecot/src/master/auth-process.c,v
-retrieving revision 1.41
-diff -u -3 -p -r1.41 auth-process.c
---- src/master/auth-process.c	2 Apr 2003 02:09:41 -0000	1.41
-+++ src/master/auth-process.c	15 Apr 2003 17:37:27 -0000
-@@ -307,7 +307,7 @@ static pid_t create_auth_process(struct 
- 
- 	/* setup access environment */
- 	restrict_access_set_env(group->set->user, pwd->pw_uid, pwd->pw_gid,
--				group->set->chroot);
-+				group->set->chroot, set->allow_zero_gid);
- 
- 	/* set other environment */
- 	env_put(t_strconcat("AUTH_PROCESS=", dec2str(getpid()), NULL));
-Index: src/master/login-process.c
-===================================================================
-RCS file: /home/cvs/dovecot/src/master/login-process.c,v
-retrieving revision 1.40
-diff -u -3 -p -r1.40 login-process.c
---- src/master/login-process.c	15 Apr 2003 16:58:48 -0000	1.40
-+++ src/master/login-process.c	15 Apr 2003 17:37:27 -0000
-@@ -384,7 +384,8 @@ static void login_process_init_env(struc
- 	   clean_child_process() since it clears environment */
- 	restrict_access_set_env(group->set->user,
- 				group->set->uid, set->login_gid,
--				set->login_chroot ? set->login_dir : NULL);
-+				set->login_chroot ? set->login_dir : NULL,
-+				FALSE);
- 
- 	env_put("DOVECOT_MASTER=1");
- 
-Index: src/master/mail-process.c
-===================================================================
-RCS file: /home/cvs/dovecot/src/master/mail-process.c,v
-retrieving revision 1.13
-diff -u -3 -p -r1.13 mail-process.c
---- src/master/mail-process.c	15 Apr 2003 16:58:48 -0000	1.13
-+++ src/master/mail-process.c	15 Apr 2003 17:37:28 -0000
-@@ -25,7 +25,7 @@ static int validate_uid_gid(uid_t uid, g
- 		return FALSE;
- 	}
- 
--	if (uid != 0 && gid == 0) {
-+	if (set->allow_zero_gid == FALSE && uid != 0 && gid == 0) {
- 		i_error("mail process isn't allowed to be in group 0");
- 		return FALSE;
- 	}
-@@ -38,8 +38,9 @@ static int validate_uid_gid(uid_t uid, g
- 		return FALSE;
- 	}
- 
--	if (gid < (gid_t)set->first_valid_gid ||
--	    (set->last_valid_gid != 0 && gid > (gid_t)set->last_valid_gid)) {
-+	if (set->allow_zero_gid == FALSE &&
-+	    (gid < (gid_t)set->first_valid_gid ||
-+	    (set->last_valid_gid != 0 && gid > (gid_t)set->last_valid_gid))) {
- 		i_error("mail process isn't allowed to use "
- 			"GID %s (UID is %s)", dec2str(gid), dec2str(uid));
- 		return FALSE;
-@@ -150,7 +151,8 @@ int create_mail_process(int socket, stru
- 	   (paranoia about filling up environment without noticing) */
- 	restrict_access_set_env(data + reply->system_user_idx,
- 				reply->uid, reply->gid,
--				reply->chroot ? data + reply->home_idx : NULL);
-+				reply->chroot ? data + reply->home_idx : NULL,
-+				set->allow_zero_gid);
- 
- 	restrict_process_size(process_size, (unsigned int)-1);
- 
-Index: src/master/master-settings.c
-===================================================================
-RCS file: /home/cvs/dovecot/src/master/master-settings.c,v
-retrieving revision 1.16
-diff -u -3 -p -r1.16 master-settings.c
---- src/master/master-settings.c	2 Apr 2003 02:09:41 -0000	1.16
-+++ src/master/master-settings.c	15 Apr 2003 17:37:28 -0000
-@@ -46,6 +46,7 @@ static struct setting_def setting_defs[]
- 	DEF(SET_INT, max_mail_processes),
- 	DEF(SET_BOOL, verbose_proctitle),
- 
-+	DEF(SET_BOOL, allow_zero_gid),
- 	DEF(SET_INT, first_valid_uid),
- 	DEF(SET_INT, last_valid_uid),
- 	DEF(SET_INT, first_valid_gid),
-@@ -153,6 +154,7 @@ struct settings default_settings = {
- 	MEMBER(max_mail_processes) 1024,
- 	MEMBER(verbose_proctitle) FALSE,
- 
-+	MEMBER(allow_zero_gid) FALSE,
- 	MEMBER(first_valid_uid) 500,
- 	MEMBER(last_valid_uid) 0,
- 	MEMBER(first_valid_gid) 1,
-Index: src/master/master-settings.h
-===================================================================
-RCS file: /home/cvs/dovecot/src/master/master-settings.h,v
-retrieving revision 1.10
-diff -u -3 -p -r1.10 master-settings.h
---- src/master/master-settings.h	2 Apr 2003 02:09:41 -0000	1.10
-+++ src/master/master-settings.h	15 Apr 2003 17:37:29 -0000
-@@ -32,6 +32,7 @@ struct settings {
- 	unsigned int max_mail_processes;
- 	int verbose_proctitle;
- 
-+	int allow_zero_gid;
- 	unsigned int first_valid_uid, last_valid_uid;
- 	unsigned int first_valid_gid, last_valid_gid;
- 
diff -ruN --exclude=CVS /home/dom/dovecot/files/patch-dovecot-example.conf /usr/ports/mail/dovecot/files/patch-dovecot-example.conf
--- /home/dom/dovecot/files/patch-dovecot-example.conf	Sat May  3 22:50:26 2003
+++ /usr/ports/mail/dovecot/files/patch-dovecot-example.conf	Thu Jun 26 22:37:52 2003
@@ -1,5 +1,5 @@
---- dovecot-example.conf.orig	Fri Apr  4 13:17:25 2003
-+++ dovecot-example.conf	Sat Apr 19 14:11:40 2003
+--- dovecot-example.conf.orig	Thu Jun 26 17:11:06 2003
++++ dovecot-example.conf	Thu Jun 26 22:36:08 2003
 @@ -7,11 +7,11 @@
  # --with-ssldir=/etc/ssl
  
@@ -58,9 +58,9 @@
 -#login_executable = /usr/libexec/dovecot/imap-login
 +login_executable = %%PREFIX%%/libexec/dovecot/imap-login
  
- # User to use for the login process. The user must belong to a group where
- # only it has access, it's used to control access for authentication process
- # named sockets.
+ # User to use for the login process. Create a completely new user for this,
+ # and don't use it anywhere else. The user must also belong to a group where
+ # only it has access, it's used to control access for authentication process.
 -#login_user = dovecot
 +login_user = dovecot
  
@@ -95,9 +95,18 @@
 -#verbose_ssl = no
 +verbose_ssl = yes
  
- # Valid UID/GID ranges for users, defaults to 500 and above. This is mostly
+ # Valid UID range for users, defaults to 500 and above. This is mostly
  # to make sure that users can't log in as daemons or other system users.
-@@ -160,7 +160,7 @@
+@@ -155,7 +155,7 @@
+ # non-valid GID as primary group ID aren't allowed to log in. If user
+ # belongs to supplementary groups with non-valid GIDs, those groups are
+ # not set.
+-#first_valid_gid = 1
++first_valid_gid = 0
+ #last_valid_gid = 0
+ 
+ # ':' separated list of directories under which chrooting is allowed for mail
+@@ -164,7 +164,7 @@
  # WARNING: Never add directories here which local users can modify, that
  # may lead to root exploit. Usually this should be done only if you don't
  # allow shell access for users. See doc/configuration.txt for more information.
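Review bot: The added `first_valid_gid = 0` line ships GID 0 as an accepted primary group for every install of the port, where the deleted files/patch-allow-zero-gid kept the equivalent `allow_zero_gid` switch at FALSE unless an administrator turned it on. A mail process that keeps group 0 can reach anything that is group-readable or group-writable by that group, so this is better left as an opt-in. I would keep the upstream default commented, `#first_valid_gid = 1`, and add a comment above it such as `# FreeBSD: lower to 0 only if mail users really have GID 0 as their primary group`. Whether 0.99.10 still refuses group 0 elsewhere in validate_uid_gid is not visible in this patch, so that is worth checking before relying on the setting.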
@@ -106,7 +115,7 @@
  
  # Default MAIL environment to use when it's not set. By leaving this empty
  # dovecot tries to do some automatic detection as described in
-@@ -179,7 +179,7 @@
+@@ -183,7 +183,7 @@
  #   mbox:~/mail/:INBOX=/var/mail/%u
  #   mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
  #
@@ -115,7 +124,7 @@
  
  # Space-separated list of fields to cache for all mails. Currently these
  # fields are allowed followed by a list of commands they speed up:
-@@ -224,7 +224,7 @@
+@@ -228,7 +228,7 @@
  #     arrives in half a hour, Dovecot closes the connection. This is still
  #     fine, except Outlook doesn't connect back so you don't see if new mail
  #     arrives.
@@ -124,7 +133,7 @@
  
  # Dovecot can notify client of new mail in selected mailbox soon after it's
  # received. This setting specifies the minimum interval in seconds between
-@@ -249,7 +249,7 @@
+@@ -253,7 +253,7 @@
  # Save mails with CR+LF instead of plain LF. This makes sending those mails
  # take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
  # But it also creates a bit more disk I/O which may just make it slower.
@@ -133,7 +142,7 @@
  
  # Use mmap() instead of read() to read mail files. read() seems to be a bit
  # faster with my Linux/x86 and it's better with NFS, so that's the default.
-@@ -261,7 +261,7 @@
+@@ -265,7 +265,7 @@
  # know any MUA which would modify mail files directly. IMAP protocol also
  # requires that the mails don't change, so it would be problematic in any case.
  # If you care about performance, enable it.
@@ -142,7 +151,7 @@
  
  # Check if mails' content has been changed by external programs. This slows
  # down things as extra stat() needs to be called for each file. If changes are
-@@ -280,7 +280,7 @@
+@@ -284,7 +284,7 @@
  # with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
  # and flock. Some operating systems don't allow using both of them
  # simultaneously, eg. BSDs. If dotlock is used, it's always created first.
@@ -151,7 +160,7 @@
  
  # Should we create dotlock file even when we want only a read-lock? Setting
  # this to yes hurts the performance when the mailbox is accessed simultaneously
-@@ -310,7 +310,7 @@
+@@ -314,7 +314,7 @@
  ##
  
  # Executable location
@@ -160,7 +169,15 @@
  
  # Set max. process size in megabytes. Most of the memory goes to mmap()ing
  # files, so it shouldn't harm much even if this limit is set pretty high.
-@@ -321,7 +321,7 @@
+@@ -322,14 +322,14 @@
+ 
+ # Support for dynamically loadable modules.
+ #imap_use_modules = no
+-#imap_modules = /usr/lib/dovecot/imap
++#imap_modules = %%PREFIX%%/lib/dovecot/imap
+ 
+ ##
+ ## POP3 process
  ##
  
  # Executable location
@@ -169,7 +186,16 @@
  
  # Set max. process size in megabytes. Most of the memory goes to mmap()ing
  # files, so it shouldn't harm much even if this limit is set pretty high.
-@@ -374,10 +374,10 @@
+@@ -337,7 +337,7 @@
+ 
+ # Support for dynamically loadable modules.
+ #pop3_use_modules = no
+-#pop3_modules = /usr/lib/dovecot/pop3
++#pop3_modules = %%PREFIX%%/lib/dovecot/pop3
+ 
+ ##
+ ## Authentication processes
+@@ -386,10 +386,10 @@
  #   vpopmail: vpopmail authentication
  #   ldap <config path>: LDAP, see doc/dovecot-ldap.conf
  #   pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf
@@ -182,7 +208,16 @@
  
  # Set max. process size in megabytes.
  #auth_process_size = 256
-@@ -402,7 +402,7 @@
+@@ -397,7 +397,7 @@
+ # User to use for the process. This user needs access to only user and
+ # password databases, nothing else. Only shadow and pam authentication
+ # requires roots, so use something else if possible.
+-auth_user = root
++auth_user = dovecot
+ 
+ # Directory where to chroot the process. Most authentication backends don't
+ # work if this is set, and there's no point chrooting if auth_user is root.
+@@ -418,7 +418,7 @@
  
  # More verbose logging. Useful for figuring out why authentication isn't
  # working.
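Review bot: The added `auth_user = dovecot` runs the authentication process under the same account as `login_user = dovecot` earlier in this patch, although the login_user comment carried in the same file says to create a completely new user for the login process and not use it anywhere else. With one shared UID the network-facing login process and the process that handles passwords are no longer separated by account. The context comment here also says shadow and pam authentication need root, so the default may stop those backends from working; the configured backend is outside the visible lines. I would either keep `auth_user = root` as upstream ships it or use a dedicated account created by the port, e.g. `auth_user = <dedicated-auth-user>` (placeholder).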
>Release-Note:
>Audit-Trail:
>Unformatted:


