Subject: [courier-users] Re: Courier-MTA on FreeBSD
From: Sam Varshavchik (mrs@courier-mta.com)
Date: Oct 18, 2001 4:51:58 am
List: net.sourceforge.lists.courier-users

Yarema writes:

> OK, what I've got so far is a completed port of sysconftool which probably belongs in the devel section of FreeBSD ports. Recent Courier-MTA builds depend on it even though the INSTALL docs say that tarballs shouldn't have that dependency -- only CVS versions should. No matter, having

They don't. You do not need sysconftool to build out of a tarball.

> courier/rootcerts dependency on the OpenSSL tools/c_rehash. On FreeBSD it does exist in /usr/src/crypto/openssl/tools/c_rehash source tree but is not installed as part of the base system. I've got a workaround for this but a better alternative would be for courier to include the Makefile which comes with Apache+mod_ssl to do the same thing that OpenSSL's

Use --without-rootcerts to avoid installing the root SSL certs, which does not require c_rehash.

> Unless there's a reason that I don't know yet, I believe it's a mistake to install binaries owned by user or group courier or daemon or bin unless the corresponding suid or sgid bit is also set for that binary. I believe all binaries should be owned by root:wheel except the ones that need a suid or sgid bit set to a different user. This provides an extra layer of protection to the binaries since most of the system runs as an unprivileged user which cannot modify files owned by root.

That is incorrect. For most binaries it doesn't matter. But for many binaries and files it does matter, since several binaries are by design not executable by world, and only by group. make install does not randomly choose the ownership and permission of every file. There is a reason for why many files have their specific permissions and ownership.

> As it is now, if most of the courier processes run as uid courier and most of the binaries are owned by user courier, what's to stop a compromised process from installing a back door to the system by modifying a binary owned by the same unprivileged user courier?

If your system is compromised, you are fscked anyway. My philosophy is to prevent the compromise in the first place, instead of accepting it as a fact of life, and bending over backwards trying to mitigate the damages.

> On the plus side is that I'm already cleanly installing and deinstalling the package. I have a dialog configuration script like the one I adapted for postfix-current to select dependencies and options. And the package seems to conform to hier(7) at least as much as postfix does.

> Oh yeah.. just to be clear I'm working on FreeBSD 4.4-STABLE porting Courier-0.35.1. I started with courier-0.35.1.20011014 but ran into some libtool problems.

Again - why are you messing around with libtool, or any dev tools if you are building out of the tarball? You're doing this wrong. The tarball has the correct configure script, has the correct Makefile.in, and includes the autoconf/automake/libtool/sysconftool macros necessary to build everything without requiring the dev tools to be installed.
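
An added example, not part of this thread and not Courier's own code: an audit of an install prefix that reports executables owned by the service uid without a setuid bit (the case Yarema raises) and labels group-only executables separately (the case Sam raises). The function names, the uid/gid arguments and the finding strings are assumptions made for illustration.

```python
import os
import stat

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(mode, uid, gid, svc_uid, svc_gid):
    """Classify one file's ownership; None means nothing stands out."""
    if not stat.S_ISREG(mode) or not mode & EXEC_BITS:
        return None  # only regular, executable files are of interest
    if uid == svc_uid and not mode & stat.S_ISUID:
        # The owner can chmod and rewrite its own file even without u+w.
        return "service-owned, no setuid: a process running as that uid can replace it"
    if gid == svc_gid and not mode & stat.S_ISGID:
        if mode & stat.S_IXGRP and not mode & stat.S_IXOTH:
            # Group ownership is doing access control here, so changing
            # the group to wheel would change who may run the binary.
            return "group-restricted: group ownership limits who may execute it"
        if mode & stat.S_IWGRP:
            return "group-writable by the service group"
    return None

def audit_tree(root, svc_uid, svc_gid):
    """Walk root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            result = classify(st.st_mode, st.st_uid, st.st_gid, svc_uid, svc_gid)
            if result:
                findings.append((os.path.relpath(path, root), result))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Assumed usage: audit.py <install prefix> <service uid> <service gid>
    for rel, why in audit_tree(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])):
        print(f"{rel}: {why}")
```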