* [gentoo-dev] RFC: acct-{user,group} for milter (438)
@ 2019-12-13 21:17 Ralph Seichter
2019-12-15 4:36 ` Michael Orlitzky
0 siblings, 1 reply; 8+ messages in thread
From: Ralph Seichter @ 2019-12-13 21:17 UTC (permalink / raw
To: gentoo-dev
The mail-filter/milter-regex ebuild already uses user/group 'milter',
and for the currently open bump to version 2.7 I'd like to claim GID/UID
438.
I have checked the assignment list[1] and used Notmuch for a full text
search of previous mentions of GID/UID 438. From what I can tell, 438
has not been requested before.
-Ralph
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-13 21:17 [gentoo-dev] RFC: acct-{user,group} for milter (438) Ralph Seichter
@ 2019-12-15 4:36 ` Michael Orlitzky
2019-12-15 4:53 ` Ralph Seichter
0 siblings, 1 reply; 8+ messages in thread
From: Michael Orlitzky @ 2019-12-15 4:36 UTC (permalink / raw
To: gentoo-dev
On 12/13/19 4:17 PM, Ralph Seichter wrote:
> The mail-filter/milter-regex ebuild already uses user/group 'milter',
> and for the currently open bump to version 2.7 I'd like to claim GID/UID
> 438.
I recently cited the "milter" user on this list as a bad example from
the user.eclass days... it was used by at least three unrelated
packages: milter-regex, opendmarc, and opendkim. I fixed opendkim, of
course, but it looks like opendmarc still uses "milter" as its user, too.
Now would be a good time to switch them to unique accounts, since
neither package should be able to access the other's files. The obvious
choice for opendmarc is "opendmarc", and that's even what upstream
defaults to -- we sed it to "milter" in Gentoo.
I guess we could keep "milter" for only regex-milter, but that has the
disadvantage that it messes with the opendmarc package in the meantime.
Upstream uses "_milter-regex", and according to the PMS that's...
actually... a legal package name? How do people feel about that? It's
insane, for sure; but I'm too tired to tell if it's good insane or bad
insane.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-15 4:36 ` Michael Orlitzky
@ 2019-12-15 4:53 ` Ralph Seichter
2019-12-15 5:20 ` Michael Orlitzky
0 siblings, 1 reply; 8+ messages in thread
From: Ralph Seichter @ 2019-12-15 4:53 UTC (permalink / raw
To: gentoo-dev
* Michael Orlitzky:
> I guess we could keep "milter" for only regex-milter, but that has the
> disadvantage that it messes with the opendmarc package in the meantime.
Of the three packages you mentioned, milter-regex (not regex-milter) is
the only one with a name that actually contains "milter". OpenDMARC
should never have user a user named milter in the first place, and in
the future it should use "opendmarc".
Besides, since nobody has claimed group/user "milter" before me, I think
this falls under first come, first serve.
-Ralph
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-15 4:53 ` Ralph Seichter
@ 2019-12-15 5:20 ` Michael Orlitzky
2019-12-15 14:46 ` Ralph Seichter
0 siblings, 1 reply; 8+ messages in thread
From: Michael Orlitzky @ 2019-12-15 5:20 UTC (permalink / raw
To: gentoo-dev
On 12/14/19 11:53 PM, Ralph Seichter wrote:
>
> Of the three packages you mentioned, milter-regex (not regex-milter) is
> the only one with a name that actually contains "milter". OpenDMARC
> should never have user a user named milter in the first place, and in
> the future it should use "opendmarc".
>
> Besides, since nobody has claimed group/user "milter" before me, I think
> this falls under first come, first serve.
I agree that milter-regex has the strongest claim to the username. All
I'm saying is that until opendmarc updates to GLEP81, changes its
username, and all of its old versions have been purged from the tree...
(a) we still have a dumb security vulnerability, in that these daemons
can modify each others' files; and
(b) you have to be careful not to do anything in acct-user/milter that
could break someone's opendmarc setup, because now reinstalling
acct-user/milter will reset all of the settings for its user (see
the mythtv thread from today about this).
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-15 5:20 ` Michael Orlitzky
@ 2019-12-15 14:46 ` Ralph Seichter
2019-12-15 14:51 ` Ralph Seichter
2019-12-15 23:18 ` Michael Orlitzky
0 siblings, 2 replies; 8+ messages in thread
From: Ralph Seichter @ 2019-12-15 14:46 UTC (permalink / raw
To: gentoo-dev
* Michael Orlitzky:
> (a) we still have a dumb security vulnerability, in that these daemons
> can modify each others' files
That vulnerability has existed as long as the second package came around
and re-used the "milter" user, and to my knowledge nothing bad has come
of it so far.
