[ITP] postfix 2.11.3
Corinna Vinschen
corinna-cygwin@cygwin.com
Mon Nov 17 13:52:00 GMT 2014
On Nov 17 14:00, Christian Franke wrote:
> Hi Corinna,
>
> Corinna Vinschen wrote:
> > Hi Christian,
> >
> > On Nov 13 23:48, Christian Franke wrote:
> >> I would like to contribute the Postfix Mail Transfer Agent.
> >>
> >> http://www.postfix.org/
> >>
> >> Download:
> >> wget -e robots=off -np -nH --cut-dirs=1 -R'index.html*' -r \
> >> http://chrfranke.no-ip.org/cygwin/x86/release/postfix \
> >> http://chrfranke.no-ip.org/cygwin/x86_64/release/postfix
> >>
> >> Important: It requires cygwin 1.7.33-1 (or a recent 1.7.33-0.X test
> >> release). It does not work with 1.7.32-1.
> >>
> >> For a first test try 'postfix-config --dryrun'. See the /etc/postfix/main.cf
> >> sample for some more info.
> > Packaging looks basically ok, but I see a few problems in
> > postfix-config:
> >
> > - The script uses passwd -R without asking the admin. I'm not so sure
> > that's feasible. The admin should have a say in the matter.
>
> I agree and will add a csih_request there.
>
>
> > Also, is
> > passwd -R really required? This is typically not necessary, unless you
> > potentially have to do stuff with native Windows tools (cron, sshd
> > session). Postfix doesn't seem to be a candidate for that.
>
> For example the postsuper admin tool always drops root permissions by
> setuid/gid() to $mail_owner ('postfix') before doing anything interesting.
> (postfix never uses chown(), BTW).
>
> Could this really be done without passwd -R or cyglsa ?

Usually, yes. As a Cygwin tool without accessing native Windows
functionality, it should not have a problem using
https://cygwin.com/preliminary-ug/ntsec.html#ntsec-nopasswd1, unless
it has to access network drives.

> > - The script still accesses /etc/group and /etc/passwd, but it should
> > not. For reading there's getent available for quite some time now.
> > Creating accounts in /etc/passwd and /etc/group should depend on the
> > Cygwin version.
>
> /etc/passwd is not accessed.

Sorry, I misread /usr/bin/passwd as /etc/passwd :}

> Yes, the first group 0 check should be replaced by getent, yes.

Oh, hey, group 0 won't exist in a db-only scenario. When testing for
the admins group, check for gid 544, or SID S-1-5-32-544 using getent.

> The other /etc/group modifications were only added because csih lacks a
> csih_create_local_group function.

Well, ok, but it shouldn't add to /etc/group invariably.

> > I prepared a matching function for testing this in
> > csih, which looks like this:
> >
> > # Routine: csih_use_file_etc passwd|group
> > # Check if /etc/passwd or /etc/group file is in use.
> > # On Cygwin versions < 1.7.33, files are always used.
> > # On Cygwin versions >= 1.7.33 it depends on /etc/nsswitch.conf.
> > ...
> > csih_use_file_etc()
> > {
> > ...
> > } # === End of csih_use_file_etc() === #
> > readonly -f csih_use_file_etc
> >
> > Maybe you could just copy the method for now until I get my lazy
> > back to finish the work on csih?
>
> OK.
>
> If csih_use_file_etc returns false, all the script could do for now is
> to refuse the creation of local users or groups.

No. If `csih_use_file_etc group' fails, don't write the newly created
group to /etc/group. Otherwise do.

> The (files-only|non-domain|domain) complexity should be handled in csih,
> IMO:

Uhm... AFAICS it is. After checking or creating a user, the new incarnation
of csih will have set three variables, either

  csih_PRIVILEGED_USERNAME
  csih_PRIVILEGED_USERWINNAME
  csih_PRIVILEGED_USERDOMAIN

or

  csih_UNPRIVILEGED_USERNAME
  csih_UNPRIVILEGED_USERWINNAME
  csih_UNPRIVILEGED_USERDOMAIN

so the calling script can just use the new name in whatever variation
required.

> > - I don't understand this one in create_postfix_accounts:
> >
> > if /usr/bin/find / -maxdepth 0 -group "$setgid_group" >/dev/null 2>&1; then
> > [...]
> >
> > What are you looking for in /?
>
> Nothing :-) This fairly portable trick to check for group existence was
> inherited from an older script. Should be replaced by getent, of course.

Oh, ok. Yes, there's no guarantee that / is grp-owned by setgid_group.

Thanks,
Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
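
The checks discussed in this thread, as an added example that is not part of the original mail and is not csih code: group lookups go through getent, the admins check uses gid 544, and a group line is written to the group file only when "files" is listed for groups in nsswitch.conf. The function names are hypothetical, and treating a missing file or entry as "files db" is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; this is not csih code.

# uses_files_db passwd|group [nsswitch.conf]
# Succeeds if the "files" source is listed for that database.
# Assumption: a missing file or a missing entry means the default "files db".
uses_files_db() {
    conf=${2:-/etc/nsswitch.conf}
    [ -r "$conf" ] || return 0
    sources=$(awk -v key="$1:" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == key { $1 = ""; last = $0; found = 1 }
        END { print (found ? last : "files db") }' "$conf")
    case " $sources " in
        *" files "*) return 0 ;;
        *) return 1 ;;
    esac
}

# group_exists NAME|GID
# Ask the account database instead of probing file ownership with find.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# The administrators group is gid 544 (SID S-1-5-32-544); group 0 may not
# exist when only the db source is in use.
admins_group_exists() {
    group_exists 544
}

# record_group LINE [group file] [nsswitch.conf]
# Append LINE to the group file only when "files" is in use for groups,
# and only if the identical line is not already present.
record_group() {
    groupfile=${2:-/etc/group}
    if uses_files_db group "${3:-/etc/nsswitch.conf}"; then
        grep -qxF -e "$1" "$groupfile" 2>/dev/null ||
            printf '%s\n' "$1" >> "$groupfile"
    fi
}
```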