Jonathan Steinert wrote:
> Jonathan Steinert wrote:
>> The patch below may not be perfect, but it does set the user and group
>> down when you start as root and supply the right arguments.
>> TMTOWTDI
>> --Jonathan Steinert
> ... and it wasn't perfect, didn't even work completely. Thanks to Dieter
> for pointing out that I need to setgid before I setuid, and several
> other crazy things I did.
> Here is a diff of the corrected version. It also bails if the
> setuid/setgid fails.
Here's a patch to spfd that I am currently using, if anyone is
interested. It is based on Jonathan's version (spfd.v2 below).
It sets the permissions "correctly" on the unix socket, using -user and
-group. It also makes the permissions on the socket 660. This patch will
help to support the _exim_ spf acl that David Saez wrote, that appears
to be working great, now that my socket permissions are ok.
I start it like so...
# /usr/local/bin/spfd -path=/tmp/spfd -user=mailnull -group=mail &
--- spfd.v2 Wed Dec 17 07:47:49 2003
+++ spfd Wed Dec 17 09:50:24 2003
@@ -3,9 +3,6 @@
eval 'exec /usr/local/bin/perl -sw -S $0 ${1+"$@"}'
if 0; # not running under some shell
-
-#!/usr/bin/perl -sw
-
# simple forking daemon to provide SPF services
# mengwong+spf(_at_)pobox(_dot_)com
# Tue Oct 28 00:46:44 EST 2003
@@ -14,9 +11,11 @@
#
# or use Mail::Postfix::Attr to query spfd over a unix domain socket.
#
-# ./spfd -port=5970 # inet socket
-# ./spfd -path=/var/spfd # unix domain socket
-#
+# ./spfd -port=5970 # inet socket
+# ./spfd -path=/var/spfd # unix domain socket
+# [-user=(uid|username)] #setuid user for process if using inet socket
+# # or chown if using unix-socket
+# [-group=(gid|groupname)] # as above, but with group
use Mail::SPF::Query;
use Socket;
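Review bot: the new usage comment should say plainly that in unix-socket mode (`-path`) the daemon keeps running as root and only the socket file is chowned; "setuid user for process if using inet socket / or chown if using unix-socket" is easy to read as the process dropping privileges in both modes, and the invocation quoted in this message (`-path=/tmp/spfd -user=mailnull -group=mail`) is exactly the case where nothing is dropped. Minor: the `[-user=(uid|username)] #setuid ...` line lost the space before `#` that the neighbouring option lines have.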
@@ -41,20 +40,22 @@
exit 1;
}
-if ($group) {
- if ($group =~ /\D/) {
- $group = getgrnam($group) || die "Group: $group not found\n";
- }
+if ($group =~ /\D/) {
+ $group = getgrnam($group) || die "Group: $group not found\n";
+}
+
+if ($port and $group) {
$( = $) = $group;
unless ($( == $) and $( == $group) {
die( "setgid($group) call failed: $!\n" );
}
}
-if ($user) {
- if ($user =~ /\D/) {
- $user = getpwnam($user) || die "User: $user not found\n";
- }
+if ($user =~ /\D/) {
+ $user = getpwnam($user) || die "User: $user not found\n";
+}
+
+if ($port and $user) {
$< = $> = $user;
unless ($< == $> and $< == $user) {
die( "setuid($user) call failed: $!\n" );
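Review bot: `if ($group =~ /\D/)` and `if ($user =~ /\D/)` now run even when `-group`/`-user` were not given, so under `-w` every start without those switches prints "Use of uninitialized value"; keep the outer `if ($group)` / `if ($user)` guards (or test `defined`). In the same hunk, `$( = $) = $group` assigns a single number to `$)`, which per perlvar sets only the effective gid and leaves root's supplementary groups in place; `$) = "$group $group"` gives an empty setgroups() list. The `|| die` after `getgrnam`/`getpwnam` also reports gid/uid 0 as "not found", so `defined` is the right test there. Doing the group before the user is correct, and since both blocks are gated on `$port`, note that no privileges are dropped at all in `-path` mode.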
@@ -89,8 +90,14 @@
my $server = $sock_type eq "inet" ? IO::Socket::INET->new(@args) :
IO::Socket::UNIX->new(@args);
if ($path) {
- # fixup perms so local users can read/write to the unix socket
- chmod 0666, $path or die "Cannot fixup perms on $path -- $!";
+ if ($group and $user) {
+ chown $user, $group, $path or die "Cannot chown $user, $group on
$path -- $!";
+
+ } elsif ($user) {
+ chown $user, -1, $path or die "Cannot chown $user on $path --
$!";
+ }
+ # fixup perms so that our user/group can read/write to the unix socket
+ chmod 0660, $path or die "Cannot fixup perms on $path -- $!";
}
DEBUG and print "$$: server is $server\n";
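Review bot: the `if ($group and $user) ... elsif ($user)` ladder has no branch for `-group` alone, so with only `-group=mail` the socket stays owned by root:root and the new `chmod 0660` then locks out the very group it was meant to admit; add an `elsif ($group) { chown -1, $group, $path or die ... }` branch, or collapse the ladder into one `chown(defined $user ? $user : -1, defined $group ? $group : -1, $path)`. Also, both the chown and the chmod run after `IO::Socket::UNIX->new` has already bound the path, so the socket briefly exists with the umask-derived mode (0777 & ~umask, usually 0755); setting `umask 0117` before creating the socket binds it as 0660 from the start. Finally, because the setuid/setgid blocks earlier in the patch only run when `$port` is set, the daemon serving this chowned socket is still root.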
--
=> Mark Foster <mark(_at_)foster(_dot_)cc> http://mark.foster.cc/
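As an added example (not Mark's patch, nor spfd's own code), the same socket-permission and privilege-drop sequence written in the order a reviewer would ask for: bind with a restrictive umask, chown while still root, then drop supplementary groups, gid and uid, and verify the drop cannot be undone. The helper names are ours, and the comment about the saved uid assumes Linux setreuid()/seteuid() semantics.

```perl
# Added example, not code from the spfd patch: the socket-permission and
# privilege-drop steps in reviewer-approved order (helper names are ours).
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM);

# Numeric id or name; test definedness so uid/gid 0 is not read as "not found".
sub resolve_id {
    my ($kind, $name) = @_;
    return $name if $name =~ /^\d+$/;
    my $id = $kind eq 'user' ? getpwnam($name) : getgrnam($name);
    defined $id or die ucfirst($kind) . ": $name not found\n";
    return $id;
}

# Bind the unix socket with the final mode already in force: umask 0117 gives
# 0660 at bind() time, so there is no window where the socket is world-
# accessible before a later chmod tightens it. We are still root, so chown works.
sub make_unix_socket {
    my ($path, $uid, $gid) = @_;
    unlink $path if -S $path;          # stale socket from a previous run
    my $old_umask = umask 0117;
    my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 5)
        or die "Cannot bind $path: $@\n";
    umask $old_umask;
    chown $uid, $gid, $path or die "Cannot chown $path: $!\n";
    return $server;
}

# Drop root in the safe order: supplementary groups, gid, then uid last.
# "$gid $gid" makes Perl call setgroups() with an empty list; a bare $gid
# would leave root's supplementary groups in place (see perlvar on $)).
sub drop_privileges {
    my ($uid, $gid) = @_;
    $) = "$gid $gid";
    $( = $gid;
    die "setgid($gid) failed: $!\n" unless $( == $gid and $) == $gid;
    $> = $uid;                          # effective uid first ...
    $< = $uid;                          # ... then real uid; Linux drops the saved uid too
    die "setuid($uid) failed: $!\n" unless $< == $uid and $> == $uid;
    $> = 0;                             # must be refused: no way back to root
    die "saved uid still root, privilege drop incomplete\n" if $> == 0;
}

# As in the message's -path invocation: create/chown the socket as root, then drop root.
my ($path, $user, $group) = ('/tmp/spfd', 'mailnull', 'mail');
my ($uid, $gid) = (resolve_id('user', $user), resolve_id('group', $group));
my $server = make_unix_socket($path, $uid, $gid);
drop_privileges($uid, $gid);
```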
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt