ports/103417: [maintainer] mail/dkim-milter to run as a non-privileged user

Hirohisa Yamaguchi umq at ueo.co.jp
Wed Sep 20 07:10:24 UTC 2006


>Number:         103417
>Category:       ports
>Synopsis:       [maintainer] mail/dkim-milter to run as a non-privileged user
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 20 07:10:19 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Hirohisa Yamaguchi
>Release:        FreeBSD 7.0-CURRENT amd64
>Organization:
<organization of PR author (multiple lines)>
>Environment:
System: FreeBSD calliope.****.org 7.0-CURRENT FreeBSD 7.0-CURRENT #2: Fri Sep 1 13:15:27 JST 2006 root at calliope.****.org:/usr/obj/usr/src/sys/CALLIOPE64 amd64


>Description:
	For several reasons, it is recommended that milter processes run as non-privileged users,
	but mail/dkim-milter currently does not.

>How-To-Repeat:
	N/A

>Fix:

	The patch follows.

	Changes in this patch:
	+ add new file pkg-install to create a user "dkimfilter"
	+ make a directory under /var/run owned by the user to run
	  and the default file and sock have moved into the directory
	+ fix multiple-instantiation failure in recent OSVERSION

	ports/103404 is also open for now.

diff -Npru ports.orig/mail/dkim-milter/Makefile ports/mail/dkim-milter/Makefile
--- ports.orig/mail/dkim-milter/Makefile	Wed Aug  2 11:47:05 2006
+++ ports/mail/dkim-milter/Makefile	Wed Sep 20 12:35:28 2006
@@ -74,6 +74,7 @@ post-install:
 	${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR}
 .endfor
 .endif
+	@${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
 	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.post.mk>
diff -Npru ports.orig/mail/dkim-milter/files/milter-dkim.sh.in ports/mail/dkim-milter/files/milter-dkim.sh.in
--- ports.orig/mail/dkim-milter/files/milter-dkim.sh.in	Tue May  2 00:05:44 2006
+++ ports/mail/dkim-milter/files/milter-dkim.sh.in	Wed Sep 20 15:35:59 2006
@@ -15,6 +15,7 @@
 #
 # milterdkim_enable (bool):   Set to "NO" by default.
 #                             Set it to "YES" to enable dkim-milter
+# milterdkim_uid (str):       Set username to run milter.
 # milterdkim_profiles (list): Set to "" by default.
 #                             Define your profiles here.
 # milterdkim_socket (str):    Path to the milter socket.
@@ -30,6 +31,7 @@
 # DO NOT CHANGE THESE DEFAULT VALUES HERE
 #
 milterdkim_enable=${milterdkim_enable:-"NO"}
+milterdkim_uid=${milterdkim_uid:-"dkimfilter"}
 milterdkim_profiles=${milterdkim_profiles:-}
 milterdkim_socket=${milterdkim_socket:-"local:/var/run/milterdkim/filter.sock"}
 milterdkim_domain=${milterdkim_domain:-"example.com"}
@@ -45,17 +47,17 @@ name="milterdkim"
 rcvar=`set_rcvar`
 
 start_precmd="dkim_prepcmd"
-stop_postcmd="dkim_prepcmd"
+stop_postcmd="dkim_postcmd"
 command="%%PREFIX%%/libexec/dkim-filter"
-_pidprefix="/var/run/dkim-filter"
-pidfile="${_pidprefix}.pid"
+_piddir="/var/run/milterdkim"
+pidfile="${_piddir}/pid"
 
 load_rc_config $name
 
 if [ -n "$2" ]; then
     profile="$2"
     if [ "x${milterdkim_profiles}" != "x" ]; then
-	pidfile="${_pidprefix}.${profile}.pid"
+	pidfile="${_piddir}/${profile}.pid"
 	eval milterdkim_enable="\${milterdkim_${profile}_enable:-${milterdkim_enable}}"
 	eval milterdkim_socket="\${milterdkim_${profile}_socket:-}"
 	if [ "x${milterdkim_socket}" = "x" ];then
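Review bot: The new per-profile pidfile path `${_piddir}/${profile}.pid` is built from `$2` without checking that it names a configured profile, so a value containing `/` or `..` would place the pidfile outside `/var/run/milterdkim`. The same unchecked value also feeds the existing `eval` lines below it. Since this script normally runs as root, a guard before the assignment would help, e.g. `case " ${milterdkim_profiles} " in *" ${profile} "*) ;; *) echo "$0: unknown profile ${profile}"; exit 1 ;; esac`. The enclosing `if` block continues past the end of this hunk.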
@@ -65,7 +67,7 @@ if [ -n "$2" ]; then
 	eval milterdkim_domain="\${milterdkim_${profile}_domain:-${milterdkim_domain}}"
 	eval milterdkim_key="\${milterdkim_${profile}_key:-${milterdkim_key}}"
 	eval milterdkim_flags="\${milterdkim_${profile}_flags:-${milterdkim_flags}}"
-	command_args="-l -p ${milterdkim_socket} -P ${pidfile}"
+	command_args="-l -p ${milterdkim_socket} -u ${milterdkim_uid} -P ${pidfile}"
     else
 	echo "$0: extra argument ignored"
     fi
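Review bot: `-u ${milterdkim_uid}` is added to `command_args` unconditionally here and again in the non-profile branch in the later `command_args` hunk, while `dkim_prepcmd` guards its `chown` with `[ -n "${milterdkim_uid}" ]`. If rc.conf sets `milterdkim_uid=""` (the default is assigned before `load_rc_config`, so it would not be re-applied), the filter would be started with `-u -P`, which presumably makes it misread its options instead of dropping privileges. Either re-apply the default after `load_rc_config` with `: ${milterdkim_uid:="dkimfilter"}`, or build the option conditionally with `${milterdkim_uid:+-u ${milterdkim_uid}}`. If an empty value is simply unsupported, a one-line comment next to the default saying so would be enough.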
@@ -74,7 +76,7 @@ else
 	if [ "x$1" != "xrestart" ]; then
 	    for profile in ${milterdkim_profiles}; do
 		echo "===> milterdkim profile: ${profile}"
-		%%PREFIX%%/etc/rc.d/milter-dkim.sh $1 ${profile}
+		$0 $1 ${profile}
 		retcode="$?"
 		if [ "0${retcode}" -ne 0 ]; then
 		    failed="${profile} (${retcode}) ${failed:-}"
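Review bot: `$0 $1 ${profile}` is unquoted and relies on `$0` being the path of this script. That holds when the script is executed directly, but if it is ever sourced by the rc framework `$0` names the caller instead, and a relative `$0` depends on the current directory; this is worth confirming for the OS versions the change is meant to fix. I would write `"$0" "$1" "${profile}"` and add a comment stating the assumption that the script is executed, not sourced. The `for` loop that starts in this hunk ends outside it.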
@@ -88,7 +90,7 @@ else
 	fi
     else
 	milterdkim_flags=${milterdkim_flags}
-	command_args="-l -p ${milterdkim_socket} -P ${pidfile}"
+	command_args="-l -p ${milterdkim_socket} -u ${milterdkim_uid} -P ${pidfile}"
     fi
 fi
 
@@ -99,6 +101,24 @@ dkim_prepcmd ()
     elif [ -S ${milterdkim_socket##unix:} ] ; then
         rm -f ${milterdkim_socket##unix:}
     fi
+    if [ -d ${_piddir} ] ; then
+	return;
+    fi
+    mkdir -p ${_piddir}
+    if [ -n "${milterdkim_uid}" ] ; then
+	chown ${milterdkim_uid} ${_piddir}
+    fi
+}
+
+dkim_postcmd()
+{
+    if [ -S ${milterdkim_socket##local:} ] ; then
+        rm -f ${milterdkim_socket##local:}
+    elif [ -S ${milterdkim_socket##unix:} ] ; then
+        rm -f ${milterdkim_socket##unix:}
+    fi
+    # just if the directory is empty
+    rmdir ${_piddir} > /dev/null 2>&1
 }
 
 run_rc_command "$1"
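Review bot: In `dkim_prepcmd` the early `return` when `${_piddir}` already exists means its owner and mode are never re-checked, so a directory left over with a different owner (for example after `milterdkim_uid` is changed) is silently reused, and the results of `mkdir` and `chown` are not checked either. Since root later reads the pidfile and removes the socket inside this user-owned directory, I would set ownership and mode on every start and fail the precmd on error, e.g. `install -d -o "${milterdkim_uid}" -m 0755 "${_piddir}" || return 1` (keeping the `-n` guard if an empty uid is meant to be supported). `dkim_postcmd` repeats the socket-removal lines of `dkim_prepcmd` verbatim; a small shared helper would keep the two in sync, and the expansions in both should be quoted. `dkim_prepcmd` begins before this hunk.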
diff -Npru ports.orig/mail/dkim-milter/pkg-install ports/mail/dkim-milter/pkg-install
--- ports.orig/mail/dkim-milter/pkg-install	Thu Jan  1 09:00:00 1970
+++ ports/mail/dkim-milter/pkg-install	Wed Sep 20 11:32:54 2006
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ "$2" != "POST-INSTALL" ]
+then
+	exit 0;
+fi
+
+# check if dkimfilter user exists
+pw user show dkimfilter > /dev/null 2>&1
+
+if [ $? != 0 ]
+then
+	echo "===>  Adding user dkimfilter"
+	pw useradd dkimfilter -c "milter-dkim" -s /sbin/nologin \
+	-d /nonexistent
+else
+	echo "===>  Using existing user dkimfilter" 
+fi
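Review bot: The exit status of `pw useradd` is not checked, so if account creation fails the install still succeeds and the rc script later starts the filter with `-u dkimfilter` for a user that does not exist. Testing the commands directly and propagating failure is clearer than the separate `$?` test: `if ! pw user show dkimfilter > /dev/null 2>&1; then` and `pw useradd dkimfilter -c "milter-dkim" -s /sbin/nologin -d /nonexistent || exit 1`. No uid or group is given, so the account's ids will differ between hosts; a short comment saying that this is intentional would help.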
>Release-Note:
>Audit-Trail:
>Unformatted:


