FreeBSD Bugzilla – Attachment 32602 Details for
Bug 53796
Maintainer Upgade: mail/dovecot
file.diff
file.diff (text/plain), 13.76 KB, created by
Dominic Marks
on 2003-06-26 22:50:15 UTC
Description:
file.diff
Filename:
MIME Type:
Creator:
Dominic Marks
Created:
2003-06-26 22:50:15 UTC
Size:
13.76 KB
patch
obsolete
>diff -ruN --exclude=CVS /home/dom/dovecot/Makefile /usr/ports/mail/dovecot/Makefile
>--- /home/dom/dovecot/Makefile Tue Jun 24 02:06:02 2003
>+++ /usr/ports/mail/dovecot/Makefile Thu Jun 26 20:23:52 2003
>@@ -1,12 +1,12 @@
> # New ports collection makefile for: dovecot
> # Date created: 12/08/2002
>-# Whom: Dominic Marks <d.marks@student.umist.ac.uk>
>+# Whom: Dominic Marks <dominic.marks@btinternet.com>
> #
> # $FreeBSD: ports/mail/dovecot/Makefile,v 1.13 2003/06/24 01:06:02 leeym Exp $
> #
>
> PORTNAME= dovecot
>-PORTVERSION= 0.99.9.1
>+PORTVERSION= 0.99.10
> CATEGORIES= mail ipv6
> MASTER_SITES= http://dovecot.procontrol.fi/
>
>diff -ruN --exclude=CVS /home/dom/dovecot/distinfo /usr/ports/mail/dovecot/distinfo
>--- /home/dom/dovecot/distinfo Sat May 3 22:50:26 2003
>+++ /usr/ports/mail/dovecot/distinfo Thu Jun 26 20:25:00 2003
>@@ -1 +1 @@
>-MD5 (dovecot-0.99.9.1.tar.gz) = d8d51af34a3467b65b20dc9d09140fbe
>+MD5 (dovecot-0.99.10.tar.gz) = 26d8452366a28418cc8a114781a721b6
>diff -ruN --exclude=CVS /home/dom/dovecot/files/patch-allow-zero-gid /usr/ports/mail/dovecot/files/patch-allow-zero-gid
>--- /home/dom/dovecot/files/patch-allow-zero-gid Sat May 3 22:50:26 2003
>+++ /usr/ports/mail/dovecot/files/patch-allow-zero-gid Thu Jan 1 01:00:00 1970
>@@ -1,172 +0,0 @@
>-Index: src/lib/restrict-access.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/lib/restrict-access.c,v
>-retrieving revision 1.10
>-diff -u -3 -p -r1.10 restrict-access.c
>---- src/lib/restrict-access.c 4 Mar 2003 04:00:13 -0000 1.10
>-+++ src/lib/restrict-access.c 15 Apr 2003 17:37:26 -0000
>-@@ -31,12 +31,14 @@
>- #include <grp.h>
>-
>- void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
>-- const char *chroot_dir)
>-+ const char *chroot_dir, int allow_zg)
>- {
>- if (user != NULL && *user != '\0')
>- env_put(t_strconcat("RESTRICT_USER=", user, NULL));
>- if (chroot_dir != NULL && *chroot_dir != '\0')
>- env_put(t_strconcat("RESTRICT_CHROOT=", chroot_dir, NULL));
>-+ if (allow_zg == TRUE)
>-+ env_put(t_strdup("ALLOW_ZERO_GID=TRUE"));
>-
>- env_put(t_strdup_printf("RESTRICT_SETUID=%s", dec2str(uid)));
>- env_put(t_strdup_printf("RESTRICT_SETGID=%s", dec2str(gid)));
>-@@ -45,6 +47,7 @@ void restrict_access_set_env(const char
>- void restrict_access_by_env(int disallow_root)
>- {
>- const char *env;
>-+ int allow_zero_gid;
>- gid_t gid;
>- uid_t uid;
>-
>-@@ -97,8 +100,14 @@ void restrict_access_by_env(int disallow
>- i_fatal("We couldn't drop root privileges");
>- }
>-
>-- if ((gid != 0 && uid != 0) || disallow_root) {
>-+ /* allow users with zero group id permission for BSD */
>-+ env = getenv("ALLOW_ZERO_GID");
>-+ allow_zero_gid = env == NULL ? FALSE : TRUE;
>-+
>-+ if (allow_zero_gid == FALSE &&
>-+ ((gid != 0 && uid != 0) || disallow_root)) {
>- if (getgid() == 0 || getegid() == 0 || setgid(0) == 0)
>- i_fatal("We couldn't drop root group privileges");
>- }
>-+
>- }
>-Index: src/lib/restrict-access.h
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/lib/restrict-access.h,v
>-retrieving revision 1.4
>-diff -u -3 -p -r1.4 restrict-access.h
>---- src/lib/restrict-access.h 4 Mar 2003 04:00:13 -0000 1.4
>-+++ src/lib/restrict-access.h 15 Apr 2003 17:37:26 -0000
>-@@ -4,7 +4,7 @@
>- /* set environment variables so they can be read with
>- restrict_access_by_env() */
>- void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
>-- const char *chroot_dir);
>-+ const char *chroot_dir, int allow_zg);
>-
>- /* chroot, setuid() and setgid() based on environment variables.
>- If disallow_roots is TRUE, we'll kill ourself if we didn't have the
>-Index: src/master/auth-process.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/auth-process.c,v
>-retrieving revision 1.41
>-diff -u -3 -p -r1.41 auth-process.c
>---- src/master/auth-process.c 2 Apr 2003 02:09:41 -0000 1.41
>-+++ src/master/auth-process.c 15 Apr 2003 17:37:27 -0000
>-@@ -307,7 +307,7 @@ static pid_t create_auth_process(struct
>-
>- /* setup access environment */
>- restrict_access_set_env(group->set->user, pwd->pw_uid, pwd->pw_gid,
>-- group->set->chroot);
>-+ group->set->chroot, set->allow_zero_gid);
>-
>- /* set other environment */
>- env_put(t_strconcat("AUTH_PROCESS=", dec2str(getpid()), NULL));
>-Index: src/master/login-process.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/login-process.c,v
>-retrieving revision 1.40
>-diff -u -3 -p -r1.40 login-process.c
>---- src/master/login-process.c 15 Apr 2003 16:58:48 -0000 1.40
>-+++ src/master/login-process.c 15 Apr 2003 17:37:27 -0000
>-@@ -384,7 +384,8 @@ static void login_process_init_env(struc
>- clean_child_process() since it clears environment */
>- restrict_access_set_env(group->set->user,
>- group->set->uid, set->login_gid,
>-- set->login_chroot ? set->login_dir : NULL);
>-+ set->login_chroot ? set->login_dir : NULL,
>-+ FALSE);
>-
>- env_put("DOVECOT_MASTER=1");
>-
>-Index: src/master/mail-process.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/mail-process.c,v
>-retrieving revision 1.13
>-diff -u -3 -p -r1.13 mail-process.c
>---- src/master/mail-process.c 15 Apr 2003 16:58:48 -0000 1.13
>-+++ src/master/mail-process.c 15 Apr 2003 17:37:28 -0000
>-@@ -25,7 +25,7 @@ static int validate_uid_gid(uid_t uid, g
>- return FALSE;
>- }
>-
>-- if (uid != 0 && gid == 0) {
>-+ if (set->allow_zero_gid == FALSE && uid != 0 && gid == 0) {
>- i_error("mail process isn't allowed to be in group 0");
>- return FALSE;
>- }
>-@@ -38,8 +38,9 @@ static int validate_uid_gid(uid_t uid, g
>- return FALSE;
>- }
>-
>-- if (gid < (gid_t)set->first_valid_gid ||
>-- (set->last_valid_gid != 0 && gid > (gid_t)set->last_valid_gid)) {
>-+ if (set->allow_zero_gid == FALSE &&
>-+ (gid < (gid_t)set->first_valid_gid ||
>-+ (set->last_valid_gid != 0 && gid > (gid_t)set->last_valid_gid))) {
>- i_error("mail process isn't allowed to use "
>- "GID %s (UID is %s)", dec2str(gid), dec2str(uid));
>- return FALSE;
>-@@ -150,7 +151,8 @@ int create_mail_process(int socket, stru
>- (paranoia about filling up environment without noticing) */
>- restrict_access_set_env(data + reply->system_user_idx,
>- reply->uid, reply->gid,
>-- reply->chroot ? data + reply->home_idx : NULL);
>-+ reply->chroot ? data + reply->home_idx : NULL,
>-+ set->allow_zero_gid);
>-
>- restrict_process_size(process_size, (unsigned int)-1);
>-
>-Index: src/master/master-settings.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/master-settings.c,v
>-retrieving revision 1.16
>-diff -u -3 -p -r1.16 master-settings.c
>---- src/master/master-settings.c 2 Apr 2003 02:09:41 -0000 1.16
>-+++ src/master/master-settings.c 15 Apr 2003 17:37:28 -0000
>-@@ -46,6 +46,7 @@ static struct setting_def setting_defs[]
>- DEF(SET_INT, max_mail_processes),
>- DEF(SET_BOOL, verbose_proctitle),
>-
>-+ DEF(SET_BOOL, allow_zero_gid),
>- DEF(SET_INT, first_valid_uid),
>- DEF(SET_INT, last_valid_uid),
>- DEF(SET_INT, first_valid_gid),
>-@@ -153,6 +154,7 @@ struct settings default_settings = {
>- MEMBER(max_mail_processes) 1024,
>- MEMBER(verbose_proctitle) FALSE,
>-
>-+ MEMBER(allow_zero_gid) FALSE,
>- MEMBER(first_valid_uid) 500,
>- MEMBER(last_valid_uid) 0,
>- MEMBER(first_valid_gid) 1,
>-Index: src/master/master-settings.h
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/master-settings.h,v
>-retrieving revision 1.10
>-diff -u -3 -p -r1.10 master-settings.h
>---- src/master/master-settings.h 2 Apr 2003 02:09:41 -0000 1.10
>-+++ src/master/master-settings.h 15 Apr 2003 17:37:29 -0000
>-@@ -32,6 +32,7 @@ struct settings {
>- unsigned int max_mail_processes;
>- int verbose_proctitle;
>-
>-+ int allow_zero_gid;
>- unsigned int first_valid_uid, last_valid_uid;
>- unsigned int first_valid_gid, last_valid_gid;
>-
>diff -ruN --exclude=CVS /home/dom/dovecot/files/patch-dovecot-example.conf /usr/ports/mail/dovecot/files/patch-dovecot-example.conf
>--- /home/dom/dovecot/files/patch-dovecot-example.conf Sat May 3 22:50:26 2003
>+++ /usr/ports/mail/dovecot/files/patch-dovecot-example.conf Thu Jun 26 22:37:52 2003
>@@ -1,5 +1,5 @@
>---- dovecot-example.conf.orig Fri Apr 4 13:17:25 2003
>-+++ dovecot-example.conf Sat Apr 19 14:11:40 2003
>+--- dovecot-example.conf.orig Thu Jun 26 17:11:06 2003
>++++ dovecot-example.conf Thu Jun 26 22:36:08 2003
> @@ -7,11 +7,11 @@
> # --with-ssldir=/etc/ssl
>
>@@ -58,9 +58,9 @@
> -#login_executable = /usr/libexec/dovecot/imap-login
> +login_executable = %%PREFIX%%/libexec/dovecot/imap-login
>
>- # User to use for the login process. The user must belong to a group where
>- # only it has access, it's used to control access for authentication process
>- # named sockets.
>+ # User to use for the login process. Create a completely new user for this,
>+ # and don't use it anywhere else. The user must also belong to a group where
>+ # only it has access, it's used to control access for authentication process.
> -#login_user = dovecot
> +login_user = dovecot
>
>@@ -95,9 +95,18 @@
> -#verbose_ssl = no
> +verbose_ssl = yes
>
>- # Valid UID/GID ranges for users, defaults to 500 and above. This is mostly
>+ # Valid UID range for users, defaults to 500 and above. This is mostly
> # to make sure that users can't log in as daemons or other system users.
>-@@ -160,7 +160,7 @@
>+@@ -155,7 +155,7 @@
>+ # non-valid GID as primary group ID aren't allowed to log in. If user
>+ # belongs to supplementary groups with non-valid GIDs, those groups are
>+ # not set.
>+-#first_valid_gid = 1
>++first_valid_gid = 0
>+ #last_valid_gid = 0
>+
>+ # ':' separated list of directories under which chrooting is allowed for mail
>+@@ -164,7 +164,7 @@
> # WARNING: Never add directories here which local users can modify, that
> # may lead to root exploit. Usually this should be done only if you don't
> # allow shell access for users. See doc/configuration.txt for more information.
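Review bot: The added `++first_valid_gid = 0` line in the `@@ -95,9 +95,18 @@` hunk makes acceptance of primary GID 0 the shipped default, whereas the `patch-allow-zero-gid` file this submission deletes kept it opt-in (`MEMBER(allow_zero_gid) FALSE`). With the example configuration installed unchanged, an account whose primary group is 0 passes the GID range check and, as far as this patch shows, its mail process keeps group 0. I would leave `#first_valid_gid = 1` commented out and add a line such as `# FreeBSD: set first_valid_gid = 0 only if mail users really have primary group 0`. Whether 0.99.10 still rejects GID 0 for non-root users elsewhere is not visible here and should be confirmed before relying on this setting.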
>@@ -106,7 +115,7 @@
>
> # Default MAIL environment to use when it's not set. By leaving this empty
> # dovecot tries to do some automatic detection as described in
>-@@ -179,7 +179,7 @@
>+@@ -183,7 +183,7 @@
> # mbox:~/mail/:INBOX=/var/mail/%u
> # mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
> #
>@@ -115,7 +124,7 @@
>
> # Space-separated list of fields to cache for all mails. Currently these
> # fields are allowed followed by a list of commands they speed up:
>-@@ -224,7 +224,7 @@
>+@@ -228,7 +228,7 @@
> # arrives in half a hour, Dovecot closes the connection. This is still
> # fine, except Outlook doesn't connect back so you don't see if new mail
> # arrives.
>@@ -124,7 +133,7 @@
>
> # Dovecot can notify client of new mail in selected mailbox soon after it's
> # received. This setting specifies the minimum interval in seconds between
>-@@ -249,7 +249,7 @@
>+@@ -253,7 +253,7 @@
> # Save mails with CR+LF instead of plain LF. This makes sending those mails
> # take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
> # But it also creates a bit more disk I/O which may just make it slower.
>@@ -133,7 +142,7 @@
>
> # Use mmap() instead of read() to read mail files. read() seems to be a bit
> # faster with my Linux/x86 and it's better with NFS, so that's the default.
>-@@ -261,7 +261,7 @@
>+@@ -265,7 +265,7 @@
> # know any MUA which would modify mail files directly. IMAP protocol also
> # requires that the mails don't change, so it would be problematic in any case.
> # If you care about performance, enable it.
>@@ -142,7 +151,7 @@
>
> # Check if mails' content has been changed by external programs. This slows
> # down things as extra stat() needs to be called for each file. If changes are
>-@@ -280,7 +280,7 @@
>+@@ -284,7 +284,7 @@
> # with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
> # and flock. Some operating systems don't allow using both of them
> # simultaneously, eg. BSDs. If dotlock is used, it's always created first.
>@@ -151,7 +160,7 @@
>
> # Should we create dotlock file even when we want only a read-lock? Setting
> # this to yes hurts the performance when the mailbox is accessed simultaneously
>-@@ -310,7 +310,7 @@
>+@@ -314,7 +314,7 @@
> ##
>
> # Executable location
>@@ -160,7 +169,15 @@
>
> # Set max. process size in megabytes. Most of the memory goes to mmap()ing
> # files, so it shouldn't harm much even if this limit is set pretty high.
>-@@ -321,7 +321,7 @@
>+@@ -322,14 +322,14 @@
>+
>+ # Support for dynamically loadable modules.
>+ #imap_use_modules = no
>+-#imap_modules = /usr/lib/dovecot/imap
>++#imap_modules = %%PREFIX%%/lib/dovecot/imap
>+
>+ ##
>+ ## POP3 process
> ##
>
> # Executable location
>@@ -169,7 +186,16 @@
>
> # Set max. process size in megabytes. Most of the memory goes to mmap()ing
> # files, so it shouldn't harm much even if this limit is set pretty high.
>-@@ -374,10 +374,10 @@
>+@@ -337,7 +337,7 @@
>+
>+ # Support for dynamically loadable modules.
>+ #pop3_use_modules = no
>+-#pop3_modules = /usr/lib/dovecot/pop3
>++#pop3_modules = %%PREFIX%%/lib/dovecot/pop3
>+
>+ ##
>+ ## Authentication processes
>+@@ -386,10 +386,10 @@
> # vpopmail: vpopmail authentication
> # ldap <config path>: LDAP, see doc/dovecot-ldap.conf
> # pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf
>@@ -182,7 +208,16 @@
>
> # Set max. process size in megabytes.
> #auth_process_size = 256
>-@@ -402,7 +402,7 @@
>+@@ -397,7 +397,7 @@
>+ # User to use for the process. This user needs access to only user and
>+ # password databases, nothing else. Only shadow and pam authentication
>+ # requires roots, so use something else if possible.
>+-auth_user = root
>++auth_user = dovecot
>+
>+ # Directory where to chroot the process. Most authentication backends don't
>+ # work if this is set, and there's no point chrooting if auth_user is root.
>+@@ -418,7 +418,7 @@
>
> # More verbose logging. Useful for figuring out why authentication isn't
> # working.
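Review bot: `++auth_user = dovecot` gives the authentication process the same account as `+login_user = dovecot` from the `@@ -58,9 +58,9 @@` hunk, although the comment added there says to create a completely new user for the login process and not use it anywhere else. Sharing one UID removes the separation between the network-facing login process and the process that reads the user and password databases. A dedicated account created by the port would keep the least-privilege intent, e.g. `auth_user = <dedicated-auth-user>` (placeholder name). The context comment also states that shadow and pam authentication require root, so the port should say which backends still work with this non-root default.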