Month: June 2005

Hi !

I’ve been using part of the ciaranm‘s bashrc (most of the Gentoo-related functions) and though it’s great I thought that something was missing. I needed something to extrackt the depend atoms on a package. I played a bit with sed and finally wrote something useful:

edeps() { 
    local FILES e
    
    if [ ! -z "${1}" ] ; then
        FILES=$(equery which ${1})
    else
        FILES=$(ls *.ebuild)
    fi  
    
    for e in ${FILES};
    do
        echo -ne "\033[01;32m * \033[00m"
        echo -n "Depend atoms on: "
        echo -e "\033[01;38m${e##*/}\033[00m"
        echo
        sed -ne '/^[RP]\?DEPEND=\"[^\"]*$/,/^.*\" *$/p' \
            -e '/^[RP]\?DEPEND=\"[^\"]*\"$/p' ${e}
        echo
    done
}

PD: BTW this is my very first post on the Gentoo Planet. I hope you’ll forgive my language mistakes since english is not my mother tongue. (I’m spanish).

The last few days we’ve been having a bit of discussion in #-netmail about uw apps. They display a *really* bogus message if the mail spool directory (/var/spool/mail) is not protected with 1777 (*sigh*):

Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Of course mailbase creates /var/spool/mail and sets 0775 on it. Thats a real protection since it prevents someone from doing:

for i in /var/spool/mail/* ; do touch ${i}.lock; done

and mess the mail system.

Quoting from the UW IMAP FAQ:

Directory protection 1777 is secure enough on most well-managed systems. If you can’t trust your users with a 1777 mail spool (petty harassment is about the limit of the abuse exposure), then you have much worse problems then that.

It sounds ridiculous to me. I think we will finally adopt the workaround in https://bugzilla.redhat.com/beta/show_bug.cgi?id=103479#c8 or probably patch the sources to remove that annoying message.

I wonder how 1777 on the mail spool directory should be used for security reasons (*sigh*) Maybe someone will explain it to me…

Any ideas on how to solve this ?

Cheers,
Ferdy

Spanish translations for per-category metadata.xml files are almost finished. araujo is doing: dev-* media-* app-* and x11-*. And I just commited the rest: games-* gnome-* gnustep-* kde-* net-* mail-* rox-* sci-* sys-* www-* xfce-* and sec-policy.

It’s been boring… but anyway, we did it hehe

It took me like 1 hour to update, check, translate, check and commit around 70 files… but feels like a wasted hour 🙁 At least I hope it will get integrated in packages.g.o

PD: Hey ! bugs.g.o is now ssl enabled, now I can access bugzilla in networks I don’t trust (i.e university, work, … all of them but mines i think :P). So infra++

Cheers,
Ferdy

Hi all !

New mailbase version (net-mail/mailbase-0.00-r9 ~arch) will not change your /var/spool/mail/ permissions anymore.

Anyway since some net-mail devs think that the only right permissions in /var/spool/mail/ are 0775. If you set something different, mailbase will not overwrite them, but it will show you a nice warning:

  * Your /var/spool/mail/ directory permissions differ from
  *  those which mailbase set when you first installed it (0775).
  *  If you did not change them on purpose, consider running:
  *
       chmod 0775 /var/spool/mail/

Think that we have good reasons to think 1777 is harmful… do not take the easy way by setting 1777 on /var/spool/mail/; better fix your MTA or switch to Maildir/ (the latter is a much better idea by the way).

Cheers,
Ferdy

As slarti announced a few days ago, mailer-config is on its way to ~arch.

We have commited several packages using the new scheme. This is a package.mask excerpt:

# mask these until the new mailwrapper/mailer-config scheme is ready
# it is secure to unmask them to test
net-mail/mailer-config
=net-mail/mailwrapper-0.2.1-r1
=mail-mta/nbsmtp-0.98-r1
=mail-mta/msmtp-1.4.0-r1
=mail-mta/ssmtp-2.61-r1
=mail-mta/esmtp-0.5.0-r2

It is safe to unmask them to start testing. The *big* mailers to come soon; I’m currently working on postfix and I’ll probably have it by tonight or tomorrow.

A few ‘shots’ to show it working:

posidon root # mailer-config -l
[1] default *
[2] esmtp-0.5.0
[3] nbsmtp-0.98
[4] ssmtp-2.61
posidon root # mailer-config -s 2
 * New default profile is: esmtp-0.5.0
posidon root # mailq
Mail queue is empty
posidon root # mailer-config -s 3
 * New default profile is: nbsmtp-0.98
posidon root # mailq
Showing queued mails in /root/.nbsmtp/.queue:

posidon root # mailer-config -s 4
 * New default profile is: ssmtp-2.61
posidon root # mailq
mailq: Mail queue is empty
posidon root # mailer-config -s 3
 * New default profile is: nbsmtp-0.98
posidon root # mailer-config -l  
[1] default
[2] esmtp-0.5.0
[3] nbsmtp-0.98 *
[4] ssmtp-2.61
posidon root # 

As you can see, three completely different behaviors of mailq, each one depending on which mailer profile you are using. This is great stuff ! We would like to hear your opinion about it.

Cheers,
Ferdy

Hi !

All of you suffering from a ‘virus attack’ on your g.o accounts and not using an insane mail filtering engine might like this.

in .mailfilter:

exception {
        xfilter "/usr/bin/spamc"
        xfilter "/usr/bin/clamassassin"
}

if ( /^X-Spam-Status: .*Yes,/ )
{
        to ".maildir/.spam"
}

if ( /^X-Virus-Status: .*Yes/ )
{
        to "/dev/null"
}

in .forward:

|/usr/bin/maildrop -d ferdy

Thanks infra for letting us use clamassassin… I desperately needed it. Now my INBOX is much cleaner.

Cheers,
Ferdy