Bug 172576 - net-mail/dovecot should preserve permissions of deliver
Summary: net-mail/dovecot should preserve permissions of deliver
Status: RESOLVED DUPLICATE of bug 141619
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Portage team
Reported: 2007-03-28 17:30 UTC by Láďa Durchánek
Modified: 2007-04-03 21:32 UTC (History)
Description Láďa Durchánek 2007-03-28 17:30:10 UTC
I really do not know whether this is possible in Portage, but I will try :-) Dovecot installs an LDA called deliver to /usr/libexec/dovecot/deliver. In some circumstances (when using separate UIDs per mailbox/domain/whatever) you have to make it suid root. It is also wise to change the permissions of deliver so that it is executable only by the user running SMTP, e.g. postfix:postfix.
So it would be nice if the ebuild preserved the permissions/ownership of this file.

I can also try to provide a patch if it is possible and someone gives me a quick hint :-)

Reproducible: Always
Comment 1 Láďa Durchánek 2007-03-28 17:31:01 UTC
Sorry, typo in subject.
Comment 2 Roy Marples (RETIRED) gentoo-dev 2007-03-28 20:34:32 UTC
The suid USE flag now installs deliver suid.
It's up to you to manage more permissions.
Comment 3 Láďa Durchánek 2007-03-28 20:50:16 UTC
Sorry, but I think that this is not a proper solution. The right solution would be to leave the permissions/ownership of deliver untouched. Taken from the Dovecot Wiki:

"deliver isn't designed to be run as setuid-root, so you should take extra steps to make sure that untrusted users can't run it and potentially gain root privileges"

so there should be at least a big ewarn about this and about changing the permissions of deliver during an update, because it is making the Dovecot installation less secure (I think that users will not consider this as unneeded babysitting). As I already mentioned, I am free to make the patch if you think that it is possible.
Comment 4 Roy Marples (RETIRED) gentoo-dev 2007-03-29 00:31:36 UTC
Yes, I did read that - however that is what you are asking, otherwise I am confused.

OK, given the current limitations of portage, the choices are

1) no choice, no suid
2) some choice - suid USE flag to make deliver suid.

Aside from that, patches to either the ebuild or portage are welcome.
Comment 5 Láďa Durchánek 2007-03-29 08:20:09 UTC
Sorry for the misunderstanding, I was asking if it is possible to preserve the permissions of "deliver" when an old version is found (including owner and mode)? I do not know the current limitations of Portage and that's why I was asking...
Comment 6 Roy Marples (RETIRED) gentoo-dev 2007-04-03 11:39:41 UTC
I don't know of such a portage feature.

We would need one as the tools to work out group/owner of existing files are very much platform dependent (i.e., the stat userland function).
Comment 7 Marius Mauch (RETIRED) gentoo-dev 2007-04-03 21:32:31 UTC
Other than waiting for bug #141619 you could check the permissions of the existing binary in preinst and restore those permissions in postinst (but that's just a nasty workaround).

*** This bug has been marked as a duplicate of bug 141619 ***
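
The workaround from comment 7 (record the installed binary's owner and mode before the merge, reapply them afterwards), written out as an added example that is not taken from the Dovecot ebuild or from Portage. The function names and the state-file argument are hypothetical; in an ebuild `save_perms` would be called from `pkg_preinst` and `restore_perms` from `pkg_postinst`, with the state file kept in a root-only directory.

```shell
#!/bin/sh
# Added example: helper names and the state-file argument are hypothetical.

# Print "uid:gid mode" for a file. GNU and BSD stat take different flags,
# which is the platform dependence mentioned in comment 6.
file_perms() {
    stat -c '%u:%g %a' "$1" 2>/dev/null || stat -f '%u:%g %Lp' "$1"
}

# save_perms FILE STATE: call before the new files are merged.
save_perms() {
    rm -f "$2"
    # First install: there is nothing to preserve.
    [ -f "$1" ] || return 0
    (umask 077; file_perms "$1" > "$2")
}

# restore_perms FILE STATE: call after the merge.
restore_perms() {
    [ -f "$2" ] || return 0
    read -r owner mode < "$2"
    rm -f "$2"
    # Refuse anything that is not a numeric uid:gid and an octal mode.
    case "$owner" in *[!0-9:]*|'') return 1 ;; esac
    case "$mode" in *[!0-7]*|'') return 1 ;; esac
    # chown first: the kernel clears setuid/setgid bits on chown, so the
    # mode must be applied last or a saved suid bit would be lost.
    chown "$owner" "$1" && chmod "$mode" "$1"
}
```

Numeric IDs are stored rather than names so the restore does not depend on the passwd database, and a restrictive mode such as `4750` owned by the SMTP user's group survives the upgrade instead of being reset to the package default.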