diff --git a/UPDATING b/UPDATING index 8ccdcfa..e5e67ac 100644 --- a/UPDATING +++ b/UPDATING @@ -5,6 +5,16 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20160427: + AFFECTS: Users of mail/dspam + AUTHOR: junovitch@FreeBSD.org + + dspam has been modified to no longer run as root:mail by default. + Existing configuration must be adjusted to reflect using a non-privileged + port and the /var/run/dspam directory for PID and socket files. If you + need dspam to run as root for your mail setup, you can use the SETUID + config option to enable the old insecure behavior. + 20160414: AFFECTS: Users of net-mgmt/icinga2 AUTHOR: lme@FreeBSD.org diff --git a/mail/dspam/Makefile b/mail/dspam/Makefile index 73a91cc..c1e895b 100644 --- a/mail/dspam/Makefile +++ b/mail/dspam/Makefile @@ -7,7 +7,7 @@ PORTNAME= dspam PORTVERSION= 3.10.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= mail MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION} @@ -16,13 +16,16 @@ COMMENT= Bayesian spam filter LICENSE= AGPLv3 +USERS= dspam +GROUPS= dspam + OPTIONS_SUB= yes OPTIONS_DEFINE= SYSLOG DEBUG VERBOSE_DEBUG BNR_DEBUG PREF_EXT DAEMON \ CLAMAV CLAMAV_LOCAL EXTERNAL_LOOKUP \ USER_HOMEDIR TRUSTED_USERS VIRT_USERS LONG_USERNAMES \ LARGE_SCALE DOMAIN_SCALE NICESENDMAIL POSTFIX_MBC \ - QMAIL WEBUI LIGHTTPD DOCS EXAMPLES + QMAIL WEBUI LIGHTTPD DOCS EXAMPLES SETUID OPTIONS_MULTI= DB OPTIONS_MULTI_DB= HASH MYSQL MYSQL_COMPRESS MYSQL_LOCAL \ @@ -70,6 +73,7 @@ POSTFIX_MBC_DESC= Dspam as mailbox_command in Postfix QMAIL_DESC= Play nice with Qmail mail server WEBUI_DESC= Install WebUI (RUN_DEPEND on Apache/Lighttpd) LIGHTTPD_DESC= RUN_DEPEND on Lighttpd instead of Apache +SETUID_DESC= Run as root:mail with setuid (insecure) MAKE_JOBS_UNSAFE= yes USES= perl5 libtool shebangfix @@ -97,13 +101,24 @@ CONFLICTS= dspam-devel-[0-9]* SIGNATURE_LIFE?= 15 +.include + _VAR_DIR= /var + +RUN_DIR?= ${_VAR_DIR}/run/dspam + LOG_DIR?= ${_VAR_DIR}/log/dspam LOGFILE?= ${LOG_DIR}/dspam.log -DSPAM_MODE?= 4510 +.if ${PORT_OPTIONS:MSETUID} DSPAM_OWNER?= root DSPAM_GROUP?= mail +DSPAM_MODE?= 4510 +.else +DSPAM_OWNER?= ${USERS} +DSPAM_GROUP?= ${GROUPS} +DSPAM_MODE?= 0555 +.endif DSPAM_ETC?= ${LOCALBASE}/etc DSPAM_HOME?= ${_VAR_DIR}/db/dspam @@ -124,6 +139,7 @@ PLIST_SUB+= DSPAM_HOME=${DSPAM_HOME} \ CONFIGURE_ARGS+= --sysconfdir=${DSPAM_ETC} CONFIGURE_ARGS+= --with-logdir=${LOG_DIR} PLIST_SUB+= LOG_DIR=${LOG_DIR} +PLIST_SUB+= RUN_DIR=${RUN_DIR} CONFIGURE_ARGS+= --with-dspam-home=${DSPAM_HOME} CONFIGURE_ARGS+= --with-dspam-home-owner=${DSPAM_HOME_OWNER} @@ -148,7 +164,6 @@ _SED_SCRIPT= -e 's,%%DOCSDIR%%,${DOCSDIR},g' \ -e 's,%%_VAR_DIR%%,${_VAR_DIR},g' \ -e '/^%%FreeBSD/D' -.include .if ${PORT_OPTIONS:MSYSLOG} CONFIGURE_ARGS+= --enable-syslog @@ -178,6 +193,8 @@ CONFIGURE_ARGS+= --enable-daemon USE_RC_SUBR= ${PORTNAME} _SED_SCRIPT+= -e 's,%%DAEMON%%,,g' SUB_LIST+= DSPAM_HOME=${DSPAM_HOME} +SUB_LIST+= DSPAM_OWNER=${DSPAM_OWNER} +SUB_LIST+= DSPAM_GROUP=${DSPAM_GROUP} .else _SED_SCRIPT+= -e '/%%DAEMON%%/D' .endif @@ -217,15 +234,19 @@ _DBDRV:= ${_DBDRV:S/pgsql_drv,//} .if ${PORT_OPTIONS:MSQLITE3} USES+= sqlite:3 _DBDRV_COUNT:= ${_DBDRV_COUNT}o +PLIST_SUB+= SQLITE3="" .else _DBDRV:= ${_DBDRV:S/sqlite3_drv,//} +PLIST_SUB+= SQLITE3="@comment " .endif .if ${PORT_OPTIONS:MSQLITE2} USES+= sqlite:2 _DBDRV_COUNT:= ${_DBDRV_COUNT}o +PLIST_SUB+= SQLITE2="" .else _DBDRV:= ${_DBDRV:S/sqlite_drv,//} +PLIST_SUB+= SQLITE2="@comment " .endif .if ${USES:Msqlite*} @@ -246,7 +267,7 @@ PLIST_SUB+= HASH="@comment " .endif .if ${PORT_OPTIONS:MMYSQL} -USE_MYSQL= yes +USES+= mysql CONFIGURE_ARGS+= --with-mysql-includes=${LOCALBASE}/include/mysql \ --with-mysql-libraries=${LOCALBASE}/lib/mysql PLIST_SUB+= MYSQL="" @@ -255,7 +276,7 @@ _DBDRV_COUNT:= ${_DBDRV_COUNT}o CONFIGURE_ARGS+= --enable-client-compression . endif . if ${PORT_OPTIONS:MMYSQL_LOCAL} -USE_MYSQL= server +WANT_MYSQL= server SUB_LIST+= MYSQL=mysql . else SUB_LIST+= MYSQL= @@ -274,6 +295,14 @@ PLIST_SUB+= DYNAMIC="" PLIST_SUB+= DYNAMIC="@comment " .endif +.if %{PORT_OPTIONS:MSETUID} +PLIST_SUB+= SETUID="" +PLIST_SUB+= NOSETUID="@comment " +.else +PLIST_SUB+= SETUID="@comment " +PLIST_SUB+= NOSETUID="" +.endif + .if ${PORT_OPTIONS:MEXTERNAL_LOOKUP} CONFIGURE_ARGS+= --enable-external-lookup USE_OPENLDAP= YES @@ -421,6 +450,7 @@ pre-extract: @${ECHO_CMD} "DSPAM_HOME_GROUP=${DSPAM_HOME_GROUP}" @${ECHO_CMD} "DSPAM_HOME_MODE=${DSPAM_HOME_MODE} (default: 0770)" @${ECHO_CMD} "LOG_DIR=${LOG_DIR} (default: ${_VAR_DIR}/log/dspam)" + @${ECHO_CMD} "RUN_DIR=${RUN_DIR} (default: ${_VAR_DIR}/run/dspam)" . ifdef(WITHOUT_SYSLOG) @${ECHO_CMD} "LOGFILE=${LOGFILE} (default: ${_VAR_DIR}/log/dspam/dspam.log)" . endif @@ -448,24 +478,24 @@ post-patch: ${WRKSRC}/src/tools/dspam_notify.in pre-configure: -.if ${PORT_OPTIONS:MVIRT_USERS} && !( defined(USE_MYSQL) || \ +.if ${PORT_OPTIONS:MVIRT_USERS} && !( ${PORT_OPTIONS:MMYSQL} || \ ${PORT_OPTIONS:MPGSQL} || ${PORT_OPTIONS:MHASH} ) @${ECHO_CMD} "You need MySQL, POSTGRESQL or HASH for virtual users." @${FALSE} .endif -.if ${PORT_OPTIONS:MPREF_EXT} && !( defined(USE_MYSQL) || \ +.if ${PORT_OPTIONS:MPREF_EXT} && !( ${PORT_OPTIONS:MMYSQL} || \ ${PORT_OPTIONS:MPGSQL} ) @${ECHO_CMD} "You need MySQL or Postgres for preferences extension" @${FALSE} .endif -.if ${PORT_OPTIONS:MDAEMON} && !( defined(USE_MYSQL) || \ +.if ${PORT_OPTIONS:MDAEMON} && !( ${PORT_OPTIONS:MMYSQL} || \ ${PORT_OPTIONS:MPGSQL} || ${PORT_OPTIONS:MHASH} ) @${ECHO_CMD} "You need MySQL, PostgreSQL or Hash for Daemon mode, because multithreading support is needed" @${FALSE} .endif -.if ${PORT_OPTIONS:MEXTERNAL_LOOKUP} && !( defined(USE_MYSQL) || \ +.if ${PORT_OPTIONS:MEXTERNAL_LOOKUP} && !