Re: 2.8.0 and newly strict checking

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 6 Mar 2013 09:56:46 -0800 (PST)

On Wed, 6 Mar 2013, Doug Barton wrote:
> I'm starting it with -u, which seems to be the issue. I couldn't get it to
> fail with the group problem again, however when I changed the ownership of
> the file to opendkim, I get this from your patch:

I think this is the actual bug. When the filter is started with "-u", the
file access check is not done with the target user in mind, so it assumes
opendkim will run as root, discovers the key is not owned by root, and the
"foreign owner" case hits. If you change your config file to add "UserID
opendkim", I bet it works fine.

> In any case, thanks for your help. If I may, something like what you
> sent me, perhaps hidden under a debug flag, would be a useful addition
> to the base. While I applaud the desire to make the thing more secure
> I'm not exactly new to system administration and I still managed to foul
> it up pretty royally. :)

Thanks, I'll look into adding a mechanism to do this.

The first issue is being tracked as bug #3607072, and the second as
#3607071. You can subscribe to updates to the bugs through SourceForge if
you like.

-MSK
Received on Wed Mar 06 2013 - 17:57:06 PST
