From 07557014e272d7cbd29036037189e5c724d96697 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Wed, 8 Nov 2017 00:58:10 +0100 Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run --- conf.d/spamd | 17 +++-- group | 1 + group- | 2 +- gshadow | 1 + gshadow- | 2 +- init.d/spamd | 65 +++++++------------ passwd | 1 + passwd- | 1 + shadow | 1 + shadow- | 1 + .../spamassassin.service.d/00gentoo.conf | 10 +-- 11 files changed, 44 insertions(+), 58 deletions(-) diff --git a/conf.d/spamd b/conf.d/spamd index 0cb7cbbf..b7b46f32 100644 --- a/conf.d/spamd +++ b/conf.d/spamd @@ -1,13 +1,8 @@ -# Config file for /etc/init.d/spamd -# # ***WARNING*** # -# spamd was not designed to listed to an untrusted network. spamd -# is vulnerable to DoS attacks (and eternal doom) if used to listen -# to an untrusted network. +# The spamd daemon must not run on an untrusted network. # # ***WARNING*** -# # Additional options to pass to the spamd daemon. The spamd(1) man # page explains the available options. If you choose to listen on a @@ -23,3 +18,13 @@ SPAMD_NICELEVEL=0 # asked it to? After this amount of time, if spamd is still running, # we will assume that it has failed to stop. SPAMD_TIMEOUT=15 + +# Do you want to run spamd as root? If you have local users storing their +# personal configurations (or bayes databases) in ~/.spamassassin, then you +# may want to run spamd as root so that it can setuid to each user while +# processing his spam. (That way, you don't have to grant the "spamd" user +# individual permissions to everyone's ~/.spamassassin directory.) +# +# On the other hand, if you don't store any per-user configuration on +# the filesystem, then you should leave this alone. +SPAMD_RUN_AS_ROOT=false diff --git a/group b/group index c5f585a3..ae7be688 100644 --- a/group +++ b/group @@ -91,3 +91,4 @@ tss:x:966: groonga:x:965: systemd-coredump:x:964: plex:x:963: +spamd:x:137: diff --git a/group- b/group- index 4b37e80c..c5f585a3 100644 --- a/group- +++ b/group- 
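Review bot: In conf.d/spamd, the comment added above `SPAMD_RUN_AS_ROOT=false` does not say which values the setting accepts. The init.d/spamd change in this same patch tests for the exact string `true` and treats every other value as "use the spamd user", so `yes` or `1` would silently keep the unprivileged account. That fails safe, but the admin should be told. I would add a line such as `# Only the exact value "true" runs spamd as root; anything else uses the spamd user and group.` Since running as root widens what a flaw in spamd can reach, the comment could also say that in one sentence.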
@@ -16,7 +16,7 @@ console:x:17:
 audio:x:18:pulse,frank,heiko,patrick,vivi,doris,robert,steffen,gast
 cdrom:x:19:frank,heiko,patrick,vivi,doris,robert,steffen
 tape:x:26:root
-video:x:27:root,frank,heiko,patrick,vivi,doris,robert,steffen,gdm,gast
+video:x:27:root,frank,heiko,patrick,vivi,doris,robert,steffen,gdm,gast,plex
 cdrw:x:80:
 usb:x:85:
 users:x:100:
diff --git a/gshadow b/gshadow
index fcb003a5..cbd77b96 100644
--- a/gshadow
+++ b/gshadow
@@ -89,3 +89,4 @@ tss:!::
 groonga:!::
 systemd-coredump:!::
 plex:!::
+spamd:!::
diff --git a/gshadow- b/gshadow-
index df2ab1a8..fcb003a5 100644
--- a/gshadow-
+++ b/gshadow-
@@ -16,7 +16,7 @@ console:::
 audio:::pulse,gast
 cdrom:::
 tape:::root
-video:::root,gdm,gast
+video:::root,gdm,gast,plex
 cdrw:::
 usb:::
 users:::
diff --git a/init.d/spamd b/init.d/spamd
index 1e8bae47..c704782f 100755
--- a/init.d/spamd
+++ b/init.d/spamd
@@ -1,55 +1,38 @@ #!/sbin/openrc-run -# Copyright 1999-2016 Gentoo Foundation +# Copyright 1999-2017 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -PIDDIR=/run/spamd -PIDFILE=${PIDDIR}/spamd.pid +command="/usr/sbin/spamd" +pidfile="/run/spamd.pid" +command_args="--pidfile=${pidfile} ${SPAMD_OPTS}" +command_args_background="--daemonize" -extra_started_commands="reload" - -depend() { - before mta - use logger - use postgresql - use mysql -} - -start() { - ebegin "Starting spamd" +if ! [ "${SPAMD_RUN_AS_ROOT}" = "true" ]; then + # Passing --username=root to spamd kills it, so if SPAMD_RUN_AS_ROOT + # is true, then we want to pass no user/group command args at all. + # Any value other than "true" gets the default user/group of "spamd". + command_args="${command_args} --username=spamd --groupname=spamd" +fi - # Ensure that the PID file's directory exists. - checkpath --directory "${PIDDIR}" +: ${SPAMD_NICELEVEL:=0} +start_stop_daemon_args="--nicelevel ${SPAMD_NICELEVEL}" - # Reloading spamd causes its PID to change, so we track it by - # name instead. - start-stop-daemon --start --quiet \ - --name spamd \ - --nicelevel ${SPAMD_NICELEVEL} \ - --pidfile ${PIDFILE} \ - --exec /usr/sbin/spamd -- \ - --daemonize \ - --pidfile=${PIDFILE} \ - ${SPAMD_OPTS} +# Retry after SPAMD_TIMEOUT seconds because spamd can take a +# while to kill off all of its children. This was bug 322025. +: ${SPAMD_TIMEOUT:=15} +retry="${SPAMD_TIMEOUT}" - retval=$? - - eend ${retval} "Failed to start spamd" -} +extra_started_commands="reload" -stop() { - ebegin "Stopping spamd" - # Retry after SPAMD_TIMEOUT seconds because spamd can take a - # while to kill off all of its children. This was bug 322025. - start-stop-daemon --stop \ - --quiet \ - --retry ${SPAMD_TIMEOUT} \ - --pidfile ${PIDFILE} - eend $? 
"Failed to stop spamd" +depend() { + before mta + use logger mysql postgres } reload() { ebegin "Reloading configuration" - # Warning: causes the PID of the spamd process to change. - start-stop-daemon --signal HUP --quiet --pidfile ${PIDFILE} + # Warning: reload causes the PID of the spamd process to + # change, but spamd does update its PID file afterwards. + start-stop-daemon --signal HUP --pidfile "${pidfile}" eend $? } diff --git a/passwd b/passwd index 6faa266c..f31be224 100644 --- a/passwd +++ b/passwd @@ -73,3 +73,4 @@ groonga:x:134:965:added by portage for groonga:/dev/null:/sbin/nologin systemd-coredump:x:135:964:added by portage for systemd:/dev/null:/sbin/nologin gast:x:1124:100:Gastnutzer:/home/gast:/bin/bash plex:x:136:963:added by portage for plex-media-server:/var/lib/plexmediaserver:/bin/bash +spamd:x:137:137:added by portage for spamassassin:/home/spamd:/sbin/nologin diff --git a/passwd- b/passwd- index e288b30c..6faa266c 100644 --- a/passwd- +++ b/passwd- @@ -72,3 +72,4 @@ tss:x:133:966:added by portage for trousers:/var/lib/tpm:/sbin/nologin groonga:x:134:965:added by portage for groonga:/dev/null:/sbin/nologin systemd-coredump:x:135:964:added by portage for systemd:/dev/null:/sbin/nologin gast:x:1124:100:Gastnutzer:/home/gast:/bin/bash +plex:x:136:963:added by portage for plex-media-server:/var/lib/plexmediaserver:/bin/bash diff --git a/shadow b/shadow index baed7fff..d25a5f37 100644 --- a/shadow +++ b/shadow @@ -72,3 +72,4 @@ groonga:!:17249:::::: systemd-coredump:!:17302:::::: gast:$6$YvNBr9hC$KQPyvJrvdrABSFCxXVMc3sGMeq8dToHzjJuKvzmyQFjYAwmSHcXyuqLy3IxaWeAEsJZxvOXFivkISk2hJ0ucS0:17320:0:99999:7::: plex:!:17477:::::: +spamd:!:17477:::::: diff --git a/shadow- b/shadow- index 37493145..baed7fff 100644 --- a/shadow- +++ b/shadow- 
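Review bot: In init.d/spamd, `reload()` still signals through `--pidfile "${pidfile}"`, but the PID file has moved from `/run/spamd/spamd.pid` to `/run/spamd.pid` while spamd now starts with `--username=spamd --groupname=spamd` by default. The new comment says spamd rewrites its PID file after a HUP. Whether the unprivileged spamd user can still write a file directly under `/run` is not visible in this hunk and is worth confirming, because a stale PID file would make later `stop` and `reload` calls act on the wrong process or on none. If it cannot, keeping a dedicated directory, as the removed `checkpath --directory "${PIDDIR}"` did, with an owner set, would avoid that. Separately, the user options are appended after `${SPAMD_OPTS}`, so an existing `--username` in SPAMD_OPTS would be passed twice; a comment saying which one is expected to win would help.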
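Review bot: The shadow hunk, and the shadow- hunk that follows it, carries a crypt-format password hash for the login account `gast` in its context lines, so the repository that tracks /etc holds credential material. The added `spamd:!:` entry is locked and fine by itself, but anyone who can read this repository or a copy of this patch can attempt offline guessing against that hash. Confirm that the repository directory is readable by root only and is never pushed to a shared remote. If this patch has left the host, treat that password as exposed and change it. Excluding `shadow`, `shadow-`, `gshadow` and `gshadow-` from tracking would remove the problem at the source, at the cost of losing their history.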
@@ -71,3 +71,4 @@ tss:!:16998::::::
 groonga:!:17249::::::
 systemd-coredump:!:17302::::::
 gast:$6$YvNBr9hC$KQPyvJrvdrABSFCxXVMc3sGMeq8dToHzjJuKvzmyQFjYAwmSHcXyuqLy3IxaWeAEsJZxvOXFivkISk2hJ0ucS0:17320:0:99999:7:::
+plex:!:17477::::::
diff --git a/systemd/system/spamassassin.service.d/00gentoo.conf b/systemd/system/spamassassin.service.d/00gentoo.conf
index 9fc1f629..442dde44 100644
--- a/systemd/system/spamassassin.service.d/00gentoo.conf
+++ b/systemd/system/spamassassin.service.d/00gentoo.conf
@@ -1,10 +1,2 @@
-# Here you can append some options to spamd process, please
-# double check that you make needed changes in service file if
-# you use options requiring it
-# Some options:
-#
-# -c to create a per user configuration file
-# -H [dir] to switch home dirs for helper apps, dir optional
-
 [Service]
-Environment="SPAMD_OPTS= -c -H"
+Environment="SPAMD_OPTS=--username=spamd --groupname=spamd --max-children=5 --create-prefs --helper-home-dir"
-- 
2.39.5
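Review bot: The new `Environment="SPAMD_OPTS=..."` line in 00gentoo.conf fixes `--username=spamd --groupname=spamd` for the systemd unit, and the drop-in never references `SPAMD_RUN_AS_ROOT`, so as far as this patch shows that switch only affects the OpenRC script. The explanatory comment block was deleted along with the old value, which leaves the file with no hint of this. I would keep a short comment above `[Service]`, for example `# spamd runs as the unprivileged spamd user here; SPAMD_RUN_AS_ROOT in conf.d/spamd is not read by this unit.` It is also worth checking that `--create-prefs` does what is wanted under that user, since the conf.d/spamd comment in this patch gives per-user files in ~/.spamassassin as the reason to run spamd as root.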