Attachment 32602 Details for Bug 53796 – file.diff

[patch] file.diff

file.diff (text/plain), 13.76 KB, created by Dominic Marks on 2003-06-26 22:50:15 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Dominic Marks

Created: 2003-06-26 22:50:15 UTC

Size: 13.76 KB

patch

obsolete

>diff -ruN --exclude=CVS /home/dom/dovecot/Makefile /usr/ports/mail/dovecot/Makefile
>--- /home/dom/dovecot/Makefile	Tue Jun 24 02:06:02 2003
>+++ /usr/ports/mail/dovecot/Makefile	Thu Jun 26 20:23:52 2003
>@@ -1,12 +1,12 @@
> # New ports collection makefile for:	dovecot
> # Date created:				12/08/2002
>-# Whom:			Dominic Marks <d.marks@student.umist.ac.uk>
>+# Whom:			Dominic Marks <dominic.marks@btinternet.com>
> #
> # $FreeBSD: ports/mail/dovecot/Makefile,v 1.13 2003/06/24 01:06:02 leeym Exp $
> #
> 
> PORTNAME=	dovecot
>-PORTVERSION=	0.99.9.1
>+PORTVERSION=	0.99.10
> CATEGORIES=	mail ipv6
> MASTER_SITES=	http://dovecot.procontrol.fi/
> 
>diff -ruN --exclude=CVS /home/dom/dovecot/distinfo /usr/ports/mail/dovecot/distinfo
>--- /home/dom/dovecot/distinfo	Sat May  3 22:50:26 2003
>+++ /usr/ports/mail/dovecot/distinfo	Thu Jun 26 20:25:00 2003
>@@ -1 +1 @@
>-MD5 (dovecot-0.99.9.1.tar.gz) = d8d51af34a3467b65b20dc9d09140fbe
>+MD5 (dovecot-0.99.10.tar.gz) = 26d8452366a28418cc8a114781a721b6
>diff -ruN --exclude=CVS /home/dom/dovecot/files/patch-allow-zero-gid /usr/ports/mail/dovecot/files/patch-allow-zero-gid
>--- /home/dom/dovecot/files/patch-allow-zero-gid	Sat May  3 22:50:26 2003
>+++ /usr/ports/mail/dovecot/files/patch-allow-zero-gid	Thu Jan  1 01:00:00 1970
>@@ -1,172 +0,0 @@
>-Index: src/lib/restrict-access.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/lib/restrict-access.c,v
>-retrieving revision 1.10
>-diff -u -3 -p -r1.10 restrict-access.c
>---- src/lib/restrict-access.c	4 Mar 2003 04:00:13 -0000	1.10
>-+++ src/lib/restrict-access.c	15 Apr 2003 17:37:26 -0000
>-@@ -31,12 +31,14 @@
>- #include <grp.h>
>- 
>- void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
>--			     const char *chroot_dir)
>-+		 	     const char *chroot_dir, int allow_zg)
>- {
>- 	if (user != NULL && *user != '\0')
>- 		env_put(t_strconcat("RESTRICT_USER=", user, NULL));
>- 	if (chroot_dir != NULL && *chroot_dir != '\0')
>- 		env_put(t_strconcat("RESTRICT_CHROOT=", chroot_dir, NULL));
>-+	if (allow_zg == TRUE)
>-+		env_put(t_strdup("ALLOW_ZERO_GID=TRUE"));
>- 
>- 	env_put(t_strdup_printf("RESTRICT_SETUID=%s", dec2str(uid)));
>- 	env_put(t_strdup_printf("RESTRICT_SETGID=%s", dec2str(gid)));
>-@@ -45,6 +47,7 @@ void restrict_access_set_env(const char 
>- void restrict_access_by_env(int disallow_root)
>- {
>- 	const char *env;
>-+	int allow_zero_gid;
>- 	gid_t gid;
>- 	uid_t uid;
>- 
>-@@ -97,8 +100,14 @@ void restrict_access_by_env(int disallow
>- 			i_fatal("We couldn't drop root privileges");
>- 	}
>- 
>--	if ((gid != 0 && uid != 0) || disallow_root) {
>-+	/* allow users with zero group id permission for BSD */
>-+	env = getenv("ALLOW_ZERO_GID");
>-+	allow_zero_gid = env == NULL ? FALSE : TRUE;
>-+
>-+	if (allow_zero_gid == FALSE &&
>-+		((gid != 0 && uid != 0) || disallow_root)) {
>- 		if (getgid() == 0 || getegid() == 0 || setgid(0) == 0)
>- 			i_fatal("We couldn't drop root group privileges");
>- 	}
>-+
>- }
>-Index: src/lib/restrict-access.h
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/lib/restrict-access.h,v
>-retrieving revision 1.4
>-diff -u -3 -p -r1.4 restrict-access.h
>---- src/lib/restrict-access.h	4 Mar 2003 04:00:13 -0000	1.4
>-+++ src/lib/restrict-access.h	15 Apr 2003 17:37:26 -0000
>-@@ -4,7 +4,7 @@
>- /* set environment variables so they can be read with
