Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-13 23:57 UTC


RH initscript issues


2005-02-03 by Enrico Scholz

Hello,

I have attached two patches against 1.6 fixing the following issues:

* rc-redhat.sh.in: fix startup position; '50' was too early
because important services like 'named' will be started later
(55). '79' seems to be a good value as sendmail is started at
'80'

* rc-redhat.sh.in: drop the uid/gid manually. The daemon
itself does not change the gid/supplementary groups and
would run with too many privileges therefore.



Enrico

Re: [milter-greylist] RH initscript issues

2005-02-03 by Enrico Scholz

greylist-milter@... (Enrico Scholz) writes:
> * rc-redhat.sh.in: drop the uid/gid manually. The daemon
> itself does not change the gid/supplementary groups and
> would run with too many privileges therefore.

dropping gid/groups in the daemon would be better, but afair this method
is disliked as it is not very portable. Nevertheless, the attached patch
does exactly this...



Enrico

Re: [milter-greylist] RH initscript issues

2005-02-03 by Brent J. Nordquist

On Thu, Feb 03, 2005 at 10:17:45AM +0100, Enrico Scholz wrote:
> I have attached two patches against 1.6 fixing the following issues:

Interesting! These are just what the SPEC I use does also. I'm in favor
of this being applied.

-- 
Brent J. Nordquist <b-nordquist@...> N0BJN
Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html

Re: [milter-greylist] RH initscript issues

2005-02-03 by manu@netbsd.org

Enrico Scholz <greylist-milter@...> wrote:

> +             if (initgroups(conf.c_user, pw->pw_gid) != 0) {
> +                     syslog(LOG_ERR, "%s: can not change supplementary groups: %s\n",
> +                            argv[0], strerror(errno));
> +                     exit(EX_OSERR);
> +             }
> +
> +             if (setgid(pw->pw_gid) != 0 ||
> +                 setegid(pw->pw_gid) != 0) {
> +                     syslog(LOG_ERR, "%s: cannot change GID: %s\n",
> +                         argv[0], strerror(errno));
> +                     exit(EX_OSERR);
> +             }
> +
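
Review bot: In the second if, the setegid() call after setgid() is redundant when the process is privileged, because setgid() then sets the real, effective and saved GID; dropping it also removes a dependency on a function that not every system provides. The syslog() format strings do not need the trailing "\n", and "can not" / "cannot" should be spelled the same way in both messages. Nothing in the hunk confirms the result afterwards: consider comparing getgid() and getegid() with pw->pw_gid before continuing, and guard the initgroups() call with a configure check so the build does not break where it is missing.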

I'm ready to commit that, but I'm concerned about initgroups() not being
portable. Any input on that? How should it work on systems without
initgroups? 

-- 
Emmanuel Dreyfus
A book in French about BSD:
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@netbsd.org

Re: [milter-greylist] RH initscript issues

2005-02-03 by Eugene Crosser

--- manu@... wrote:

> Enrico Scholz <greylist-milter@...> wrote:
> 
> > +             if (initgroups(conf.c_user,
> pw->pw_gid) != 0) {
> > +                     syslog(LOG_ERR, "%s: can not
> change supplementary groups: %s\n",
> > +                            argv[0],
> strerror(errno));
> > +                     exit(EX_OSERR);
> > +             }
> > +
> > +             if (setgid(pw->pw_gid) != 0 ||
> > +                 setegid(pw->pw_gid) != 0) {
> > +                     syslog(LOG_ERR, "%s: cannot
> change GID: %s\n",
> > +                         argv[0],
> strerror(errno));
> > +                     exit(EX_OSERR);
> > +             }
> > +
> 
> I'm ready to commit that, but I'm concerned about initgroups() not being
> portable. Any input on that? How should it work on systems without
> initgroups?

Remember my patch for seteuid?  Here again, I think
that setregid is more portable than setegid.  And only
setgid exists on absolutely any system.  I think that
configure check should be added for setregid, setegid
and initgroups existence.

Eugene


		

Re: [milter-greylist] RH initscript issues

2005-02-03 by manu@netbsd.org

Eugene Crosser <egcrosser@...> wrote:

> Remember my patch for seteuid?  Here again, I think
> that setregid is more portable than setegid.  And only
> setgid exists on absolutely any system.  I think that
> configure check should be added for setregid, setegid
> and initgroups existence.

Sure, but what do we do if it does not exist?

-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD, 2nd ed., is in all good bookstores
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

Re: [milter-greylist] RH initscript issues

2005-02-03 by Eugene Crosser

--- manu@... wrote:

> Eugene Crosser <egcrosser@...> wrote:
> 
> > Remember my patch for seteuid?  Here again, I think
> > that setregid is more portable than setegid.  And only
> > setgid exists on absolutely any system.  I think that
> > configure check should be added for setregid, setegid
> > and initgroups existence.
> 
> Sure, but what do we do if it does not exist?

On systems where neither setregid nor setegid exist,
setgid sets *both* gid and egid.  Hopefully :-)  As
far as I know, anyway.

Even if not, well, then nothing can be done, we just
continue running with elevated privileges...

Eugene


		

Re: [milter-greylist] RH initscript issues

2005-02-07 by Enrico Scholz

manu@... writes:

>> + if (initgroups(conf.c_user, pw->pw_gid) != 0) {
>> ...
>> + if (setgid(pw->pw_gid) != 0 ||
>> + setegid(pw->pw_gid) != 0) {
> ...
> I'm ready to commit that, but I'm concerned about initgroups() not
> being portable. Any input on that?

Just execute a configure.ac test (e.g.

--------
dnl sys/types.h goes first (older systems need it before grp.h);
dnl unistd.h is included because some BSDs declare initgroups() there.
AC_MSG_CHECKING([whether initgroups() is available])
AC_TRY_LINK([
#define _BSD_SOURCE
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>],
    [initgroups("foo", 42);],
    [grmilt_have_initgroups=yes],
    [grmilt_have_initgroups=no])
AC_MSG_RESULT([$grmilt_have_initgroups])
if test x"$grmilt_have_initgroups" = xyes; then
    AC_DEFINE(GRMILT_HAVE_INITGROUPS, 1, [Define to 1 when initgroups(3) is available])
fi
--------

), put the statement above into an '#ifdef GRMILT_HAVE_INITGROUPS
... #endif' block and issue a big fat warning when initgroups() is not
available.



As Eugene noticed, setregid() shall be used instead of the setgid() +
setegid() sequence. According to SUSv3, 'setregid(2)' was "first released
in Issue 4, Version 2.", but setegid(2) is younger because it was "first
released in Issue 6.".


I see that you applied both my 'daemon --user=...' patch for the
initscripts and the initgroups patch in 2.0beta1. Sorry that I was
unclear about this, but they will not work together so please revert
the milter-greylist-1.6-user.patch.




Enrico
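
Added example, not part of the thread and not milter-greylist code: a sketch of the drop order discussed above (supplementary groups, then GID, then UID) with a verification step. `drop_privileges` and `ids_match` are hypothetical names, the UID drop is an assumption since the quoted hunk only shows the group handling, and `GRMILT_HAVE_INITGROUPS` is the macro from the configure test in the message above.

```c
#define _DEFAULT_SOURCE          /* exposes initgroups() on glibc */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Normally set by the configure test from the thread; defined here
 * (assumption) so the example builds on its own. */
#ifndef GRMILT_HAVE_INITGROUPS
#define GRMILT_HAVE_INITGROUPS 1
#endif

/* Hypothetical helper: 0 if real and effective IDs both match. */
int ids_match(uid_t uid, gid_t gid)
{
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Hypothetical helper: permanently become `user`. Returns 0 on success,
 * -1 on any failure; the caller should exit rather than keep running. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL)
        return -1;
#ifdef GRMILT_HAVE_INITGROUPS
    /* 1. Supplementary groups first: needs root, so before any ID change. */
    if (initgroups(user, pw->pw_gid) != 0)
        return -1;
#else
    fprintf(stderr, "WARNING: no initgroups(); supplementary groups kept\n");
#endif
    /* 2. Group next: a privileged setgid() sets real, effective and saved GID. */
    if (setgid(pw->pw_gid) != 0)
        return -1;
    /* 3. User last: afterwards the process can no longer change its groups. */
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* 4. Verify the result and confirm root cannot be regained. */
    if (ids_match(pw->pw_uid, pw->pw_gid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}
```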

Re: [milter-greylist] RH initscript issues

2005-02-08 by manu@netbsd.org

Enrico Scholz <greylist-milter@...> wrote:

> I see that you applied both my 'daemon --user=...' patch for the
> initscripts and the initgroups patch in 2.0beta1. Sorry that I was
> unclear about this, but they will not work together so please revert
> the milter-greylist-1.6-user.patch.

Send me a diff, to avoid another unclear thing :)

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] RH initscript issues

2005-02-08 by manu@netbsd.org

Enrico Scholz <greylist-milter@...> wrote:

> As Eugene noticed, setregid() shall be used instead of the setgid() +
> setegid() sequence. According to SUSv3, 'setregid(2)' was "first released
> in Issue 4, Version 2.", but setegid(2) is younger because it was "first
> released in Issue 6.".

In setregid(2) on my favourite OS, I have:
HISTORY
     The setregid() function call appeared in 4.2BSD.  An incompatible
     version was implemented in 4.4BSD.  It was reimplemented in NetBSD
     1.2 in a way compatible with 4.3BSD, SunOS and Linux, but should
     not be used in new code.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
