From: Christopher Baines
To: maxim.cournoyer@gmail.com
Cc: 41763@debbugs.gnu.org
Subject: [bug#41763] services: opensmtpd: Fix the setgid problem for the smtpctl utility.
Date: Thu, 11 Jun 2020 20:20:06 +0100
Message-ID: <87v9jx8l5l.fsf@cbaines.net>
In-reply-to: <87eeqpih6q.fsf@hurd.i-did-not-set--mail-host-address--so-tickle-me>
References: <87eeqpih6q.fsf@hurd.i-did-not-set--mail-host-address--so-tickle-me>
User-agent: mu4e 1.2.0; emacs 26.3

maxim.cournoyer@gmail.com writes:

> The following patches provide a means to specify a user and group for a
> setuid program, and use that to fix a setgid permission issue in the
> context of the opensmtpd service.
>
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> --8<---------------cut here---------------start------------->8---
> (operating-system)
>   [...]
>   (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
>                          %setuid-programs))
> --8<---------------cut here---------------end--------------->8---
>
> The smtpq user is created as part of the OpenSMTPD service definition.
>
> Thank you,
>
> Maxim

Well, thank you for looking into this Maxim. I've had a brief look
through the patches, although I don't know enough about this area to
comment properly on them.

I wonder if it's worth using a record type to make it possible to pass
the user and group values to the service. That would probably result in
more readable configuration than just using a list of varying length.

Specifically on the diff:

- (list #$@programs))))))
+ (quote (#$@programs)))))))

This change here will mean that you can't pass some values in, as they
won't be evaluated. #~(string-append sendmail "/usr/sbin/sendmail") would
no longer work for example.

Thanks again,

Chris
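
Review bot: on the `+` line, wrapping the spliced entries in `(quote (#$@programs))` turns every entry into literal data, so an entry that is itself an expression, such as the `#~(string-append sendmail "/usr/sbin/sendmail")` case raised in this message, is never evaluated. Because these entries decide which files are set up as setuid/setgid programs and under which user, the accepted entry shapes should be explicit: consider keeping `(list #$@programs)` and having each entry that carries a user or group produce its own `(list ...)` form or a record, and document the accepted forms next to this code.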