Attachment #68679 for bug #100897

View | Details | Raw Unified | Return to bug 100897
Collapse All | Expand All




# $FreeBSD: ports/security/courierpasswd/Makefile,v 1.2 2006/06/17 15:42:01 stefan Exp $

PORTNAME=	courierpasswd
PORTVERSION=	1.1.2
CATEGORIES=	security mail
MASTER_SITES=	http://www.arda.homeunix.net/store/


GNU_CONFIGURE=	yes
USE_GMAKE=	yes
CPPFLAGS+=	-I${LOCALBASE}/include
LDFLAGS+=	-L${LOCALBASE}/lib
CONFIGURE_ENV=	CPPFLAGS='${CPPFLAGS}' LDFLAGS='${LDFLAGS}'

MINUID?=	100

CONFIGURE_TARGET=	--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
CONFIGURE_ARGS+=	--with-minuid=${MINUID}

PLIST_FILES=	sbin/courierpasswd
MAN8=		courierpasswd.8

pre-fetch:

	@${ECHO} ""
	@${ECHO} "#############################################################"
	@${ECHO} ""

post-install:
.if !defined(NOPORTDOCS)
	${MKDIR} ${DOCSDIR}
	${INSTALL_DATA} ${WRKSRC}/AUTHORS ${DOCSDIR}
	${INSTALL_DATA} ${WRKSRC}/ChangeLog ${DOCSDIR}
	${INSTALL_DATA} ${WRKSRC}/COPYING ${DOCSDIR}
	${INSTALL_DATA} ${WRKSRC}/INSTALL ${DOCSDIR}
	${INSTALL_DATA} ${WRKSRC}/NEWS ${DOCSDIR}
	${INSTALL_DATA} ${WRKSRC}/README ${DOCSDIR}

	@${CAT} ${PKGMESSAGE}
.endif

.include <bsd.port.mk>

Lines 1-3 Link Here

(-)/usr/ports/security/courierpasswd.new/distinfo (-3 / +3 lines)
1	MD5 (courierpasswd-1.1.1.tar.gz) = b4ada51affabdf74cef1a028b9ffea5f	1	MD5 (courierpasswd-1.1.2.tar.gz) = 8eedd09643667eafea83d5559dc5a2f5
2	SHA256 (courierpasswd-1.1.1.tar.gz) = f7ba0da967ddf82cf6083604666b42dfe4dd15ccf634674e103cbf6ff3a24f15	2	SHA256 (courierpasswd-1.1.2.tar.gz) = 61005dd23fe7086b070143dd1f7678a850909a68a43f2adaa9c9615e61b94f19
3	SIZE (courierpasswd-1.1.1.tar.gz) = 288765	3	SIZE (courierpasswd-1.1.2.tar.gz) = 287202





#########################################################################
NOTES FOR RUNNING COURIERPASSWD

In order to use courierpasswd, it must be able to access the
authdaemon domain socket, named 'socket'. When courierpasswd runs as
root, this presents no problem. However, if you need to run courierpasswd
as a non-root user, you have three options, all of which require some
manual work.

Option 1: Add the user courierpasswd will run as to the group that
owns the authdaemon socket directory in /etc/group. More than one user
can be added to the group vector in this way. This arrangement works
well if courierpasswd will be run by only a small number of users.
If the authdaemon socket directory is owned by courier:courier and you
run courierpasswd as user vmail, your /etc/group file will have a line
something like this:

    courier:x:465:vmail

Option 2: Some programs, such as tcpserver, allow you to separately set
the uid and gid of programs they call but don't honour the group vector
found in /etc/group. If you invoke courierpasswd from such a program,
set the gid to the group ownership of the authdaemon socket directory.
For tcpserver, you could do something like this:

    #!/bin/sh

    QMAILUID=`/usr/bin/id -u qmaild`
    COURIERGID=`/usr/bin/id -g courier`

    exec /usr/local/bin/tcpserver -u "$QMAILUID" -g "$COURIERGID" \
    0 smtp /var/qmail/bin/qmail-smtpd /usr/local/sbin/courierpasswd -- \
    /usr/bin/true 2>&1

Option 3: Change the permissions on courierpasswd to set gid to the
group ownership of the socket directory. Again, if the socket directory
is owned by courier:courier, change the ownership and permissions
of courierpasswd like so:

    chgrp courier courierpasswd
    chmod g+s courierpasswd

Be aware that courierpasswd does not provide any max-failed-retry
functionality so it is possible for local users to perform dictionary
attacks against account passwords if courierpasswd is set up this way.

The location of the authdaemon domain socket is listed in the
authdaemonrc configuration file as the parameter authdaemonvar.

