From: "Michael Orlitzky"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Michael Orlitzky"
Message-ID: <1509562496.2d55bc8f1afb8dc8f712ba139a860c828f52eb17.mjo@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-filter/spamassassin/, mail-filter/spamassassin/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: mail-filter/spamassassin/files/3.4.1-spamd.conf-r1 mail-filter/spamassassin/files/3.4.1-spamd.init-r2 mail-filter/spamassassin/spamassassin-3.4.1-r17.ebuild mail-filter/spamassassin/spamassassin-3.4.1-r18.ebuild
X-VCS-Directories: mail-filter/spamassassin/files/ mail-filter/spamassassin/
X-VCS-Committer: mjo
X-VCS-Committer-Name: Michael Orlitzky
X-VCS-Revision: 2d55bc8f1afb8dc8f712ba139a860c828f52eb17
X-VCS-Branch: master
Date: Wed, 1 Nov 2017 18:55:54 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f282bbe4-8c23-47b9-8a7f-a7c2697f5da4
X-Archives-Hash: ee43aa7b54658b842230551d15f05b7d

commit:     2d55bc8f1afb8dc8f712ba139a860c828f52eb17
Author:     Michael Orlitzky gentoo org>
AuthorDate: Wed Nov 1 03:05:53 2017 +0000
Commit:     Michael Orlitzky gentoo org>
CommitDate: Wed Nov 1 18:54:56 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d55bc8f

mail-filter/spamassassin: new revision that lets spamd run as root (openrc).

The r13 revision of spamassassin came with a new init script (and systemd service file) that runs spamd as the "spamd" user by default, and that choice is not configurable. There is however a legitimate use case for running spamd as root; namely, when local users have their configurations or bayes databases stored in their home directories on the local filesystem.

This new revision adds back the ability to run spamd as root, through the SPAMD_RUN_AS_ROOT variable in the OpenRC service configuration file. This should suffice for the users who have reported problems so far, and a similar fix for the systemd service is on its way. The pkg_postinst phase of the ebuild alerts users to the new configuration variable. Bug: https://bugs.gentoo.org/635790 Package-Manager: Portage-2.3.8, Repoman-2.3.3 mail-filter/spamassassin/files/3.4.1-spamd.conf-r1 | 30 +++++++++++++++++ mail-filter/spamassassin/files/3.4.1-spamd.init-r2 | 38 ++++++++++++++++++++++ ....1-r17.ebuild => spamassassin-3.4.1-r18.ebuild} | 9 +++-- 3 files changed, 75 insertions(+), 2 deletions(-) diff --git a/mail-filter/spamassassin/files/3.4.1-spamd.conf-r1 b/mail-filter/spamassassin/files/3.4.1-spamd.conf-r1 new file mode 100644 index 00000000000..b7b46f3226a --- /dev/null +++ b/mail-filter/spamassassin/files/3.4.1-spamd.conf-r1 
@@ -0,0 +1,30 @@ +# ***WARNING*** +# +# The spamd daemon must not run on an untrusted network. +# +# ***WARNING*** + +# Additional options to pass to the spamd daemon. The spamd(1) man +# page explains the available options. If you choose to listen on a +# non-default interface, you will need to use OpenRC's "rc_need" +# mechanism to ensure that your interface comes up before spamd +# starts. The openrc-run(8) man page describes rc_need. +SPAMD_OPTS="--max-children=5 --create-prefs --helper-home-dir" + +# Sets the 'nice' level of the spamd process. +SPAMD_NICELEVEL=0 + +# How long (in seconds) should we wait for spamd to stop after we've +# asked it to? After this amount of time, if spamd is still running, +# we will assume that it has failed to stop. +SPAMD_TIMEOUT=15 + +# Do you want to run spamd as root? If you have local users storing their +# personal configurations (or bayes databases) in ~/.spamassassin, then you +# may want to run spamd as root so that it can setuid to each user while +# processing his spam. (That way, you don't have to grant the "spamd" user +# individual permissions to everyone's ~/.spamassassin directory.) +# +# On the other hand, if you don't store any per-user configuration on +# the filesystem, then you should leave this alone. +SPAMD_RUN_AS_ROOT=false diff --git a/mail-filter/spamassassin/files/3.4.1-spamd.init-r2 b/mail-filter/spamassassin/files/3.4.1-spamd.init-r2 new file mode 100644 index 00000000000..c704782f3a4 --- /dev/null +++ b/mail-filter/spamassassin/files/3.4.1-spamd.init-r2 
@@ -0,0 +1,38 @@ +#!/sbin/openrc-run +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +command="/usr/sbin/spamd" +pidfile="/run/spamd.pid" +command_args="--pidfile=${pidfile} ${SPAMD_OPTS}" +command_args_background="--daemonize" + +if ! [ "${SPAMD_RUN_AS_ROOT}" = "true" ]; then + # Passing --username=root to spamd kills it, so if SPAMD_RUN_AS_ROOT + # is true, then we want to pass no user/group command args at all. + # Any value other than "true" gets the default user/group of "spamd". + command_args="${command_args} --username=spamd --groupname=spamd" +fi + +: ${SPAMD_NICELEVEL:=0} +start_stop_daemon_args="--nicelevel ${SPAMD_NICELEVEL}" + +# Retry after SPAMD_TIMEOUT seconds because spamd can take a +# while to kill off all of its children. This was bug 322025. +: ${SPAMD_TIMEOUT:=15} +retry="${SPAMD_TIMEOUT}" + +extra_started_commands="reload" + +depend() { + before mta + use logger mysql postgres +} + +reload() { + ebegin "Reloading configuration" + # Warning: reload causes the PID of the spamd process to + # change, but spamd does update its PID file afterwards. + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/mail-filter/spamassassin/spamassassin-3.4.1-r17.ebuild b/mail-filter/spamassassin/spamassassin-3.4.1-r18.ebuild similarity index 95% rename from mail-filter/spamassassin/spamassassin-3.4.1-r17.ebuild rename to mail-filter/spamassassin/spamassassin-3.4.1-r18.ebuild index ba402950811..49b14da5015 100644 --- a/mail-filter/spamassassin/spamassassin-3.4.1-r17.ebuild +++ b/mail-filter/spamassassin/spamassassin-3.4.1-r18.ebuild 
@@ -156,8 +156,8 @@ src_install () { || die "failed to disable plugins by default" # Add the init and config scripts. - newinitd "${FILESDIR}/3.4.1-spamd.init-r1" spamd - newconfd "${FILESDIR}/3.4.1-spamd.conf" spamd + newinitd "${FILESDIR}/3.4.1-spamd.init-r2" spamd + newconfd "${FILESDIR}/3.4.1-spamd.conf-r1" spamd systemd_newunit "${FILESDIR}/${PN}.service-r3" "${PN}.service" systemd_install_serviced "${FILESDIR}/${PN}.service.conf-r1" \ @@ -241,4 +241,9 @@ pkg_postinst() { elog elog ' https://wiki.gentoo.org/wiki/SpamAssassin' elog + + ewarn 'If this version of SpamAssassin causes permissions issues' + ewarn 'with your user configurations or bayes databases, you may' + ewarn 'need to set SPAMD_RUN_AS_ROOT=true in your OpenRC service' + ewarn 'configuration file.' }
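
Review bot: In 3.4.1-spamd.conf-r1, the comment block above SPAMD_RUN_AS_ROOT=false does not say that only the exact lowercase string true enables root mode. The init script tests [ "${SPAMD_RUN_AS_ROOT}" = "true" ], so values such as yes, 1 or TRUE silently keep the spamd user. That fails safe, but an admin who needs root gets no error and no hint. State the accepted value in the comment, and consider referring back to the untrusted-network warning at the top of the file, since it carries more weight once spamd is started as root.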
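
Review bot: In 3.4.1-spamd.init-r2, the conditional appends --username=spamd --groupname=spamd after ${SPAMD_OPTS} has already been placed in command_args, so a site that carries its own user or group option in SPAMD_OPTS ends up with two of them on the spamd command line, and nothing in the conf file says the script now manages these. Add a sentence to the SPAMD_OPTS comment in the conf file saying that user and group options must not be set there. As a style point, the default assignments are better quoted, as in : "${SPAMD_NICELEVEL:=0}" and : "${SPAMD_TIMEOUT:=15}", so that an odd value in the conf file is not word-split or globbed.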
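
Review bot: In the pkg_postinst hunk of the ebuild, the four ewarn lines have no guard in the visible context, so they will also be shown on fresh installs and to systemd users, although per the commit message only the OpenRC service honours SPAMD_RUN_AS_ROOT in this revision. Name the file explicitly (/etc/conf.d/spamd, which is where newconfd ... spamd installs it), say that the variable is OpenRC-only for now, and point readers to the comments in that file about when root is appropriate, so the message does not read as a general fix for any permissions problem.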