Today's Topics:
1. Re: auth help (Jeffrey M. Vinocur)
2. Re: Odd issue with pod2man when building on Fedora build
server (Julien ÉLIE)
3. Re: auth help (Edwardo Garcia)
----------------------------------------------------------------------
Message: 1
Date: Sun, 5 Oct 2014 13:00:25 -0400 (EDT)
From: "Jeffrey M. Vinocur" <[email protected]>
To: Edwardo Garcia <[email protected]>
Cc: [email protected]
Subject: Re: auth help
Message-ID: <[email protected]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Thu, 2 Oct 2014, Edwardo Garcia wrote:
> We wish to move from domain access to username access, using pop3
> server, or mysql (mail server database) direct.
>
> Is there an easy example of this? We do not restrict groups, all
> logins have full group rights.
Sure, start with readers.conf manpage, the only question will be if you
can find a direct way to interface INN to your password database (such as
PAM) or need to write a little wrapper to be in between.
> and can limit parallel login to 10?
This is a bit trickier depending on what you mean. Ten connections per
user?
--
Jeffrey M. Vinocur
[email protected]
------------------------------
Message: 2
Date: Sun, 05 Oct 2014 19:53:44 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: Odd issue with pod2man when building on Fedora build
server
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8; format=flowed
Hi Russ,
>>> I suspect this is because INN is setuid. However, I don't think
>>> there's any reason not to build all of INN with -fPIE -pie if that's
>>> what you want (and likewise with other hardening flags), so I would
>>> just put that into CFLAGS during configure time.
>
>> Isn't there a risk that building with '-fPIE -pie' introduces
>> instability at runtime? I read at
>> <https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags>
>> that some code does not function properly when PIE is used. Probably
>> code that is position-dependent, but how can we be sure that no part of
>> INN uses that?
>
> My experience is that you'll know if this happens, since the binary will
> exit immediately with a bus error when run. I build all my packages for
> Debian with PIE by default now, and have only run into one package (GNU
> Backgammon) that didn't work, and I suspect that's because it has some
> assembly for speeding up some parts of the game engine. If you're writing
> straight C and not doing anything exciting, PIE really should work.
Looking at adding PIE to INN, I see:
http://mainisusuallyafunction.blogspot.fr/2012/05/automatic-binary-hardening-with.html
mentioning that PIE can lead to drastic slowdown. It could therefore be
problematic for news admins that care a lot about peering fast...
A few projects have added an --enable-gcc-hardening flag to use specific
hardening flags when building and linking.
Should we do the same for INN, for instance with a --with-hardening
configure flag?
Then we would enable it by default if gcc (or any compiler that makes
autoconf set $GCC to "yes") is used, and set relevant hardening flags.
If one does not want to use hardening, he would add the
--without-hardening flag to configure. Useful for instance to
deactivate that when building with clang; it sets $GCC to "yes" but does
not recognize all the flags (like -pie).
Does it sound like the right thing to do to harden INN?
--
Julien ÉLIE
« The Internet will always remain a toy for academics. »
(1991)
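
The clang remark above suggests probing the compiler instead of trusting $GCC. The following is an added example, not code from the thread or from INN's configure script: it tries -fPIE and -pie cumulatively against the actual compiler and keeps only what is accepted. The function names and the use of -Werror are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: configure-time probe for the hardening flags discussed above.

# flag_accepted CC FLAG...
# Succeeds if CC compiles and links a trivial program with the given flags.
# -Werror (an assumption of this sketch) turns "unused argument" warnings
# into failures, so a flag the compiler merely ignores is rejected.
flag_accepted() {
    _fa_cc=$1
    shift
    _fa_tmp=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$_fa_tmp/probe.c"
    if "$_fa_cc" -Werror "$@" -o "$_fa_tmp/probe" "$_fa_tmp/probe.c" \
        >/dev/null 2>&1; then
        _fa_rc=0
    else
        _fa_rc=1
    fi
    rm -rf "$_fa_tmp"
    return "$_fa_rc"
}

# select_hardening_flags CC FLAG...
# Probes flags cumulatively (so -pie is tested together with -fPIE) and
# prints the accepted subset on one line.
select_hardening_flags() {
    _sh_cc=$1
    shift
    _sh_ok=""
    for _sh_flag in "$@"; do
        # $_sh_ok is deliberately unquoted: it holds a space-separated list.
        if flag_accepted "$_sh_cc" $_sh_ok "$_sh_flag"; then
            _sh_ok="${_sh_ok:+$_sh_ok }$_sh_flag"
        fi
    done
    printf '%s\n' "$_sh_ok"
}

# hardening_flags yes|no CC
# Mirrors the proposed --with-hardening / --without-hardening switch.
hardening_flags() {
    if [ "$1" = "no" ]; then
        return 0
    fi
    select_hardening_flags "$2" -fPIE -pie
}

# Stand-alone use: print the flags the local compiler accepts.
hardening_flags "${1:-yes}" "${CC:-cc}"
```

The printed list would be appended to CFLAGS and LDFLAGS by the build; an empty result means the compiler accepted none of the candidates.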
------------------------------
Message: 3
Date: Mon, 6 Oct 2014 21:32:59 +1000
From: Edwardo Garcia <[email protected]>
To: "Jeffrey M. Vinocur" <[email protected]>
Cc: [email protected]
Subject: Re: auth help
Message-ID:
<CANso6eFbm=rKoL=tqB+uXot13XOo=gAJ-t0z==7x_pqryqd...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
PAM? We do not use such a thing on our operating systems even, we use
mysql for all database user accessing
On 10/6/14, Jeffrey M. Vinocur <[email protected]> wrote:
> On Thu, 2 Oct 2014, Edwardo Garcia wrote:
>
>> We wish to move from domain access to username access, using pop3
>> server, or mysql (mail server database) direct.
>>
>> Is there an easy example of this? We do not restrict groups, all
>> logins have full group rights.
>
> Sure, start with readers.conf manpage, the only question will be if you
> can find a direct way to interface INN to your password database (such as
> PAM) or need to write a little wrapper to be in between.
>
>
>> and can limit parallel login to 10?
>
> This is a bit trickier depending on what you mean. Ten connections per
> user?
>
>
> --
> Jeffrey M. Vinocur
> [email protected]
>
------------------------------
End of inn-workers Digest, Vol 65, Issue 2
******************************************