#########################################################################


Line 0 Link Here

(-)/usr/ports/security/courierpasswd.new/pkg-plist (+8 lines)
	1	sbin/courierpasswd
	2	%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
	3	%%PORTDOCS%%%%DOCSDIR%%/ChangeLog
	4	%%PORTDOCS%%%%DOCSDIR%%/COPYING
	5	%%PORTDOCS%%%%DOCSDIR%%/INSTALL
	6	%%PORTDOCS%%%%DOCSDIR%%/NEWS
	7	%%PORTDOCS%%%%DOCSDIR%%/README
	8	%%PORTDOCS%%@dirrm %%DOCSDIR%%

Return to bug 100897

Lines 5-11 Link Here

(-)/usr/ports/security/courierpasswd.new/Makefile (-3 / +15 lines)
5	# $FreeBSD: ports/security/courierpasswd/Makefile,v 1.2 2006/06/17 15:42:01 stefan Exp $	5	# $FreeBSD: ports/security/courierpasswd/Makefile,v 1.2 2006/06/17 15:42:01 stefan Exp $
6		6
7	PORTNAME= courierpasswd	7	PORTNAME= courierpasswd
8	PORTVERSION= 1.1.1	8	PORTVERSION= 1.1.2
9	CATEGORIES= security mail	9	CATEGORIES= security mail
10	MASTER_SITES= http://www.arda.homeunix.net/store/	10	MASTER_SITES= http://www.arda.homeunix.net/store/
11		11
Lines 18-24 Link Here
18	GNU_CONFIGURE= yes	18	GNU_CONFIGURE= yes
19	USE_GMAKE= yes	19	USE_GMAKE= yes
20	CPPFLAGS+= -I${LOCALBASE}/include	20	CPPFLAGS+= -I${LOCALBASE}/include
21	LDFLAGS+= -L${LOCALBASE}/lib -lintl	21	LDFLAGS+= -L${LOCALBASE}/lib
22	CONFIGURE_ENV= CPPFLAGS='${CPPFLAGS}' LDFLAGS='${LDFLAGS}'	22	CONFIGURE_ENV= CPPFLAGS='${CPPFLAGS}' LDFLAGS='${LDFLAGS}'
23		23
24	MINUID?= 100	24	MINUID?= 100
Lines 26-32 Link Here
26	CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL}	26	CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
27	CONFIGURE_ARGS+= --with-minuid=${MINUID}	27	CONFIGURE_ARGS+= --with-minuid=${MINUID}
28		28
29	PLIST_FILES= sbin/courierpasswd
30	MAN8= courierpasswd.8	29	MAN8= courierpasswd.8
31		30
32	pre-fetch:	31	pre-fetch:
Lines 41-45 Link Here
41	@${ECHO} ""	40	@${ECHO} ""
42	@${ECHO} "#############################################################"	41	@${ECHO} "#############################################################"
43	@${ECHO} ""	42	@${ECHO} ""
		43
		44	post-install:
		45	.if !defined(NOPORTDOCS)
		46	${MKDIR} ${DOCSDIR}
		47	${INSTALL_DATA} ${WRKSRC}/AUTHORS ${DOCSDIR}
		48	${INSTALL_DATA} ${WRKSRC}/ChangeLog ${DOCSDIR}
		49	${INSTALL_DATA} ${WRKSRC}/COPYING ${DOCSDIR}
		50	${INSTALL_DATA} ${WRKSRC}/INSTALL ${DOCSDIR}
		51	${INSTALL_DATA} ${WRKSRC}/NEWS ${DOCSDIR}
		52	${INSTALL_DATA} ${WRKSRC}/README ${DOCSDIR}
		53
		54	@${CAT} ${PKGMESSAGE}
		55	.endif
44		56
45	.include <bsd.port.mk>	57	.include <bsd.port.mk>

Line 0 Link Here

(-)/usr/ports/security/courierpasswd.new/pkg-message (+52 lines)
	1
	2	#########################################################################
	3	NOTES FOR RUNNING COURIERPASSWD
	4
	5	In order to use courierpasswd, it must be able to access the
	6	authdaemon domain socket, named 'socket'. When courierpasswd runs as
	7	root, this presents no problem. However, if you need to run courierpasswd
	8	as a non-root user, you have three options, all of which require some
	9	manual work.
	10
	11	Option 1: Add the user courierpasswd will run as to the group that
	12	owns the authdaemon socket directory in /etc/group. More than one user
	13	can be added to the group vector in this way. This arrangement works
	14	well if courierpasswd will be run by only a small number of users.
	15	If the authdaemon socket directory is owned by courier:courier and you
	16	run courierpasswd as user vmail, your /etc/group file will have a line
	17	something like this:
	18
	19	courier:x:465:vmail
	20
	21	Option 2: Some programs, such as tcpserver, allow you to separately set
	22	the uid and gid of programs they call but don't honour the group vector
	23	found in /etc/group. If you invoke courierpasswd from such a program,
	24	set the gid to the group ownership of the authdaemon socket directory.
	25	For tcpserver, you could do something like this:
	26
	27	#!/bin/sh
	28
	29	QMAILUID=`/usr/bin/id -u qmaild`
	30	COURIERGID=`/usr/bin/id -g courier`
	31
	32	exec /usr/local/bin/tcpserver -u "$QMAILUID" -g "$COURIERGID" \
	33	0 smtp /var/qmail/bin/qmail-smtpd /usr/local/sbin/courierpasswd -- \
	34	/usr/bin/true 2>&1
	35
	36	Option 3: Change the permissions on courierpasswd to set gid to the
	37	group ownership of the socket directory. Again, if the socket directory
	38	is owned by courier:courier, change the ownership and permissions
	39	of courierpasswd like so:
	40
	41	chgrp courier courierpasswd
	42	chmod g+s courierpasswd
	43
	44	Be aware that courierpasswd does not provide any max-failed-retry
	45	functionality so it is possible for local users to perform dictionary
	46	attacks against account passwords if courierpasswd is set up this way.
	47
	48	The location of the authdaemon domain socket is listed in the
	49	authdaemonrc configuration file as the parameter authdaemonvar.
	50
	51	#########################################################################
	52