>-    restrict_access_by_env() */
>- void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
>--			     const char *chroot_dir);
>-+			     const char *chroot_dir, int allow_zg);
>- 
>- /* chroot, setuid() and setgid() based on environment variables.
>-    If disallow_roots is TRUE, we'll kill ourself if we didn't have the
>-Index: src/master/auth-process.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/auth-process.c,v
>-retrieving revision 1.41
>-diff -u -3 -p -r1.41 auth-process.c
>---- src/master/auth-process.c	2 Apr 2003 02:09:41 -0000	1.41
>-+++ src/master/auth-process.c	15 Apr 2003 17:37:27 -0000
>-@@ -307,7 +307,7 @@ static pid_t create_auth_process(struct 
>- 
>- 	/* setup access environment */
>- 	restrict_access_set_env(group->set->user, pwd->pw_uid, pwd->pw_gid,
>--				group->set->chroot);
>-+				group->set->chroot, set->allow_zero_gid);
>- 
>- 	/* set other environment */
>- 	env_put(t_strconcat("AUTH_PROCESS=", dec2str(getpid()), NULL));
>-Index: src/master/login-process.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/login-process.c,v
>-retrieving revision 1.40
>-diff -u -3 -p -r1.40 login-process.c
>---- src/master/login-process.c	15 Apr 2003 16:58:48 -0000	1.40
>-+++ src/master/login-process.c	15 Apr 2003 17:37:27 -0000
>-@@ -384,7 +384,8 @@ static void login_process_init_env(struc
>- 	   clean_child_process() since it clears environment */
>- 	restrict_access_set_env(group->set->user,
>- 				group->set->uid, set->login_gid,
>--				set->login_chroot ? set->login_dir : NULL);
>-+				set->login_chroot ? set->login_dir : NULL,
>-+				FALSE);
>- 
>- 	env_put("DOVECOT_MASTER=1");
>- 
>-Index: src/master/mail-process.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/mail-process.c,v
>-retrieving revision 1.13
>-diff -u -3 -p -r1.13 mail-process.c
>---- src/master/mail-process.c	15 Apr 2003 16:58:48 -0000	1.13
>-+++ src/master/mail-process.c	15 Apr 2003 17:37:28 -0000
>-@@ -25,7 +25,7 @@ static int validate_uid_gid(uid_t uid, g
>- 		return FALSE;
>- 	}
>- 
>--	if (uid != 0 && gid == 0) {
>-+	if (set->allow_zero_gid == FALSE && uid != 0 && gid == 0) {
>- 		i_error("mail process isn't allowed to be in group 0");
>- 		return FALSE;
>- 	}
>-@@ -38,8 +38,9 @@ static int validate_uid_gid(uid_t uid, g
>- 		return FALSE;
>- 	}
>- 
>--	if (gid < (gid_t)set->first_valid_gid ||
>--	    (set->last_valid_gid != 0 && gid > (gid_t)set->last_valid_gid)) {
>-+	if (set->allow_zero_gid == FALSE &&
>-+	    (gid < (gid_t)set->first_valid_gid ||
>-+	    (set->last_valid_gid != 0 && gid > (gid_t)set->last_valid_gid))) {
>- 		i_error("mail process isn't allowed to use "
>- 			"GID %s (UID is %s)", dec2str(gid), dec2str(uid));
>- 		return FALSE;
>-@@ -150,7 +151,8 @@ int create_mail_process(int socket, stru
>- 	   (paranoia about filling up environment without noticing) */
>- 	restrict_access_set_env(data + reply->system_user_idx,
>- 				reply->uid, reply->gid,
>--				reply->chroot ? data + reply->home_idx : NULL);
>-+				reply->chroot ? data + reply->home_idx : NULL,
>-+				set->allow_zero_gid);
>- 
>- 	restrict_process_size(process_size, (unsigned int)-1);
>- 
>-Index: src/master/master-settings.c
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/master-settings.c,v
>-retrieving revision 1.16
>-diff -u -3 -p -r1.16 master-settings.c
>---- src/master/master-settings.c	2 Apr 2003 02:09:41 -0000	1.16
>-+++ src/master/master-settings.c	15 Apr 2003 17:37:28 -0000
>-@@ -46,6 +46,7 @@ static struct setting_def setting_defs[]
>- 	DEF(SET_INT, max_mail_processes),
>- 	DEF(SET_BOOL, verbose_proctitle),
>- 