( ${PORT_OPTIONS:MMYSQL} || \ ${PORT_OPTIONS:MPGSQL} || ${PORT_OPTIONS:MSQLITE*} ) - @${ECHO_CMD} "You need MySQL, Postgres or SQLITE for EXTERNAL_LOOKUP." + @${ECHO_CMD} "You need MySQL, Postgres or SQLite for EXTERNAL_LOOKUP." @${FALSE} .endif .if ${PORT_OPTIONS:MUSER_HOMEDIR} && ${PORT_OPTIONS:MWEBUI} @@ -490,7 +520,7 @@ post-install: ${RM} -R ${STAGEDIR}${PREFIX}/lib/pkgconfig || true .if ${PORT_OPTIONS:MEXAMPLES} -.ifdef(USE_MYSQL) +.if ${PORT_OPTIONS:MMYSQL} @${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/mysql cd ${WRKSRC}/src/tools.mysql_drv && \ ${INSTALL_DATA} mysql_objects-4.1.sql \ @@ -558,7 +588,8 @@ post-install: ${INSTALL_DATA} ${_file}.sample ${STAGEDIR}${DSPAM_HOME} .endfor - @${MKDIR} -m ${DSPAM_HOME_MODE} ${STAGEDIR}${LOG_DIR} + @${MKDIR} ${STAGEDIR}${RUN_DIR} + @${MKDIR} ${STAGEDIR}${LOG_DIR} @${CAT} ${WRKSRC}/README.FreeBSD diff --git a/mail/dspam/files/UPDATING b/mail/dspam/files/UPDATING index dcc7e36..12060e0 100644 --- a/mail/dspam/files/UPDATING +++ b/mail/dspam/files/UPDATING @@ -17,6 +17,19 @@ in the port directory: make extract; more `find . -type f -maxdepth 2 -name UPGRADING` ########################################################################### +# dspam-3.10.2_2 +# + +Port Changes: +- Runs as dspam:dspam instead of root:mail [1] +- Default run directory is now /var/run/dspam [1] +- Default daemon/client communication port is now 2424 [1] +- New SETUID option to enable old insecure behavior [1] + +[1] Questionable ownership and security on mail/dspam (PR #115957) + + +########################################################################### # dspam-3.10.2 # diff --git a/mail/dspam/files/dspam.in b/mail/dspam/files/dspam.in index f6f238e..d5c6a1f 100644 --- a/mail/dspam/files/dspam.in +++ b/mail/dspam/files/dspam.in @@ -25,7 +25,9 @@ load_rc_config $name #defaults : ${dspam_enable="NO"} : ${dspam_debug="NO"} -: ${dspam_pidfile:-/var/run/dspam.pid} +: ${dspam_pidfile:-/var/run/dspam/dspam.pid} +: ${dspam_user="%%DSPAM_OWNER%%"} +: ${dspam_group="%%DSPAM_GROUP%%"} command=%%PREFIX%%/bin/${name} diff --git a/mail/dspam/files/patch-src__Makefile.in b/mail/dspam/files/patch-src__Makefile.in index d4c6c58..42e0570 100644 --- a/mail/dspam/files/patch-src__Makefile.in +++ b/mail/dspam/files/patch-src__Makefile.in @@ -1,6 +1,6 @@ ---- src/Makefile.in.orig 2014-05-14 17:35:13.000000000 -0300 -+++ src/Makefile.in 2014-05-14 17:35:48.000000000 -0300 -@@ -1117,11 +1117,11 @@ +--- src/Makefile.in.orig 2012-04-23 17:53:45 UTC ++++ src/Makefile.in +@@ -1249,11 +1249,11 @@ install-exec-hook: mkdir -p $(DESTDIR)$(sysconfdir); \ chmod 755 $(DESTDIR)$(sysconfdir); \ fi diff --git a/mail/dspam/files/patch-src__client.c b/mail/dspam/files/patch-src__client.c new file mode 100644 index 0000000..8e3339e --- /dev/null +++ b/mail/dspam/files/patch-src__client.c @@ -0,0 +1,11 @@ +--- src/client.c.orig 2012-04-11 18:48:33 UTC ++++ src/client.c +@@ -304,7 +304,7 @@ int client_connect(AGENT_CTX *ATX, int f + struct sockaddr_un saun; + int sockfd; + int yes = 1; +- int port = 24; ++ int port = 