This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
On Nov 17 14:00, Christian Franke wrote:
> Hi Corinna,
>
> Corinna Vinschen wrote:
> > Hi Christian,
> >
> > On Nov 13 23:48, Christian Franke wrote:
> >> I would like to contribute the Postfix Mail Transfer Agent.
> >>
> >> http://www.postfix.org/
> >>
> >> Download:
> >> wget -e robots=off -np -nH --cut-dirs=1 -R'index.html*' -r \
> >>   http://chrfranke.no-ip.org/cygwin/x86/release/postfix \
> >>   http://chrfranke.no-ip.org/cygwin/x86_64/release/postfix
> >>
> >> Important: It requires cygwin 1.7.33-1 (or a recent 1.7.33-0.X test
> >> release). It does not work with 1.7.32-1.
> >>
> >> For a first test try 'postfix-config --dryrun'. See the /etc/postfix/main.cf
> >> sample for some more info.
> > Packaging looks basically ok, but I see a few problems in
> > postfix-config:
> >
> > - The script uses passwd -R without asking the admin. I'm not so sure
> >   that's feasible. The admin should have a say in the matter.
>
> I agree and will add a csih_request there.
>
> >   Also, is
> >   passwd -R really required? This is typically not necessary, unless you
> >   potentially have to do stuff with native Windows tools (cron, sshd
> >   session). Postfix doesn't seem to be a candidate for that.
>
> For example the postsuper admin tool always drops root permissions by
> setuid/gid() to $mail_owner ('postfix') before doing anything interesting.
> (postfix never uses chown(), BTW).
>
> Could this really be done without passwd -R or cyglsa ?

Usually, yes. As a Cygwin tool without accessing native Windows
functionality, it should not have a problem using
https://cygwin.com/preliminary-ug/ntsec.html#ntsec-nopasswd1, unless
it has to access network drives.

> > - The script still accesses /etc/group and /etc/passwd, but it should
> >   not. For reading there's getent available for quite some time now.
> >   Creating accounts in /etc/passwd and /etc/group should depend on the
> >   Cygwin version.
>
> /etc/passwd is not accessed.

Sorry, I misread /usr/bin/passwd as /etc/passwd :}

> Yes, the first group 0 check should be replaced by getent, yes.

Oh, hey, group 0 won't exist in a db-only scenario. When testing for
the admins group, check for gid 544, or SID S-1-5-32-544 using getent.

> The other /etc/group modifications were only added because csih lacks a
> csih_create_local_group function.

Well, ok, but it shouldn't add to /etc/group invariably.

> > I prepared a matching function for testing this in
> > csih, which looks like this:
> >
> >   # Routine: csih_use_file_etc passwd|group
> >   # Check if /etc/passwd or /etc/group file is in use.
> >   # On Cygwin versions < 1.7.33, files are always used.
> >   # On Cygwin versions >= 1.7.33 it depends on /etc/nsswitch.conf.
> >   ...
> >   csih_use_file_etc()
> >   {
> >     ...
> >   } # === End of csih_use_file_etc() === #
> >   readonly -f csih_use_file_etc
> >
> > Maybe you could just copy the method for now until I get my lazy
> > back to finish the work on csih?
>
> OK.
>
> If csih_use_file_etc returns false, all the script could do for now is
> to refuse the creation of local users or groups.

No. If `csih_use_file_etc group' fails, don't write the newly created
group to /etc/group. Otherwise do.

> The (files-only|non-domain|domain) complexity should be handled in csih,
> IMO:

Uhm... AFAICS it is. After checking or creating a user, the new
incarnation of csih will have set three variables, either

  csih_PRIVILEGED_USERNAME
  csih_PRIVILEGED_USERWINNAME
  csih_PRIVILEGED_USERDOMAIN

or

  csih_UNPRIVILEGED_USERNAME
  csih_UNPRIVILEGED_USERWINNAME
  csih_UNPRIVILEGED_USERDOMAIN

so the calling script can just use the new name in whatever variation
required.

> > - I don't understand this one in create_postfix_accounts:
> >
> >   if /usr/bin/find / -maxdepth 0 -group "$setgid_group" >/dev/null 2>&1; then
> >   [...]
> >
> >   What are you looking for in /?
>
> Nothing :-) This fairly portable trick to check for group existence was
> inherited from an older script. Should be replaced by getent, of course.

Oh, ok. Yes, there's no guarantee that / is grp-owned by setgid_group.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
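
The checks discussed in this message, sketched as an added example that is not part of the original mail and is not csih or postfix-config code: group lookup through getent, the admins test by gid 544, and the decision whether a newly created group should also be written to /etc/group. All function names are hypothetical, and treating a missing /etc/nsswitch.conf or missing entry as "files db" is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not csih or postfix-config code.

# group_exists NAME|GID: true if NSS (files or db) can resolve the group.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# word_in_list WORD "LIST": true if WORD is in a space-separated list.
word_in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# is_admin: caller is in the local Administrators group, tested by
# gid 544 (SID S-1-5-32-544) instead of a "group 0" lookup.
is_admin() {
    word_in_list 544 "$(id -G)"
}

# version_has_db "1.7.33(0.280/5/3)": true for Cygwin >= 1.7.33.
version_has_db() {
    v=${1%%[!0-9.]*}                      # drop everything after the x.y.z part
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) -ge 1007033 ]
}

# uses_etc_file passwd|group [CONF] [VERSION]: true if new accounts should
# also be written to the /etc file. Assumption: a missing nsswitch.conf
# or missing entry means the default "files db".
uses_etc_file() {
    db=$1; conf=${2:-/etc/nsswitch.conf}; ver=${3:-$(uname -r)}
    version_has_db "$ver" || return 0     # older Cygwin: files always used
    [ -r "$conf" ] || return 0
    line=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$conf" | sed 's/#.*//' | tail -n 1)
    [ -n "$line" ] || return 0
    word_in_list files "$line"
}
```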