public inbox for gentoo-dev@lists.gentoo.org
From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Abuse by gentoo developer
Date: Tue, 19 Jul 2005 19:43:34 -0700
Message-ID: <20050720024334.GA26639@curie-int.orbis-terrarum.net>
In-Reply-To: <200507200132.30745.lists@seattleserver.com>

I'm not going to address Jory's behaviour here, but I would like to
look at the actual development stuff, namely the SUID status of vchkpw,
as I took care of vpopmail before Jory came on board.

On Wed, Jul 20, 2005 at 01:32:30AM +0000, Casey Allen Shobe wrote:
> > I would strongly recommend doing chmod +s /var/vpopmail/bin/vchkpw 
> > in the ebuild, and then if the end user doesn't want it SUID, then 
> > that's what FEATURES=suidctl is for.
> 
> Umm, no it's not, and it's not useless info.  I reported the bug to 
> the gentoo-dev list some months ago, but should have probably used 
> bugs.gentoo.org instead.  In any case, it's certainly not installed 
> setuid by default:
> 
> # emerge -va vpopmail && ls -l /var/vpopmail/bin/vchkpw
> 
> These are the packages that I would merge, in order:
> 
> Calculating dependencies ...done!
> [ebuild   R   ] net-mail/vpopmail-5.4.6-r1  +clearpasswd -ipalias 
> -mysql -postgres 0 kB [1]
> [...]
> >>> net-mail/vpopmail-5.4.6-r1 merged.
> [...]
> -rwx--x--x  1 root root 85036 Jul 19 23:53 /var/vpopmail/bin/vchkpw*
> 
> So stop telling me my info is useless, when it's obviously not.
>
> > This is not how we can handle this; the user should have already
> > read up on how to set up vpopmail before ever installing it, which
> > means they would already know that SUID is required.
> As SUID is required for qmail-smtpd, vchkpw should indeed be 
> installed SUID by default unless overridden by using suidctl.  This 
> is NOT the case now.

This problem IS fixed in ~arch:

line 190 of both vpopmail-5.4.10.ebuild and vpopmail-5.4.9-r2.ebuild:
	chmod 4711 ${D}${VPOP_HOME}/bin/vchkpw

So if this is still a problem in arch, but works in ~arch, you SHOULD
file a bug report.

However the original reasoning for vchkpw NOT being setuid was that
setuid is NOT always needed depending on which backend you are using.

And as I've mentioned before I'd like MORE reports of packages working
well before they are moved to stable arch. Without those stable working
reports I don't have any means to judge just how much testing has been
done on a package, other than my own use of a package (and as such I do
leave things longer than the 30 days, because I don't entirely trust
them).

-- 
Robin Hugh Johnson
E-Mail     : robbat2@orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
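
Added example (not part of the original message or of the vpopmail ebuild): a POSIX shell check that decodes an `ls -l` mode string to octal and compares it with the 4711 the ~arch ebuild sets, so the quoted listing `-rwx--x--x` is seen to be 0711 with no setuid bit. The function names `char_at`, `triplet_digit`, `mode_to_octal` and `check_mode` are hypothetical; the sample listing is the one quoted in the thread.

```shell
#!/bin/sh
# Return the character at 1-based position $2 of string $1.
char_at() { printf '%s' "$1" | cut -c"$2"; }

# Octal digit for the rwx triplet starting at 1-based position $2 of mode string $1.
# s/t in the execute slot imply execute; S/T mean the special bit WITHOUT execute.
triplet_digit() {
    td=0
    if [ "$(char_at "$1" "$2")" = "r" ]; then td=$((td + 4)); fi
    if [ "$(char_at "$1" $(( $2 + 1 )))" = "w" ]; then td=$((td + 2)); fi
    case "$(char_at "$1" $(( $2 + 2 )))" in x|s|t) td=$((td + 1)) ;; esac
    printf '%s' "$td"
}

# Convert an ls -l mode string (e.g. -rws--x--x) to four octal digits.
# Returns 2 if the string is not a well-formed mode field.
mode_to_octal() {
    case "$1" in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) return 2 ;;
    esac
    sp=0
    case "$(char_at "$1" 4)"  in s|S) sp=$((sp + 4)) ;; esac   # setuid
    case "$(char_at "$1" 7)"  in s|S) sp=$((sp + 2)) ;; esac   # setgid
    case "$(char_at "$1" 10)" in t|T) sp=$((sp + 1)) ;; esac   # sticky
    printf '%s%s%s%s\n' "$sp" "$(triplet_digit "$1" 2)" \
        "$(triplet_digit "$1" 5)" "$(triplet_digit "$1" 8)"
}

# Compare a listed mode ($1) with the expected octal mode ($2).
# Exit status: 0 = match, 1 = drift, 2 = unparsable listing.
check_mode() {
    actual=$(mode_to_octal "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "OK $actual"
    else
        echo "DRIFT have=$actual want=$2"
        return 1
    fi
}

# Listing quoted in the thread (stable 5.4.6-r1) versus the mode set in ~arch.
check_mode '-rwx--x--x' 4711 || true
# Constructed listing: what the same file looks like after chmod 4711.
check_mode '-rws--x--x' 4711 || true
```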
