commit:     c8fe3982751aa4881b42f89ed080b210c4529c81
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 17 15:09:21 2018 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 23:23:57 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8fe3982

mail-filter/amavisd-new: new version 2.11.1.

A mostly standard version bump (bug 668494) with some improvements and
bug fixes piled on:

  * The sys-apps/file dependency is replaced by dev-perl/File-LibMagic
    to improve performance a bit (bug 592802).

  * New user creation has been moved to pkg_setup(). This allows us to
    set permissions and ownership properly in src_install(), so that
    we don't have to "fix" them later and cause big ol' security
    problems (bug 630836).

  * The OpenRC service script has been rewritten to use start-stop-daemon.
    This fixes outstanding bugs 507352, 634860, and 646336.

  * The systemd service dependencies have been updated (bug 581452). We
    never really needed spamassassin (spamd) at all, and we shouldn't fail
    to start if postfix/clamav are absent entirely.

  * As part of the previous item, removed two failing "sed" calls
    (that were missing die() statements!) intended to modify a service
    file that no longer lives where it used to.

Thanks are due to,

  * Marcin Mirosław who reported an OpenRC issue,
  * Nick Wiltshire for reporting and testing the OpenRC fixes,
  * Robin Lutz for reporting the OpenRC restart issue,
  * Timo Rothenpieler for reporting the systemd dependency issue.

Bug: https://bugs.gentoo.org/630836
Closes: https://bugs.gentoo.org/507352
Closes: https://bugs.gentoo.org/581452
Closes: https://bugs.gentoo.org/592802
Closes: https://bugs.gentoo.org/634860
Closes: https://bugs.gentoo.org/646336
Closes: https://bugs.gentoo.org/668494
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 mail-filter/amavisd-new/Manifest                   |  1 +
 ...-2.11.0-r4.ebuild => amavisd-new-2.11.1.ebuild} | 68 ++++++++++++----------
 mail-filter/amavisd-new/files/amavisd.initd-r2     | 42 +++++++++++++
 mail-filter/amavisd-new/files/amavisd.service-r1   | 21 +++++++
 4 files changed, 101 insertions(+), 31 deletions(-)

diff --git a/mail-filter/amavisd-new/Manifest b/mail-filter/amavisd-new/Manifest
index 44fb609486f..7b3a4228338 100644
--- a/mail-filter/amavisd-new/Manifest
+++ b/mail-filter/amavisd-new/Manifest
@@ -1 +1,2 @@
+DIST amavis-amavisd-new-2.11.1.tar.gz 1093467 BLAKE2B 
1e43ddea86ff269b02cbbcd125d913c51b66728b1063cde6ca3f3f24f1bd36f9f3c7f51a8baf509d2aca0d41a07a00bb9abe08dd70724391c552634715d01a75
 SHA512 
6ef291868908bd13d6ce913f5c8c3898b35eba490877e8eded3951a32be7549145df5db1409f124a3631ec88dd7eeb9457ce2b063ae3e3bccd76cc2a9b8741ae
 DIST amavisd-new-2.11.0.tar.xz 780548 BLAKE2B 
59cea5219a737275411c08c7d137ff2109ebbfee8f5f567d80e0cd73cfbb22887dd186383bfd02ad9880e099e0c06b829de43b9e12dbc3151813533166e51654
 SHA512 
a33292c976abf54db9475392069658c926e7a6f11a4970bbe353b34b3343388bc83b40eda4729f8efa735a3a6e23fd1ed83487f6f7ccf1e9f0903220e6d26957

diff --git a/mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild 
b/mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild
similarity index 79%
rename from mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild
rename to mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild
index 0efc27e6454..3b4205bb331 100644
--- a/mail-filter/amavisd-new/amavisd-new-2.11.0-r4.ebuild
+++ b/mail-filter/amavisd-new/amavisd-new-2.11.1.ebuild
@@ -1,13 +1,12 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
 inherit systemd user
 
-MY_P="${P/_/-}"
 DESCRIPTION="High-performance interface between the MTA and content checkers"
-HOMEPAGE="https://www.ijs.si/software/amavisd/";
-SRC_URI="https://www.ijs.si/software/amavisd/${MY_P}.tar.xz";
+HOMEPAGE="https://gitlab.com/amavis/amavis";
+SRC_URI="${HOMEPAGE}/-/archive/${P}/amavis-${P}.tar.gz"
 PORTAGE_DOHTML_WARN_ON_SKIPPED_FILES=yes
 
 LICENSE="GPL-2 BSD-2"
@@ -51,7 +50,7 @@ RDEPEND="${DEPEND}
        >=virtual/perl-Time-HiRes-1.49
        dev-perl/Unix-Syslog
        dev-perl/Net-LibIDN
-       sys-apps/file
+       dev-perl/File-LibMagic
        >=sys-libs/db-4.4.20
        dev-perl/BerkeleyDB
        dev-perl/Convert-BinHex
@@ -70,7 +69,14 @@ RDEPEND="${DEPEND}
        zmq? ( dev-perl/ZMQ-LibZMQ3 )"
 
 AMAVIS_ROOT="/var/amavis"
-S="${WORKDIR}/${MY_P}"
+S="${WORKDIR}/amavis-${P}"
+
+pkg_setup() {
+       # Create the user beforehand so that we can install the config file
+       # (and some directories) with group "amavis" in src_install().
+       enewgroup amavis
+       enewuser amavis -1 -1 "${AMAVIS_ROOT}" amavis
+}
 
 src_prepare() {
        # amavisd-new version 2.11.0 breaks DKIM signing of outbound mail,
@@ -103,8 +109,9 @@ src_prepare() {
        if ! use spamassassin ; then
                sed -i -e \
                        
"/^#[[:space:]]*@bypass_spam_checks_maps[[:space:]]*=[[:space:]]*(1)/s/^#//" \
-                               "${S}/amavisd.conf" || die "missing conf file - 
sa"
+                       "${S}/amavisd.conf" || die "missing conf file - sa"
        fi
+
        eapply_user
 }
 
@@ -125,21 +132,32 @@ src_install() {
                newinitd "${FILESDIR}"/amavis-mc.initd amavis-mc
        fi
 
+       if use ldap ; then
+               dodir /etc/openldap/schema
+               insinto /etc/openldap/schema
+               newins LDAP.schema ${PN}.schema || die
+       fi
+
+       # The config file should be root:amavis so that the amavis user can
+       # read (only) it after dropping privileges. And of course he should
+       # own everything in his home directory.
        insinto /etc
-       insopts -m0640
+       insopts -m0640 -g amavis
        doins amavisd.conf
 
-       newinitd "${FILESDIR}/amavisd.initd-r1" amavisd
+       # Implementation detail? Keepdir calls dodir under the hood.
+       diropts -o amavis -g amavis
+       keepdir "${AMAVIS_ROOT}"/{,db,quarantine,tmp,var}
 
-       systemd_dounit "${FILESDIR}/amavisd.service"
-       use clamav || sed -i -e '/Wants=clamd/d' 
"${ED}"/usr/lib/systemd/system/amavisd.service
-       use spamassassin || sed -i -e '/Wants=spamassassin/d' 
"${ED}"/usr/lib/systemd/system/amavisd.service
+       # BEWARE:
+       #
+       # Anything below this line is using the mangled insopts/diropts from
+       # above!
+       #
 
-       keepdir "${AMAVIS_ROOT}"
-       keepdir "${AMAVIS_ROOT}/db"
-       keepdir "${AMAVIS_ROOT}/quarantine"
-       keepdir "${AMAVIS_ROOT}/tmp"
-       keepdir "${AMAVIS_ROOT}/var"
+       newinitd "${FILESDIR}/amavisd.initd-r2" amavisd
+
+       systemd_dounit "${FILESDIR}/amavisd.service-r1"
 
        dodoc AAAREADME.first INSTALL MANIFEST RELEASE_NOTES TODO \
                amavisd.conf-default amavisd-custom.conf
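Review bot: The `diropts -o amavis -g amavis` line sets owner and group but no mode, so the `keepdir` call presumably creates `${AMAVIS_ROOT}` and its `db`, `quarantine`, `tmp` and `var` subdirectories with the default directory mode. That would leave the quarantine and temp directories traversable by every local user. Since these hold mail content, consider `diropts -o amavis -g amavis -m 0750`. Rather than relying on the BEWARE comment, it would also be safer to restore the defaults right after the `keepdir` line, for example `insopts -m0644` and `diropts -m0755`, so a helper added later cannot silently inherit group amavis or amavis ownership. The body of src_install starts and continues outside this hunk, so I could not check how the later helpers behave.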
@@ -155,18 +173,11 @@ src_install() {
        docinto test-messages
        dodoc test-messages/README
        dodoc test-messages/sample.tar.gz.compl
-
-       if use ldap ; then
-               dodir /etc/openldap/schema
-               insinto /etc/openldap/schema
-               insopts -o root -g root -m 644
-               newins LDAP.schema ${PN}.schema || die
-       fi
 }
 
 pkg_preinst() {
-       enewgroup amavis
-       enewuser amavis -1 -1 "${AMAVIS_ROOT}" amavis
+       # TODO: the following is done as root, but should probably be done
+       # as the amavis user.
        if use razor ; then
                if [ ! -d "${ROOT}${AMAVIS_ROOT}/.razor" ] ; then
                        elog "Setting up initial razor config files..."
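Review bot: The razor setup in pkg_preinst still runs as root inside `${ROOT}${AMAVIS_ROOT}`, which this commit now installs as owned by the unprivileged amavis user. The new TODO acknowledges this, but a root process writing into a directory that another user controls is the same class of problem as the recursive chown being removed. With `chown -R amavis:amavis` gone from pkg_postinst, whatever this block creates under `.razor` presumably stays root-owned, so the daemon may be unable to update it later. The commands that create the files lie outside this hunk, so please confirm. If they do write there, run them with privileges dropped to amavis or ship the initial config from src_install with explicit ownership.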
@@ -177,8 +188,3 @@ pkg_preinst() {
                fi
        fi
 }
-
-pkg_postinst() {
-       chown root:amavis "${ROOT}/etc/amavisd.conf"
-       chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}"
-}

diff --git a/mail-filter/amavisd-new/files/amavisd.initd-r2 
b/mail-filter/amavisd-new/files/amavisd.initd-r2
new file mode 100644
index 00000000000..2e58bf9b7a9
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.initd-r2
@@ -0,0 +1,42 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands="reload"
+command="/usr/sbin/${RC_SVCNAME}"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+# Why run in the foreground? Typically amavisd will drop privileges
+# and then write its own PID file in its home directory. This is fine
+# so long as you use e.g. "amavisd stop" to stop the daemon. But, we
+# want to use start-stop-daemon to do it. And start-stop-daemon will
+# send a signal *as root* to the PID contained in the PID file. So, we
+# don't want to rely on a PID file that's controlled by a non-root
+# user.
+#
+# As a workaround, we run amavisd in the foreground, and let
+# start-stop-daemon push it into the background with its own PID
+# file. We don't pass "-P" via command_args below because we don't
+# want amavisd to try (and fail) to create that PID file. This does
+# mean that you can't run "amavisd stop" or "amavisd reload" directly;
+# sorry!
+command_args="foreground"
+command_background="true"
+
+# The amavisd daemon provides its own "stop" and "reload" functions,
+# but if you read into the source, they just do what start-stop-daemon
+# is going to do anyway. The "stop" command for amavisd will send a
+# SIGTERM immediately, and then a SIGKILL after 60 seconds. So, we do
+# that too. The "reload" command sends a SIGHUP; see reload() below.
+retry="SIGTERM/15 SIGKILL/60"
+
+depend() {
+  use net logger antivirus snmpd
+  before mta
+}
+
+reload() {
+  ebegin "Reloading ${RC_SVCNAME}"
+  start-stop-daemon --signal HUP --pidfile "${pidfile}"
+  eend $?
+}
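Review bot: The comment above `retry` says amavisd's own stop sends SIGTERM and then SIGKILL after 60 seconds, "so, we do that too", but `retry="SIGTERM/15 SIGKILL/60"` does not match that. As I read the start-stop-daemon schedule, each pair is a signal followed by how long to wait afterwards, so this sends SIGKILL after only 15 seconds and then waits up to 60 more. A daemon killed partway through processing a message can leave work files behind in its temp directory. If the intent is to mirror upstream, use `retry="SIGTERM/60 SIGKILL/5"`; otherwise correct the comment to describe the 15-second grace period actually configured.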

diff --git a/mail-filter/amavisd-new/files/amavisd.service-r1 
b/mail-filter/amavisd-new/files/amavisd.service-r1
new file mode 100644
index 00000000000..03871285355
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.service-r1
@@ -0,0 +1,21 @@
+[Unit]
+Description=Amavisd Daemon
+Before=postfix.service
+After=clamd.service
+After=network.target
+
+[Service]
+User=amavis
+Group=amavis
+ExecStart=/usr/sbin/amavisd -c /etc/amavisd.conf foreground
+ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHome=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
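Review bot: `ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload` finds the daemon through the PID file that amavisd writes itself, rather than through the process systemd is tracking. The accompanying OpenRC script notes that amavisd's reload only sends SIGHUP, so `ExecReload=/bin/kill -HUP $MAINPID` would do the same thing without depending on that file being present and current. Because the unit runs in `foreground` mode, it is worth confirming that a PID file is written at all in that mode; if it is not, the current reload command would fail. This is a robustness point rather than a privilege concern, since the unit already runs as `User=amavis`.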
