Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-16 Thread Ralph Seichter
* Michael Orlitzky:

> I'm sure someone will object to the name acct-user/_milter-regex, but
> that would be the easiest option, being the upstream default.

Admittedly, _milter-regex makes me wince. It displeases my sense of
aesthetics and affects sorting order in acct-*. I'd like to lose the
underscore, and I'd be willing to tweak mail-filter/milter-regex to
change Gentoo's default to milter-regex as well.

"Everybody benefits!" (Markos, The Con of Kos)

-Ralph



Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-15 Thread Michael Orlitzky
On 12/15/19 9:46 AM, Ralph Seichter wrote:
> 
> Milter-regex only needs a user to isolate the process and its single
> configuration file (/etc/milter-regex.conf). My PR adds acct-user/milter
> without a home directory, because milter-regex does not need one, nor
> does it write anything to disk. It is designed to hold everything in
> memory only.

Right, this is what I was anticipating.


> Could that lack of a home directory hurt OpenDMARC? I use OpenDMARC and
> milter-regex on the same servers and did not run into problems.

That's what I don't know. I think it's unlikely that OpenDMARC's user
needs a home directory, but the daemon may expect /var/lib/milter to be
writable and currently that happens as a side effect of the enewuser
call. If acct-user/milter (with no home directory) is installed first,
then /var/lib/milter won't exist and be writable.

You might also affect people who have modified their OpenDMARC user's
home directory or shell, if there's any reason to do that. Michał
already posted the solution to that problem (override acct-user/milter
in an overlay), but if that happens then people will be overriding one
daemon's user to keep another unrelated daemon working -- not very
aesthetically pleasing.

tl;dr if I were you I would rather not have to worry about any of this.

I'm sure someone will object to the name acct-user/_milter-regex, but
that would be the easiest option, being the upstream default. It's also
unlikely that someone will try to repurpose that user for another milter
in the future, putting us back in the same situation as we are with
OpenDMARC today.



Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-15 Thread Ralph Seichter
> Milter-regex only needs a user to isolate the process and its single
> configuration file (/etc/milter-regex.conf).

I forgot to mention:

  $ ls -l /etc/milter-regex.conf
  -rw-r--r-- 1 root root 2.3K Dec 14 22:13 /etc/milter-regex.conf

Owned by root, world-readable because nothing sensitive is configured,
so I see no security risk (from the POV of milter-regex) in regards to
this config file.

-Ralph



Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-15 Thread Ralph Seichter
* Michael Orlitzky:

> (a) we still have a dumb security vulnerability, in that these daemons
> can modify each others' files

That vulnerability has existed as long as the second package came around
and re-used the "milter" user, and to my knowledge nothing bad has come
of it so far.

I have an open PR[1] that the QA checks on GitHub will not allow to pass
unless I migrate milter-regex to using acct-* instead of user.eclass, so
that is what I did.

[1] https://github.com/gentoo/gentoo/pull/13964

> (b) you have to be careful not to do anything in acct-user/milter that
> could break someone's opendmarc setup

Milter-regex only needs a user to isolate the process and its single
configuration file (/etc/milter-regex.conf). My PR adds acct-user/milter
without a home directory, because milter-regex does not need one, nor
does it write anything to disk. It is designed to hold everything in
memory only.

Could that lack of a home directory hurt OpenDMARC? I use OpenDMARC and
milter-regex on the same servers and did not run into problems.

-Ralph



Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-14 Thread Michael Orlitzky

On 12/14/19 11:53 PM, Ralph Seichter wrote:
> Of the three packages you mentioned, milter-regex (not regex-milter) is
> the only one with a name that actually contains "milter". OpenDMARC
> should never have used a user named milter in the first place, and in
> the future it should use "opendmarc".
>
> Besides, since nobody has claimed group/user "milter" before me, I think
> this falls under first come, first serve.


I agree that milter-regex has the strongest claim to the username. All 
I'm saying is that until opendmarc updates to GLEP81, changes its 
username, and all of its old versions have been purged from the tree...


  (a) we still have a dumb security vulnerability, in that these daemons
  can modify each others' files; and

  (b) you have to be careful not to do anything in acct-user/milter that
  could break someone's opendmarc setup, because now reinstalling
  acct-user/milter will reset all of the settings for its user (see
  the mythtv thread from today about this).



Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-14 Thread Ralph Seichter
* Michael Orlitzky:

> I guess we could keep "milter" for only regex-milter, but that has the 
> disadvantage that it messes with the opendmarc package in the meantime. 

Of the three packages you mentioned, milter-regex (not regex-milter) is
the only one with a name that actually contains "milter". OpenDMARC
should never have used a user named milter in the first place, and in
the future it should use "opendmarc".

Besides, since nobody has claimed group/user "milter" before me, I think
this falls under first come, first serve.

-Ralph



Re: [gentoo-dev] RFC: acct-{user,group} for milter (438)

2019-12-14 Thread Michael Orlitzky

On 12/13/19 4:17 PM, Ralph Seichter wrote:
> The mail-filter/milter-regex ebuild already uses user/group 'milter',
> and for the currently open bump to version 2.7 I'd like to claim GID/UID
> 438.


I recently cited the "milter" user on this list as a bad example from 
the user.eclass days... it was used by at least three unrelated 
packages: milter-regex, opendmarc, and opendkim. I fixed opendkim, of 
course, but it looks like opendmarc still uses "milter" as its user, too.


Now would be a good time to switch them to unique accounts, since 
neither package should be able to access the other's files. The obvious 
choice for opendmarc is "opendmarc", and that's even what upstream 
defaults to -- we sed it to "milter" in Gentoo.


I guess we could keep "milter" for only regex-milter, but that has the 
disadvantage that it messes with the opendmarc package in the meantime. 
Upstream uses "_milter-regex", and according to the PMS that's... 
actually... a legal package name? How do people feel about that? It's 
insane, for sure; but I'm too tired to tell if it's good insane or bad 
insane.
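
Added example, not part of the thread and not code from Gentoo: a small audit that finds account names claimed by more than one package and notes which package relies on `enewuser` creating its home directory, the two concerns raised in this thread. The ebuild fragments, function names and the exact `enewuser` arguments are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Constructed ebuild fragments (not copied from the Gentoo tree).
SAMPLE_EBUILDS = {
    "mail-filter/opendmarc": '''
pkg_setup() {
	enewgroup milter
	enewuser milter -1 -1 /var/lib/milter milter
}
''',
    "mail-filter/milter-regex": 'RDEPEND="acct-group/milter acct-user/milter"\n',
    "mail-filter/opendkim": 'RDEPEND="acct-user/opendkim"\n',
}

ENEWUSER = re.compile(r"^\s*enewuser\s+(.+)$", re.M)
ACCT_USER = re.compile(r"\bacct-user/([A-Za-z0-9_][A-Za-z0-9+_.-]*)")

def claimed_users(ebuild_text):
    """Return {user: homedir or None} for accounts one ebuild creates or depends on."""
    users = {}
    for m in ENEWUSER.finditer(ebuild_text):
        args = shlex.split(m.group(1), comments=True)
        # user.eclass: enewuser <user> [uid] [shell] [homedir] [groups]
        home = args[3] if len(args) > 3 and args[3] != "-1" else None
        users[args[0]] = home
    for m in ACCT_USER.finditer(ebuild_text):
        users.setdefault(m.group(1), None)
    return users

def shared_accounts(ebuilds):
    """Map each user name claimed by more than one package to its claimants."""
    by_user = defaultdict(dict)
    for pkg, text in ebuilds.items():
        for user, home in claimed_users(text).items():
            by_user[user][pkg] = home
    return {u: pkgs for u, pkgs in by_user.items() if len(pkgs) > 1}

def report(ebuilds):
    """One line per shared account, plus any package depending on a created homedir."""
    lines = []
    for user, pkgs in sorted(shared_accounts(ebuilds).items()):
        lines.append(f"user '{user}' shared by: {', '.join(sorted(pkgs))}")
        for pkg, home in sorted(pkgs.items()):
            if home:
                lines.append(f"  {pkg} relies on enewuser creating {home}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EBUILDS)))
```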