rpms/spamass-milter/EL-5 spamass-milter-0.3.1-group.patch, NONE, 1.1 spamass-milter-0.3.1-popen.patch, NONE, 1.1 spamass-milter-0.3.1-prototype.patch, NONE, 1.1 spamass-milter-0.3.1-rcvd.patch, NONE, 1.1 spamass-milter.README.Postfix, NONE, 1.1 .cvsignore, 1.3, 1.4 sources, 1.3, 1.4 spamass-milter.spec, 1.11, 1.12 spamass-milter.sysconfig, 1.1, 1.2 spamass-milter.sysv, 1.1, 1.2
Paul Howarth
pghmcfc at fedoraproject.org
Mon Mar 22 16:14:49 UTC 2010
Author: pghmcfc
Update of /cvs/pkgs/rpms/spamass-milter/EL-5
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv22929/EL-5
Modified Files:
.cvsignore sources spamass-milter.spec
spamass-milter.sysconfig spamass-milter.sysv
Added Files:
spamass-milter-0.3.1-group.patch
spamass-milter-0.3.1-popen.patch
spamass-milter-0.3.1-prototype.patch
spamass-milter-0.3.1-rcvd.patch spamass-milter.README.Postfix
Log Message:
* Fri Mar 12 2010 Paul Howarth <paul at city-fan.org> 0.3.1-17
- Update initscript to support running the milter as root, which is needed
for the -x (expand aliases) option; note that the milter does not run as
root by default
- Add patch for popen unsanitized input vulnerability
(#572117, #572119, https://savannah.nongnu.org/bugs/?29136)
- Rebase authuser patch
- Update patch adding auth info to dummy Received-header so that it doesn't
generate spurious warnings about missing macros (#532266), and update and
merge the macro documentation patch into this patch
- Document patch usage in spec file
spamass-milter-0.3.1-group.patch:
spamass-milter.1.in | 7 +++++++
spamass-milter.cpp | 31 ++++++++++++++++++++++++++++++-
2 files changed, 37 insertions(+), 1 deletion(-)
--- NEW FILE spamass-milter-0.3.1-group.patch ---
--- spamass-milter-0.3.1/spamass-milter.cpp.group 2006-03-23 22:41:36.000000000 +0100
+++ spamass-milter-0.3.1/spamass-milter.cpp 2008-06-19 18:04:05.000000000 +0200
@@ -89,6 +89,8 @@
#endif
#include <errno.h>
+#include <grp.h>
+
// C++ includes
#include <cstdio>
#include <cstddef>
@@ -181,8 +183,9 @@
main(int argc, char* argv[])
{
int c, err = 0;
- const char *args = "fd:mMp:P:r:u:D:i:b:B:e:x";
+ const char *args = "fd:mMp:P:r:u:D:i:b:B:e:xg:";
char *sock = NULL;
+ char *group = NULL;
bool dofork = false;
char *pidfilename = NULL;
FILE *pidfile = NULL;
@@ -225,6 +228,9 @@
case 'p':
sock = strdup(optarg);
break;
+ case 'g':
+ group = strdup(optarg);
+ break;
case 'P':
pidfilename = strdup(optarg);
break;
@@ -284,6 +290,7 @@
cout << " [-P pidfile] [-r nn] [-u defaultuser] [-x]" << endl;
cout << " [-- spamc args ]" << endl;
cout << " -p socket: path to create socket" << endl;
+ cout << " -g group: socket group (perms to 750 as well)" << endl;
cout << " -b bucket: redirect spam to this mail address. The orignal" << endl;
cout << " recipient(s) will not receive anything." << endl;
cout << " -B bucket: add this mail address as a BCC recipient of spam." << endl;
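Review bot: The new -g usage line says "perms to 750 as well", but the code added by this same patch calls chmod(sock, 0660). The help text should state the mode that is actually applied.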
@@ -350,6 +357,28 @@
} else {
debug(D_MISC, "smfi_register succeeded");
}
+
+ if(group) {
+ struct group *gr;
+
+ (void) smfi_opensocket(0);
+ gr = getgrnam(group);
+ if(gr) {
+ int rc;
+ rc = chown(sock, (uid_t)-1, gr->gr_gid);
+ if(! rc) {
+ (void) chmod(sock, 0660);
+ } else {
+ perror("group option, chmod");
+ exit(EX_NOPERM);
+ }
+ } else {
+ perror("group option, getgrnam");
+ exit(EX_NOUSER);
+ }
+ }
+
+
debug(D_ALWAYS, "spamass-milter %s starting", PACKAGE_VERSION);
err = smfi_main();
debug(D_ALWAYS, "spamass-milter %s exiting", PACKAGE_VERSION);
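Review bot: In the if(group) block the error paths are mislabelled and partly unchecked. A failed chown() is reported with perror("group option, chmod"), the chmod() result is discarded with (void), and the return value of smfi_opensocket(0) is ignored, so chown() can run against a socket that was never created. getgrnam() returning NULL for an unknown group does not necessarily set errno, so perror() on that path may print an unrelated message; printing the group name would be more useful. Suggest checking smfi_opensocket() against MI_FAILURE, checking chmod() the same way as chown(), and labelling each perror() with the call that failed.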
--- spamass-milter-0.3.1/spamass-milter.1.in.group 2008-07-03 14:11:46.000000000 +0100
+++ spamass-milter-0.3.1/spamass-milter.1.in 2008-07-03 14:18:17.000000000 +0100
@@ -13,6 +13,7 @@
.Op Fl D Ar host
.Op Fl e Ar defaultdomain
.Op Fl f
+.Op Fl g Ar group
.Op Fl i Ar networks
.Op Fl m
.Op Fl M
@@ -107,6 +108,12 @@
Causes
.Nm
to fork into the background.
+.It Fl g Ar group
+Makes the socket for communication with the MTA group-writable (mode 0750)
+and sets the socket's group to
+.Ar group .
+This option is intended for use with MTA's like Postfix that do not run as
+root, and is incompatible with Sendmail usage.
.It Fl i Ar networks
Ignores messages if the originating IP is in the network(s) listed.
The message will be passed through without calling SpamAssassin at all.
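Review bot: The -g entry describes the socket as "group-writable (mode 0750)", but 0750 has no group write bit and the code sets the mode with chmod(sock, 0660); the man page should say 0660. Minor: "MTA's" should read "MTAs".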
spamass-milter-0.3.1-popen.patch:
spamass-milter.cpp | 162 +++++++++++++++++++++++++++--------------------------
spamass-milter.h | 1
2 files changed, 86 insertions(+), 77 deletions(-)
--- NEW FILE spamass-milter-0.3.1-popen.patch ---
Index: spamass-milter.cpp
===================================================================
RCS file: /cvsroot/spamass-milt/spamass-milt/spamass-milter.cpp,v
retrieving revision 1.91
diff -u -r1.91 spamass-milter.cpp
--- spamass-milter.cpp 24 Jul 2006 19:59:17 -0000 1.91
+++ spamass-milter.cpp 10 Mar 2010 18:52:22 -0000
@@ -171,10 +171,6 @@
bool flag_expand = false; /* alias/virtusertable expansion */
bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */
-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
-static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER;
-#endif
-
// {{{ main()
int
@@ -461,59 +457,24 @@
send another copy. The milter API will not let you send the
message AND return a failure code to the sender, so this is
the only way to do it. */
-#if defined(__FreeBSD__)
- int rv;
-#endif
-
-#if defined(HAVE_ASPRINTF)
- char *buf;
-#else
- char buf[1024];
-#endif
- char *fmt="%s \"%s\"";
+ char *popen_argv[3];
FILE *p;
-#if defined(HAVE_ASPRINTF)
- asprintf(&buf, fmt, SENDMAIL, spambucket);
-#else
-#if defined(HAVE_SNPRINTF)
- snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
-#else
- /* XXX possible buffer overflow here */
- sprintf(buf, fmt, SENDMAIL, spambucket);
-#endif
-#endif
-
- debug(D_COPY, "calling %s", buf);
-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
- rv = pthread_mutex_lock(&popen_mutex);
- if (rv)
- {
- debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
- abort();
- }
-#endif
- p = popen(buf, "w");
+ popen_argv[0] = SENDMAIL;
+ popen_argv[1] = spambucket;
+ popen_argv[2] = NULL;
+
+ debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
+ p = popenv(popen_argv, "w");
if (!p)
{
- debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno));
+ debug(D_COPY, "popenv failed(%s). Will not send a copy to spambucket", strerror(errno));
} else
{
// Send message provided by SpamAssassin
fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
- pclose(p); p = NULL;
+ fclose(p); p = NULL;
}
-#if defined(__FreeBSD__)
- rv = pthread_mutex_unlock(&popen_mutex);
- if (rv)
- {
- debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
- abort();
- }
-#endif
-#if defined(HAVE_ASPRINTF)
- free(buf);
-#endif
}
return SMFIS_REJECT;
}
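Review bot: In the spambucket branch the pipe is now closed with fclose(p) where it used pclose(p), and the fwrite() result is still unchecked, so a copy that sendmail never accepted cannot be told apart from success while the message is rejected with SMFIS_REJECT. If execv() fails in the child (exit 127), the parent writes into a pipe with no reader; confirm that SIGPIPE is ignored or handled, check the fwrite() and fclose() results, and log failures at D_COPY.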
@@ -842,30 +803,19 @@
/* open a pipe to sendmail so we can do address expansion */
char buf[1024];
- char *fmt="%s -bv \"%s\" 2>&1";
-
-#if defined(HAVE_SNPRINTF)
- snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
-#else
- /* XXX possible buffer overflow here */
- sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
-#endif
+ char *popen_argv[4];
+
+ popen_argv[0] = SENDMAIL;
+ popen_argv[1] = "-bv";
+ popen_argv[2] = envrcpt[0];
+ popen_argv[3] = NULL;
- debug(D_RCPT, "calling %s", buf);
+ debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
- rv = pthread_mutex_lock(&popen_mutex);
- if (rv)
- {
- debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
- abort();
- }
-#endif
-
- p = popen(buf, "r");
+ p = popenv(popen_argv, "r");
if (!p)
{
- debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
+ debug(D_RCPT, "popenv failed(%s). Will not expand aliases", strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);
} else
{
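Review bot: envrcpt[0] goes into popen_argv[2] as a bare positional argument, so the shell is out of the picture but a recipient string beginning with '-' would still be parsed by SENDMAIL as an option. Suggest adding a "--" element between "-bv" and envrcpt[0] and growing popen_argv to 5 entries. Also, popen_argv[1] = "-bv" assigns a string literal to a char *, which C++ compilers warn about; a const-correct argv type or an explicit writable buffer would avoid that.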
@@ -890,16 +840,8 @@
assassin->expandedrcpt.push_back(p+7);
}
}
- pclose(p); p = NULL;
+ fclose(p); p = NULL;
}
-#if defined(__FreeBSD__)
- rv = pthread_mutex_unlock(&popen_mutex);
- if (rv)
- {
- debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
- abort();
- }
-#endif
} else
{
assassin->expandedrcpt.push_back(envrcpt[0]);
@@ -2157,5 +2099,71 @@
warnedmacro = true;
}
+/*
+ untrusted-argument-safe popen function - only supports "r" and "w" modes
+ for simplicity, and always reads stdout and stderr in "r" mode. Call
+ fclose to close the FILE.
+*/
+FILE *popenv(char *const argv[], const char *type)
+{
+ FILE *iop;
+ int pdes[2];
+ int save_errno;
+ if ((*type != 'r' && *type != 'w') || type[1])
+ {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (pipe(pdes) < 0)
+ return (NULL);
+ switch (fork()) {
+
+ case -1: /* Error. */
+ save_errno = errno;
+ (void)close(pdes[0]);
+ (void)close(pdes[1]);
+ errno = save_errno;
+ return (NULL);
+ /* NOTREACHED */
+ case 0: /* Child. */
+ if (*type == 'r') {
+ /*
+ * The dup2() to STDIN_FILENO is repeated to avoid
+ * writing to pdes[1], which might corrupt the
+ * parent's copy. This isn't good enough in
+ * general, since the exit() is no return, so
+ * the compiler is free to corrupt all the local
+ * variables.
+ */
+ (void)close(pdes[0]);
+ (void)dup2(pdes[1], STDOUT_FILENO);
+ (void)dup2(pdes[1], STDERR_FILENO);
+ if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
+ (void)close(pdes[1]);
+ }
+ } else {
+ if (pdes[0] != STDIN_FILENO) {
+ (void)dup2(pdes[0], STDIN_FILENO);
+ (void)close(pdes[0]);
+ }
+ (void)close(pdes[1]);
+ }
+ execv(argv[0], argv);
+ exit(127);
+ /* NOTREACHED */
+ }
+
+ /* Parent; assume fdopen can't fail. */
+ if (*type == 'r') {
+ iop = fdopen(pdes[0], type);
+ (void)close(pdes[1]);
+ } else {
+ iop = fdopen(pdes[1], type);
+ (void)close(pdes[0]);
+ }
+
+ return (iop);
+}
+
// }}}
// vim6:ai:noexpandtab
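Review bot: popenv() discards the pid returned by fork(), and its header comment tells callers to use fclose(), so nothing ever calls waitpid() for the child; each call leaves a zombie unless SIGCHLD is ignored elsewhere. Suggest recording the pid and providing a matching close function that waits for it and returns the exit status. In the child, exit(127) after a failed execv() runs atexit handlers and flushes stdio buffers inherited from the threaded parent; _exit(127) is the safe call. The "assume fdopen can't fail" path leaks the descriptor and leaves the child running if fdopen() returns NULL, the dup2() results are unchecked, and the comment in the 'r' branch about repeating dup2() to STDIN_FILENO does not match the code, which dups to STDOUT_FILENO and STDERR_FILENO.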
Index: spamass-milter.h
===================================================================
RCS file: /cvsroot/spamass-milt/spamass-milt/spamass-milter.h,v
retrieving revision 1.23
diff -u -r1.23 spamass-milter.h
--- spamass-milter.h 7 Apr 2005 02:04:24 -0000 1.23
+++ spamass-milter.h 10 Mar 2010 18:52:22 -0000
@@ -186,5 +186,6 @@
void parse_debuglevel(char* string);
char *strlwr(char *str);
void warnmacro(char *macro, char *scope);
+FILE *popenv(char *const argv[], const char *type);
#endif
spamass-milter-0.3.1-prototype.patch:
spamass-milter.cpp | 2 ++
1 file changed, 2 insertions(+)
--- NEW FILE spamass-milter-0.3.1-prototype.patch ---
Tentative upstream patch (spamass-milter-0.3.1-popen.patch)
for #572119 is missing a function prototype for the new
popenv() function.
--- spamass-milter-0.3.1/spamass-milter.cpp 2010-03-18 15:41:48.289366915 +0000
+++ spamass-milter-0.3.1/spamass-milter.cpp 2010-03-18 15:45:26.753239751 +0000
@@ -127,6 +127,8 @@
#define INADDR_LOOPBACK 0x7F000001
#endif
+FILE *popenv(char *const argv[], const char *type);
+
// }}}
static const char Id[] = "$Id: spamass-milter.cpp,v 1.90 2006/03/23 21:41:36 dnelson Exp $";
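Review bot: This declaration of popenv() in spamass-milter.cpp duplicates the prototype that spamass-milter-0.3.1-popen.patch already adds to spamass-milter.h. The patch description should say why the header declaration is not visible at the call sites; otherwise one of the two should be dropped so the signature lives in a single place and cannot drift.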
spamass-milter-0.3.1-rcvd.patch:
spamass-milter.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE spamass-milter-0.3.1-rcvd.patch ---
--- spamass-milter-0.3.1/spamass-milter.cpp.ori 2006-03-23 15:41:36.000000000 -0600
+++ spamass-milter-0.3.1/spamass-milter.cpp 2009-04-20 20:03:31.000000000 -0500
@@ -1002,9 +1002,9 @@
assassin->output((string)
"Received: from "+macro_s+" ("+macro__+")\r\n\t"+
- "by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+
+ "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+
macro_b+"\r\n\t"+
- "(envelope-from "+assassin->from()+"\r\n");
+ "(envelope-from "+assassin->from()+")\r\n");
} else
assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n");
--- NEW FILE spamass-milter.README.Postfix ---
Installing the spamass-milter-postfix package changes the default behaviour
of the spamass-milter initscript to be more Postfix-friendly, i.e.:
The Unix-domain socket used for MTA communication is changed to
%{_localstatedir}/run/spamass-milter/postfix/sock, and that socket is
writable by the postfix group.
To configure Postfix to use the milter, add to /etc/postfix/main.cf:
smtpd_milters = unix:%{_localstatedir}/run/spamass-milter/postfix/sock
For further information, see:
http://www.postfix.org/MILTER_README.html
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/EL-5/.cvsignore,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- .cvsignore 6 Apr 2006 13:10:15 -0000 1.3
+++ .cvsignore 22 Mar 2010 16:14:46 -0000 1.4
@@ -1 +1 @@
-spamass-milter-0.3.1.tar.gz
+spamass-milter-0.3.1.tar.bz2
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/EL-5/sources,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- sources 6 Apr 2006 13:10:15 -0000 1.3
+++ sources 22 Mar 2010 16:14:47 -0000 1.4
@@ -1 +1 @@
-ca6bf6a9c88db74a6bfea41f499c0ba6 spamass-milter-0.3.1.tar.gz
+5f3a441de032c7c044cbb7b922311f1b spamass-milter-0.3.1.tar.bz2
Index: spamass-milter.spec
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/EL-5/spamass-milter.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -p -r1.11 -r1.12
--- spamass-milter.spec 12 Oct 2007 12:22:04 -0000 1.11
+++ spamass-milter.spec 22 Mar 2010 16:14:48 -0000 1.12
@@ -1,40 +1,84 @@
-Summary: Sendmail milter for spamassassin
+Summary: Milter (mail filter) for spamassassin
Name: spamass-milter
Version: 0.3.1
-Release: 5%{?dist}
+Release: 17%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://savannah.nongnu.org/projects/spamass-milt/
-Source0: http://savannah.nongnu.org/download/spamass-milt/spamass-milter-%{version}.tar.gz
+Source0: http://savannah.nongnu.org/download/spamass-milt/spamass-milter-%{version}.tar.bz2
Source1: spamass-milter-wrapper
Source2: spamass-milter.sysv
Source3: spamass-milter.sysconfig
+Source4: spamass-milter.README.Postfix
Patch0: spamass-milter-0.3.1-pathnames.patch
+Patch2: spamass-milter-0.3.1-group.patch
+Patch3: spamass-milter-0.3.1-rcvd.patch
+Patch4: spamass-milter-0.3.1-bits.patch
+Patch5: spamass-milter-0.3.1-popen.patch
+Patch6: spamass-milter-0.3.1-prototype.patch
+Patch7: spamass-milter-0.3.1-authuser.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: spamassassin, sendmail-devel
-Requires: spamassassin, sendmail
+Requires: spamassassin, /usr/sbin/sendmail
-Requires(pre): shadow-utils
+Requires(pre): /usr/bin/getent, /usr/sbin/groupadd, /usr/sbin/useradd, /usr/sbin/usermod
Requires(post): /sbin/chkconfig
-Requires(post): /sbin/service
-Requires(preun): /sbin/chkconfig
-Requires(preun): /sbin/service
-Requires(postun): /sbin/service
+Requires(preun): /sbin/chkconfig, initscripts
+Requires(postun): initscripts
%description
-A Sendmail milter (Mail Filter) application that pipes incoming mail
-(including things received by rmail/UUCP) through SpamAssassin, a highly
-customizable spam filter.
+A milter (Mail Filter) application that pipes incoming mail (including things
+received by rmail/UUCP) through SpamAssassin, a highly customizable spam
+filter. A milter-compatible MTA such as Sendmail or Postfix is required.
+
+%package postfix
+Summary: Postfix support for spamass-milter
+Group: System Environment/Daemons
+Requires: %{name} = %{version}-%{release}
+Requires(pre): postfix
+Requires(post): shadow-utils, %{name} = %{version}-%{release}
+%if 0%{?fedora} > 9
+BuildArch: noarch
+%endif
+
+%description postfix
+This package adds support for running spamass-milter using a Unix-domain
+socket to communicate with the Postfix MTA.
%prep
%setup -q
+
+# Local patch for initscript and socket paths
%patch0 -p1 -b .pathnames
-%{__cp} -p %{SOURCE1} %{SOURCE2} %{SOURCE3} .
+
+# Add -g option for group-writable socket for Postfix support (#452248)
+%patch2 -p1 -b .group
+
+# Fix Received-header generation (#496763)
+%patch3 -p1 -b .rcvd
+
+# Add authentication info to dummy Received-header (#496769)
+%patch4 -p1 -b .bits
+
+# Preliminary upstream patch for input validation bug letting
+# remote users execute arbitrary code (#572117, #572119)
+# https://savannah.nongnu.org/bugs/?29136
+%patch5 -p0 -b .popen
+
+# Add function prototype missing from patch5
+%patch6 -p1 -b .proto
+
+# Add -I option to ignore (don't check) mail from authenticated users
+# (#437506, #496767) https://savannah.nongnu.org/bugs/?21046
+%patch7 -p1 -b .authuser
+
+%{__cp} -p %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} .
%{__sed} -i -e 's|%%{_localstatedir}|%{_localstatedir}|g;
s|%%{_initrddir}|%{_initrddir}|g;
s|%%{_sysconfdir}|%{_sysconfdir}|g;
s|%%{_sbindir}|%{_sbindir}|g;' \
- spamass-milter.{sysv,sysconfig} README
+ spamass-milter.{README.Postfix,sysv,sysconfig} README
+%{__mv} spamass-milter.README.Postfix README.Postfix
%build
export SENDMAIL=/usr/sbin/sendmail
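Review bot: Patch4 (spamass-milter-0.3.1-bits.patch) and Patch7 (spamass-milter-0.3.1-authuser.patch) are declared and applied in %prep, but the file list for this commit adds only the group, popen, prototype and rcvd patches; confirm that both are already present on the EL-5 branch, or the build will fail at %prep. In the new postfix subpackage, Requires(post): shadow-utils names a package while the main package's Requires(pre) was just switched to file paths; /usr/sbin/usermod would be consistent with that change.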
@@ -47,14 +91,18 @@ export SENDMAIL=/usr/sbin/sendmail
%{__install} -m 755 -D spamass-milter.sysv %{buildroot}%{_initrddir}/spamass-milter
%{__install} -m 644 -D spamass-milter.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/spamass-milter
-%{__install} -m 700 -d %{buildroot}%{_localstatedir}/run/spamass-milter
+%{__install} -m 755 -d %{buildroot}%{_localstatedir}/lib/spamass-milter
+%{__install} -m 711 -d %{buildroot}%{_localstatedir}/run/spamass-milter
+%{__install} -m 750 -d %{buildroot}%{_localstatedir}/run/spamass-milter/postfix
%{__install} -m 755 spamass-milter-wrapper %{buildroot}%{_sbindir}/spamass-milter-wrapper
%pre
/usr/bin/getent group sa-milt >/dev/null || /usr/sbin/groupadd -r sa-milt
/usr/bin/getent passwd sa-milt >/dev/null || \
- /usr/sbin/useradd -r -g sa-milt -d %{_localstatedir}/run/spamass-milter \
+ /usr/sbin/useradd -r -g sa-milt -d %{_localstatedir}/lib/spamass-milter \
-s /sbin/nologin -c "SpamAssassin Milter" sa-milt
+# Fix homedir for upgrades
+/usr/sbin/usermod --home %{_localstatedir}/lib/spamass-milter sa-milt &>/dev/null
exit 0
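Review bot: The mode of %{_localstatedir}/run/spamass-milter changes from 700 to 711 with no comment explaining it. Presumably this is so the MTA can traverse to the postfix/ subdirectory (mode 750), but it also lets every local user traverse the directory, so the reason should be stated in the spec. In %pre, the usermod --home call discards both its output and its exit status, so a failed home-directory fix on upgrade goes unnoticed.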
%post
@@ -62,12 +110,18 @@ exit 0
%preun
if [ $1 -eq 0 ]; then
- /sbin/service spamass-milter stop &>/dev/null || :
+ %{_initrddir}/spamass-milter stop &>/dev/null || :
/sbin/chkconfig --del spamass-milter || :
fi
%postun
-/sbin/service spamass-milter condrestart &>/dev/null || :
+%{_initrddir}/spamass-milter condrestart &>/dev/null || :
+
+%post postfix
+# This is needed because the milter needs to "give away" the MTA communication
+# socket to the postfix group, and it needs to be a member of the group to do
+# that.
+/usr/sbin/usermod -a -G postfix sa-milt || :
%clean
%{__rm} -rf %{buildroot}
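Review bot: The %post postfix scriptlet adds sa-milt to the postfix group, but no scriptlet removes that membership when the subpackage is erased, so the milter account keeps postfix-group access after the Postfix support is gone. The "|| :" also hides a usermod failure, in which case the chown() added by the group patch would fail at startup with EX_NOPERM; reporting the failure at install time would make that easier to diagnose.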
@@ -80,9 +134,78 @@ fi
%{_initrddir}/spamass-milter
%{_sbindir}/spamass-milter
%{_sbindir}/spamass-milter-wrapper
+%dir %attr(-,sa-milt,sa-milt) %{_localstatedir}/lib/spamass-milter/
%dir %attr(-,sa-milt,sa-milt) %{_localstatedir}/run/spamass-milter/
+%files postfix
+%defattr(-,root,root,-)
+%doc README.Postfix
+%dir %attr(-,sa-milt,postfix) %{_localstatedir}/run/spamass-milter/postfix/
+
%changelog
+* Fri Mar 12 2010 Paul Howarth <paul at city-fan.org> 0.3.1-17
+- Update initscript to support running the milter as root, which is needed
+ for the -x (expand aliases) option; note that the milter does not run as
+ root by default
+- Add patch for popen unsanitized input vulnerability
+ (#572117, #572119, https://savannah.nongnu.org/bugs/?29136)
+- Rebase authuser patch
+- Update patch adding auth info to dummy Received-header so that it doesn't
+ generate spurious warnings about missing macros (#532266), and update and
+ merge the macro documentation patch into this patch
+- Document patch usage in spec file
+
+* Tue Aug 11 2009 Paul Howarth <paul at city-fan.org> 0.3.1-16
+- Switch to bzipped source tarball
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> 0.3.1-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Fri Apr 24 2009 Paul Howarth <paul at city-fan.org> 0.3.1-14
+- Fix Received-header generation (#496763)
+- Add authentication info to dummy Received-header (#496769)
+- Add option to skip checks for authenticated senders (#437506, #496767)
+ (thanks to Habeeb J. Dihu for the reports and patches)
+
+* Wed Mar 18 2009 Paul Howarth <paul at city-fan.org> 0.3.1-13
+- Call initscripts directly instead of via /sbin/service and fine-tune scriptlet
+ dependencies
+- Change sa-milt user's home directory from
+ %%{_localstatedir}/run/spamass-milter to %%{_localstatedir}/lib/spamass-milter
+ so as to retain directory contents across a reboot (#489995), and fix the home
+ directory of any existing sa-milt account on upgrades
+
+* Fri Feb 27 2009 Paul Howarth <paul at city-fan.org> 0.3.1-12
+- Subpackage for postfix is now noarch for Fedora 10 onwards
+- Fix scriptlet deps to ensure that sa-milt user exists before we attempt to
+ add it to the postfix group
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> 0.3.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Feb 13 2009 Paul Howarth <paul at city-fan.org> 0.3.1-10
+- Rebuild for shared libmilter in Fedora 11 development
+
+* Thu Jul 3 2008 Paul Howarth <paul at city-fan.org> 0.3.1-9
+- Require /usr/sbin/sendmail (for -b/-B/-x options) rather than sendmail pkg
+- Make summary and description less Sendmail-specific
+- Add patch to support group-writable socket for MTA communication, needed
+ to be able to use a Unix-domain socket with Postfix (#452248)
+- Add subpackage with group-writable directory for Postfix support
+- Tweak initscript to change default options when Postfix socket directory is
+ present
+- Document additional ENVRCPT macros to provide
+
+* Tue May 20 2008 Paul Howarth <paul at city-fan.org> 0.3.1-8
+- Fix initscript failure to start with SELinux in enforcing mode (#447247)
+ (needs selinux-policy >= 3.3.1-55 on F9)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org> 0.3.1-7
+- Autorebuild for GCC 4.3
+
+* Mon Feb 18 2008 Paul Howarth <paul at city-fan.org> 0.3.1-6
+- Rebuild with gcc 4.3.0 for Fedora 9
+
* Fri Oct 12 2007 Paul Howarth <paul at city-fan.org> 0.3.1-5
- Split initscript and config out from being here documents in the spec and
have them as separate source files instead
Index: spamass-milter.sysconfig
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/EL-5/spamass-milter.sysconfig,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- spamass-milter.sysconfig 12 Oct 2007 12:22:04 -0000 1.1
+++ spamass-milter.sysconfig 22 Mar 2010 16:14:48 -0000 1.2
@@ -1,6 +1,13 @@
### Override for your different local config
#SOCKET=%{_localstatedir}/run/spamass-milter/spamass-milter.sock
+### For security reasons it is best to run the milter as a non-root user
+###
+### However, if you need to use the -x option to expand aliases to get
+### the username(s) to pass to spamc, the milter needs to run as root
+### since "sendmail -bv <rcpt_address>" only works as root
+#RUN_AS_USER=sa-milt
+
### Standard parameters for spamass-milter are:
### -P %{_localstatedir}/run/spamass-milter.pid (PID file)
###
Index: spamass-milter.sysv
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/EL-5/spamass-milter.sysv,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- spamass-milter.sysv 12 Oct 2007 12:22:04 -0000 1.1
+++ spamass-milter.sysv 22 Mar 2010 16:14:48 -0000 1.2
@@ -24,14 +24,24 @@
# Default variables
PATH=/sbin:/bin:/usr/sbin:/usr/bin
+RUN_AS_USER=sa-milt
SOCKET="%{_localstatedir}/run/spamass-milter/spamass-milter.sock"
+SOCKET_OPTIONS=""
EXTRA_FLAGS=""
SYSCONFIG="%{_sysconfdir}/sysconfig/spamass-milter"
+# If Postfix support package is installed, use a postfix-group-writable
+# socket for communication with the MTA
+if [ -d %{_localstatedir}/run/spamass-milter/postfix ]; then
+ SOCKET="%{_localstatedir}/run/spamass-milter/postfix/sock"
+ SOCKET_OPTIONS="-g postfix"
+fi
+
# Read configuration
source %{_initrddir}/functions
-source %{_sysconfdir}/sysconfig/network
-[ -r "${SYSCONFIG}" ] && source "${SYSCONFIG}"
+for configfile in %{_sysconfdir}/sysconfig/network "${SYSCONFIG}"; do
+ [ -r "${configfile}" ] && source "${configfile}"
+done
[ -x %{_sbindir}/spamass-milter ] || exit 5
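Review bot: SOCKET and SOCKET_OPTIONS are set for Postfix before the sysconfig file is sourced, so an administrator who overrides only SOCKET in %{_sysconfdir}/sysconfig/spamass-milter still gets "-g postfix" applied to the new path. Either document SOCKET_OPTIONS in the sysconfig file alongside SOCKET or derive it after the configuration has been read.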
@@ -40,11 +50,15 @@ prog="spamass-milter"
desc="SpamAssassin milter"
pidfile=%{_localstatedir}/run/spamass-milter.pid
+# Fix ownership of socket directory if necessary
+chown ${RUN_AS_USER} %{_localstatedir}/run/spamass-milter
+
start() {
echo -n $"Starting ${desc} (${prog}): "
touch ${pidfile}
- chown sa-milt:sa-milt ${pidfile}
- daemon --user sa-milt %{_sbindir}/${prog}-wrapper -p ${SOCKET} -P ${pidfile} ${EXTRA_FLAGS}
+ chown ${RUN_AS_USER} ${pidfile}
+ [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
+ daemon --user ${RUN_AS_USER} %{_sbindir}/${prog}-wrapper ${SOCKET_OPTIONS} -p ${SOCKET} -P ${pidfile} ${EXTRA_FLAGS}
RETVAL=$?
echo
if [ ${RETVAL} -eq 0 ]; then
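Review bot: The chown ${RUN_AS_USER} %{_localstatedir}/run/spamass-milter line sits at the top level of the script, so it runs on every invocation (status and stop included) rather than only in start(). ${RUN_AS_USER} is also unquoted there and in the daemon --user call, so an empty value from sysconfig produces a malformed command. Suggest moving the chown into start() and quoting the variable. The pidfile chown also dropped the ":sa-milt" group part, which leaves the pidfile's group as whatever touch created it with.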
More information about the scm-commits
mailing list