2424; + int domain = 0; + int addr_len; + char *host; diff --git a/mail/dspam/files/patch-src__daemon.c b/mail/dspam/files/patch-src__daemon.c new file mode 100644 index 0000000..5221294 --- /dev/null +++ b/mail/dspam/files/patch-src__daemon.c @@ -0,0 +1,11 @@ +--- src/daemon.c.orig 2012-04-11 18:48:33 UTC ++++ src/daemon.c +@@ -97,7 +97,7 @@ int daemon_listen(DRIVER_CTX *DTX) { + int domain = 0; /* listening on domain socket? */ + int listener; /* listener fd */ + int i; +- int port = 24, queue = 32; /* default port and queue size */ ++ int port = 2424, queue = 32; /* default port and queue size */ + + signal(SIGPIPE, SIG_IGN); + signal(SIGINT, process_signal); diff --git a/mail/dspam/files/patch-src__dspam.c b/mail/dspam/files/patch-src__dspam.c deleted file mode 100644 index 9234ef2..0000000 --- a/mail/dspam/files/patch-src__dspam.c +++ /dev/null @@ -1,11 +0,0 @@ ---- src/dspam.c.orig 2012-04-11 11:48:33.000000000 -0700 -+++ src/dspam.c 2014-09-23 19:43:09.688194417 -0700 -@@ -4194,7 +4194,7 @@ - - pidfile = _ds_read_attribute(agent_config, "ServerPID"); - if ( pidfile == NULL ) -- pidfile = "/var/run/dspam/dspam.pid"; -+ pidfile = "/var/run/dspam.pid"; - - if (pidfile) { - FILE *file; diff --git a/mail/dspam/files/patch-src__dspam.conf.in b/mail/dspam/files/patch-src__dspam.conf.in index b3c48fb..cc9897c 100644 --- a/mail/dspam/files/patch-src__dspam.conf.in +++ b/mail/dspam/files/patch-src__dspam.conf.in @@ -1,6 +1,6 @@ ---- src/dspam.conf.in.orig 2014-09-18 00:33:02.874722063 -0700 -+++ src/dspam.conf.in 2014-09-18 00:41:49.434685786 -0700 -@@ -56,6 +56,7 @@ +--- src/dspam.conf.in.orig 2012-04-11 18:48:33 UTC ++++ src/dspam.conf.in +@@ -56,6 +56,7 @@ TrustedDeliveryAgent "@delivery_agent@" # necessary if you plan on allowing untrusted processing. # #UntrustedDeliveryAgent "/usr/bin/procmail -d %u" @@ -8,7 +8,7 @@ # # SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP -@@ -350,7 +351,7 @@ +@@ -350,7 +351,7 @@ AllowOverride notifications # Storage driver settings: Specific to a particular storage driver. Uncomment # the configuration specific to your installation, if applicable. # @@ -17,7 +17,7 @@ #MySQLPort #MySQLUser dspam #MySQLPass changeme -@@ -361,7 +362,7 @@ +@@ -361,7 +362,7 @@ AllowOverride notifications # If you are using replication for clustering, you can also specify a separate # server to perform all writes to. # @@ -26,7 +26,7 @@ #MySQLWritePort #MySQLWriteUser dspam #MySQLWritePass changeme -@@ -406,7 +407,7 @@ +@@ -406,7 +407,7 @@ AllowOverride notifications # in /var/run/postgresql/.s.PGSQL.5432 specify just the path where the socket # resits (without .s.PGSQL.5432). @@ -35,12 +35,24 @@ #PgSQLPort #PgSQLUser dspam #PgSQLPass changeme -@@ -845,14 +846,14 @@ +@@ -807,9 +808,9 @@ Opt out + # interfaces. + # + #ServerHost 127.0.0.1 +-#ServerPort 24 ++#ServerPort 2424 + #ServerQueueSize 32 +-#ServerPID /var/run/dspam.pid ++#ServerPID /var/run/dspam/dspam.pid + + # + # ServerMode specifies the type of LMTP server to start. This can be one of: +@@ -845,18 +846,18 @@ Opt out # you are running the client and server on the same machine, as it eliminates # much of the bandwidth overhead. # -#ServerDomainSocketPath "/tmp/dspam.sock" -+#ServerDomainSocketPath "/var/run/dspam.sock" ++#ServerDomainSocketPath "/var/run/dspam/dspam.sock" # # Client Mode: If you are running DSPAM in client/server mode, uncomment and @@ -48,7 +60,12 @@ # a domain socket. # -#ClientHost /tmp/dspam.sock -+#ClientHost /var/run/dspam.sock ++#ClientHost /var/run/dspam/dspam.sock #ClientIdent "secret@Relay1" # #ClientHost 127.0.0.1 +-#ClientPort 24 ++#ClientPort 2424 + #ClientIdent "secret@Relay1" + + # --- RABL --- diff --git a/mail/dspam/pkg-plist b/mail/dspam/pkg-plist index 921f30f..7d541ee 100644 --- a/mail/dspam/pkg-plist +++ b/mail/dspam/pkg-plist @@ -2,7 +2,8 @@ %%HASH%%bin/csscompress %%HASH%%bin/cssconvert %%HASH%%bin/cssstat -@(%%DSPAM_OWNER%%,%%DSPAM_GROUP%%,%%DSPAM_MODE%%) bin/dspam +%%SETUID%%@(%%DSPAM_OWNER%%,%%DSPAM_GROUP%%,%%DSPAM_MODE%%) bin/dspam +%%NOSETUID%%bin/dspam bin/dspamc bin/dspam_2sql bin/dspam_admin @@ -65,10 +66,14 @@ man/man3/libdspam.3.gz %%DYNAMIC%%%%PGSQL%%lib/dspam/libpgsql_drv.so %%DYNAMIC%%%%PGSQL%%lib/dspam/libpgsql_drv.so.7 %%DYNAMIC%%%%PGSQL%%lib/dspam/libpgsql_drv.so.7.0.0 -%%DYNAMIC%%%%SQLITE%%lib/dspam/libsqlite3_drv.a -%%DYNAMIC%%%%SQLITE%%lib/dspam/libsqlite3_drv.so -%%DYNAMIC%%%%SQLITE%%lib/dspam/libsqlite3_drv.so.7 -%%DYNAMIC%%%%SQLITE%%lib/dspam/libsqlite3_drv.so.7.0.0 +%%DYNAMIC%%%%SQLITE2%%lib/dspam/libsqlite_drv.so.7.0.0 +%%DYNAMIC%%%%SQLITE2%%lib/dspam/libsqlite_drv.a +%%DYNAMIC%%%%SQLITE2%%lib/dspam/libsqlite_drv.so +%%DYNAMIC%%%%SQLITE2%%lib/dspam/libsqlite_drv.so.7 +%%DYNAMIC%%%%SQLITE3%%lib/dspam/libsqlite3_drv.a +%%DYNAMIC%%%%SQLITE3%%lib/dspam/libsqlite3_drv.so +%%DYNAMIC%%%%SQLITE3%%lib/dspam/libsqlite3_drv.so.7 +%%DYNAMIC%%%%SQLITE3%%lib/dspam/libsqlite3_drv.so.7.0.0 libdata/pkgconfig/dspam.pc %%PORTDOCS%%%%DOCSDIR%%/CHANGELOG %%PORTDOCS%%%%DOCSDIR%%/LICENSE @@ -206,8 +211,9 @@ libdata/pkgconfig/dspam.pc %%WebUI%%%%WWWDIR%%/templates/ro/nav_preferences.html %%WebUI%%%%WWWDIR%%/templates/ro/nav_quarantine.html %%WebUI%%%%WWWDIR%%/templates/ro/nav_viewmessage.html -%%DSPAM_HOME%%/firstrun.txt.sample -%%DSPAM_HOME%%/firstspam.txt.sample -%%DSPAM_HOME%%/quarantinefull.txt.sample +@(%%DSPAM_HOME_OWNER%%,%%DSPAM_HOME_GROUP%%) %%DSPAM_HOME%%/firstrun.txt.sample +@(%%DSPAM_HOME_OWNER%%,%%DSPAM_HOME_GROUP%%) %%DSPAM_HOME%%/firstspam.txt.sample +@(%%DSPAM_HOME_OWNER%%,%%DSPAM_HOME_GROUP%%) %%DSPAM_HOME%%/quarantinefull.txt.sample @dir(%%DSPAM_HOME_OWNER%%,%%DSPAM_HOME_GROUP%%,%%DSPAM_HOME_MODE%%) %%DSPAM_HOME%% -@dir(%%DSPAM_HOME_OWNER%%,%%DSPAM_HOME_GROUP%%) %%LOG_DIR%% +@dir(%%DSPAM_OWNER%%,%%DSPAM_GROUP%%) %%LOG_DIR%% +@dir(%%DSPAM_OWNER%%,%%DSPAM_GROUP%%) %%RUN_DIR%%