>-+	DEF(SET_BOOL, allow_zero_gid),
>- 	DEF(SET_INT, first_valid_uid),
>- 	DEF(SET_INT, last_valid_uid),
>- 	DEF(SET_INT, first_valid_gid),
>-@@ -153,6 +154,7 @@ struct settings default_settings = {
>- 	MEMBER(max_mail_processes) 1024,
>- 	MEMBER(verbose_proctitle) FALSE,
>- 
>-+	MEMBER(allow_zero_gid) FALSE,
>- 	MEMBER(first_valid_uid) 500,
>- 	MEMBER(last_valid_uid) 0,
>- 	MEMBER(first_valid_gid) 1,
>-Index: src/master/master-settings.h
>-===================================================================
>-RCS file: /home/cvs/dovecot/src/master/master-settings.h,v
>-retrieving revision 1.10
>-diff -u -3 -p -r1.10 master-settings.h
>---- src/master/master-settings.h	2 Apr 2003 02:09:41 -0000	1.10
>-+++ src/master/master-settings.h	15 Apr 2003 17:37:29 -0000
>-@@ -32,6 +32,7 @@ struct settings {
>- 	unsigned int max_mail_processes;
>- 	int verbose_proctitle;
>- 
>-+	int allow_zero_gid;
>- 	unsigned int first_valid_uid, last_valid_uid;
>- 	unsigned int first_valid_gid, last_valid_gid;
>- 
>diff -ruN --exclude=CVS /home/dom/dovecot/files/patch-dovecot-example.conf /usr/ports/mail/dovecot/files/patch-dovecot-example.conf
>--- /home/dom/dovecot/files/patch-dovecot-example.conf	Sat May  3 22:50:26 2003
>+++ /usr/ports/mail/dovecot/files/patch-dovecot-example.conf	Thu Jun 26 22:37:52 2003
>@@ -1,5 +1,5 @@
>---- dovecot-example.conf.orig	Fri Apr  4 13:17:25 2003
>-+++ dovecot-example.conf	Sat Apr 19 14:11:40 2003
>+--- dovecot-example.conf.orig	Thu Jun 26 17:11:06 2003
>++++ dovecot-example.conf	Thu Jun 26 22:36:08 2003
> @@ -7,11 +7,11 @@
>  # --with-ssldir=/etc/ssl
>  
>@@ -58,9 +58,9 @@
> -#login_executable = /usr/libexec/dovecot/imap-login
> +login_executable = %%PREFIX%%/libexec/dovecot/imap-login
>  
>- # User to use for the login process. The user must belong to a group where
>- # only it has access, it's used to control access for authentication process
>- # named sockets.
>+ # User to use for the login process. Create a completely new user for this,
>+ # and don't use it anywhere else. The user must also belong to a group where
>+ # only it has access, it's used to control access for authentication process.
> -#login_user = dovecot
> +login_user = dovecot
>  
>@@ -95,9 +95,18 @@
> -#verbose_ssl = no
> +verbose_ssl = yes
>  
>- # Valid UID/GID ranges for users, defaults to 500 and above. This is mostly
>+ # Valid UID range for users, defaults to 500 and above. This is mostly
>  # to make sure that users can't log in as daemons or other system users.
>-@@ -160,7 +160,7 @@
>+@@ -155,7 +155,7 @@
>+ # non-valid GID as primary group ID aren't allowed to log in. If user
>+ # belongs to supplementary groups with non-valid GIDs, those groups are
>+ # not set.
>+-#first_valid_gid = 1
>++first_valid_gid = 0
>+ #last_valid_gid = 0
>+ 
>+ # ':' separated list of directories under which chrooting is allowed for mail
>+@@ -164,7 +164,7 @@
>  # WARNING: Never add directories here which local users can modify, that
>  # may lead to root exploit. Usually this should be done only if you don't
>  # allow shell access for users. See doc/configuration.txt for more information.
>@@ -106,7 +115,7 @@
>  
>  # Default MAIL environment to use when it's not set. By leaving this empty
>  # dovecot tries to do some automatic detection as described in
>-@@ -179,7 +179,7 @@
>+@@ -183,7 +183,7 @@
>  #   mbox:~/mail/:INBOX=/var/mail/%u
>  #   mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
>  #
>@@ -115,7 +124,7 @@
>  
>  # Space-separated list of fields to cache for all mails. Currently these
>  # fields are allowed followed by a list of commands they speed up:
>-@@ -224,7 +224,7 @@
>+@@ -228,7 +228,7 @@
>  #     arrives in half a hour, Dovecot closes the connection. This is still
>  #     fine, except Outlook doesn't connect back so you don't see if new mail
>  #     arrives.
>@@ -124,7 +133,7 @@
>  
>  # Dovecot can notify client of new mail in selected mailbox soon after it's
>  # received. This setting specifies the minimum interval in seconds between
>-@@ -249,7 +249,7 @@
>+@@ -253,7 +253,7 @@
>  # Save mails with CR+LF instead of plain LF. This makes sending those mails
>  # take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
>  # But it also creates a bit more disk I/O which may just make it slower.
>@@ -133,7 +142,7 @@
>  
>  # Use mmap() instead of read() to read mail files. read() seems to be a bit
>  # faster with my Linux/x86 and it's better with NFS, so that's the default.
>-@@ -261,7 +261,7 @@
>+@@ -265,7 +265,7 @@
>  # know any MUA which would modify mail files directly. IMAP protocol also
>  # requires that the mails don't change, so it would be problematic in any case.
>  # If you care about performance, enable it.
>@@ -142,7 +151,7 @@
>  
>  # Check if mails' content has been changed by external programs. This slows
>  # down things as extra stat() needs to be called for each file. If changes are
>-@@ -280,7 +280,7 @@
>+@@ -284,7 +284,7 @@
>  # with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
>  # and flock. Some operating systems don't allow using both of them
>  # simultaneously, eg. BSDs. If dotlock is used, it's always created first.
>@@ -151,7 +160,7 @@
>  
>  # Should we create dotlock file even when we want only a read-lock? Setting
>  # this to yes hurts the performance when the mailbox is accessed simultaneously
>-@@ -310,7 +310,7 @@
>+@@ -314,7 +314,7 @@
>  ##
>  
>  # Executable location
>@@ -160,7 +169,15 @@
>  
>  # Set max. process size in megabytes. Most of the memory goes to mmap()ing
>  # files, so it shouldn't harm much even if this limit is set pretty high.
>-@@ -321,7 +321,7 @@
>+@@ -322,14 +322,14 @@
>+ 
>+ # Support for dynamically loadable modules.
>+ #imap_use_modules = no
>+-#imap_modules = /usr/lib/dovecot/imap
>++#imap_modules = %%PREFIX%%/lib/dovecot/imap
>+ 
>+ ##
>+ ## POP3 process
>  ##
>  
>  # Executable location
>@@ -169,7 +186,16 @@
>  
>  # Set max. process size in megabytes. Most of the memory goes to mmap()ing
>  # files, so it shouldn't harm much even if this limit is set pretty high.
>-@@ -374,10 +374,10 @@
>+@@ -337,7 +337,7 @@
>+ 
>+ # Support for dynamically loadable modules.
>+ #pop3_use_modules = no
>+-#pop3_modules = /usr/lib/dovecot/pop3
>++#pop3_modules = %%PREFIX%%/lib/dovecot/pop3
>+ 
>+ ##
>+ ## Authentication processes
>+@@ -386,10 +386,10 @@
>  #   vpopmail: vpopmail authentication
>  #   ldap <config path>: LDAP, see doc/dovecot-ldap.conf
>  #   pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf
>@@ -182,7 +208,16 @@
>  
>  # Set max. process size in megabytes.
>  #auth_process_size = 256
>-@@ -402,7 +402,7 @@
>+@@ -397,7 +397,7 @@
>+ # User to use for the process. This user needs access to only user and
>+ # password databases, nothing else. Only shadow and pam authentication
>+ # requires roots, so use something else if possible.
>+-auth_user = root
>++auth_user = dovecot
>+ 
>+ # Directory where to chroot the process. Most authentication backends don't
>+ # work if this is set, and there's no point chrooting if auth_user is root.
>+@@ -418,7 +418,7 @@
>  
>  # More verbose logging. Useful for figuring out why authentication isn't
>  # working.

Actions: View | Diff

Attachments on bug 53796: 32602