I have an open PR[1] that the QA checks on GitHub will not allow to pass
unless I migrate milter-regex to using acct-* instead of user.eclass, so
that is what I did.
[1] https://github.com/gentoo/gentoo/pull/13964
> (b) you have to be careful not to do anything in acct-user/milter that
> could break someone's opendmarc setup
Milter-regex only needs a user to isolate the process and it's single
configuration file (/etc/milter-regex.conf). My PR adds acct-user/milter
without a home directory, because milter-regex does not need one, nor
does it write anything to disk. It is designed to hold everything in
memory only.
Could that lack of a home directory hurt OpenDMARC? I use OpenDMARC and
milter-regex on the same servers and did not run into problems.
-Ralph
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-15 14:46 ` Ralph Seichter
@ 2019-12-15 14:51 ` Ralph Seichter
2019-12-15 23:18 ` Michael Orlitzky
1 sibling, 0 replies; 8+ messages in thread
From: Ralph Seichter @ 2019-12-15 14:51 UTC (permalink / raw
To: gentoo-dev
> Milter-regex only needs a user to isolate the process and it's single
> configuration file (/etc/milter-regex.conf).
I forgot to mention:
$ ls -l /etc/milter-regex.conf
-rw-r--r-- 1 root root 2.3K Dec 14 22:13 /etc/milter-regex.conf
Owned by root, world-readable because nothing sensitive is configured,
so I see no security risk (from the POV of milter-regex) in regards to
this config file.
-Ralph
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-15 14:46 ` Ralph Seichter
2019-12-15 14:51 ` Ralph Seichter
@ 2019-12-15 23:18 ` Michael Orlitzky
2019-12-16 13:55 ` Ralph Seichter
1 sibling, 1 reply; 8+ messages in thread
From: Michael Orlitzky @ 2019-12-15 23:18 UTC (permalink / raw
To: gentoo-dev
On 12/15/19 9:46 AM, Ralph Seichter wrote:
>
> Milter-regex only needs a user to isolate the process and it's single
> configuration file (/etc/milter-regex.conf). My PR adds acct-user/milter
> without a home directory, because milter-regex does not need one, nor
> does it write anything to disk. It is designed to hold everything in
> memory only.
Right, this is what I was anticipating.
> Could that lack of a home directory hurt OpenDMARC? I use OpenDMARC and
> milter-regex on the same servers and did not run into problems.
That's what I don't know. I think it's unlikely that OpenDMARC's user
needs a home directory, but the daemon may expect /var/lib/milter to be
writable and currently that happens as a side effect of the enewuser
call. If acct-user/milter (with no home directory) is installed first,
then /var/lib/milter won't exist and be writable.
You might also affect people who have modified their OpenDMARC user's
home directory or shell, if there's any reason to do that. Michał
already posted the solution to that problem (override acct-user/milter
in an overlay), but if that happens then people will be overriding one
daemon's user to keep another unrelated daemon working -- not very
aesthetically pleasing.
tl;dr if I were you I would rather not have to worry about any of this.
I'm sure someone will object to the name acct-user/_milter-regex, but
that would be the easiest option, being the upstream default. It's also
unlikely that someone will try to repurpose that user for another milter
in the future, putting us back in the same situation as we are with
OpenDMARC today.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)
2019-12-15 23:18 ` Michael Orlitzky
@ 2019-12-16 13:55 ` Ralph Seichter
0 siblings, 0 replies; 8+ messages in thread
From: Ralph Seichter @ 2019-12-16 13:55 UTC (permalink / raw
To: gentoo-dev
* Michael Orlitzky:
> I'm sure someone will object to the name acct-user/_milter-regex, but
> that would be the easiest option, being the upstream default.
Admittedly, _milter-regex makes me wince. It displeases my sense of
aesthetics and affects sorting order in acct-*. I'd like to lose the
underscore, and I'd be willing to tweak mail-filter/milter-regex to
change Gentoo's default to milter-regex as well.
"Everybody benefits!" (Markos, The Con of Kos)
-Ralph
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-12-16 13:55 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-12-13 21:17 [gentoo-dev] RFC: acct-{user,group} for milter (438) Ralph Seichter
2019-12-15 4:36 ` Michael Orlitzky
2019-12-15 4:53 ` Ralph Seichter
2019-12-15 5:20 ` Michael Orlitzky
2019-12-15 14:46 ` Ralph Seichter
2019-12-15 14:51 ` Ralph Seichter
2019-12-15 23:18 ` Michael Orlitzky
2019-12-16 13:55 ` Ralph Seichter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox