author | Jason Unovitch <junovitch@FreeBSD.org> | 2016-05-01 01:13:06 +0000 |
---|---|---|
committer | Jason Unovitch <junovitch@FreeBSD.org> | 2016-05-01 01:13:06 +0000 |
commit | 2e4733463a4bc714bc94da00e4e9da9f56fdd703 (patch) | |
tree | 3afde4310eacf906074e9fc3c2684964c5c5aa75 /UPDATING | |
parent | 70d2669ebf2afb8ac59064902e7ea03803733aa5 (diff) | |
mail/dspam: implement privilege separation (resolves bug running with suexec)
- Runs as dspam:dspam instead of root:mail. The dspam UID/GID were created
in r168311 when the UIDs/GIDs files were added but the port had always
used root:mail. This had prevented running the dspam webUI under Apache
with suexec due to a minimal requirement of UID/GID of 100. The original
unsecure behavior is available with the SETUID option.
- Default run directory is now /var/run/dspam. This follows the default
upstream behavior and removes the patch to dspam.c as a result. Use
RUN_DIR and correct the dspam.conf.sample file accordingly.
- Default daemon/client communication port is now 2424.
- Regen patches while here (portlint)
UPDATING: Document privilege separated dspam
PR: 115957
Reported by: tedm@ipinc.net, support@ipinc.net
Submitted by: Danny Warren <danny@dannywarren.com> (maintainer)
Notes:
svn path=/head/; revision=414374
Diffstat (limited to 'UPDATING')
-rw-r--r-- | UPDATING | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -5,6 +5,16 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20160501: + AFFECTS: Users of mail/dspam + AUTHOR: junovitch@FreeBSD.org + + dspam has been modified to no longer run as root:mail by default. + Existing configuration must be adjusted to reflect using a non-privileged + port and the /var/run/dspam directory for PID and socket files. If you + need dspam to run as root for your mail setup, you can use the SETUID + config option to enable the old insecure behavior. + 20160424: AFFECTS: Users of net-mgmt/icinga2 AUTHOR: lme@FreeBSD.org |
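Review bot: The 20160501 entry tells users to adjust existing configuration for "a non-privileged port and the /var/run/dspam directory" but gives neither the new port number nor the account dspam now runs as. The commit message has both (default daemon/client port 2424, runs as dspam:dspam instead of root:mail), so I would put them in the entry itself, along with the file to edit (the commit message mentions dspam.conf.sample, so presumably the installed dspam.conf). Naming dspam:dspam also lets an administrator check that existing files created under root:mail are still accessible after the upgrade. Minor wording point: the commit message calls SETUID an "option" while the entry says "SETUID config option"; "SETUID port option" would avoid it being read as a dspam.conf setting.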