Bug#1002527: milter-greylist -u user does not correctly ensure user can update greylist.db

To: 1002527@bugs.debian.org
Subject: Bug#1002527: milter-greylist -u user does not correctly ensure user can update greylist.db
From: Amin Bandali <bandali@gnu.org>
Date: Tue, 24 Oct 2023 21:50:36 -0400
Message-id: <[🔎] 87il6vtqqb.fsf_-_@gnu.org>
Reply-to: Amin Bandali <bandali@gnu.org>, 1002527@bugs.debian.org
In-reply-to: <[🔎] 878r86qci9.fsf@gnu.org>
References: <YxHjgt4Sd6HnBuwC@colwyn.zhadum.org.uk> <[🔎] 878r86qci9.fsf@gnu.org> <164028672449.18087.10155497860786534093.reportbug@basil.wdw>

Control: severity -1 important
Control: tags -1 pending
X-Debbugs-CC: tobi@debian.org, mrvn@renich.org, bunk@debian.org, tron@zhadum.org.uk

Hi again folks,

Per suggestion from Tobi, I'm reducing the severity of this bug from
'critical' (RC) to 'important', since the default configuration works
fine out of the box on a Debian system (with systemd).

Thanks to Tobi adding me to the ACL for salsa:debian/milter-greylist,
I went ahead and pushed my proposed change to the repo, also attached
as a patch for your convenience.

https://salsa.debian.org/debian/milter-greylist/-/commit/d118c24c45674fe8ae75ae965555b318a4cb1320

Tobi, if there are still no objections in the coming days, I'd
appreciate it if you'd please sponsor this to unstable for me.

Thanks,
-a

>From d118c24c45674fe8ae75ae965555b318a4cb1320 Mon Sep 17 00:00:00 2001
From: Amin Bandali <bandali@gnu.org>
Date: Tue, 24 Oct 2023 19:54:36 -0400
Subject: [PATCH] Set user greylist in greylist.conf instead of
 milter-greylist.service

---
 debian/changelog               | 11 +++++++++++
 debian/milter-greylist.service |  2 +-
 debian/patches/conf-dumpfreq   |  6 +++---
 debian/patches/greylist.conf   | 19 ++++++++++++-------
 4 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 32f3de6..8832c9a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+milter-greylist (4.6.4-3) UNRELEASED; urgency=medium
+
+  * QA upload.
+  * Set user greylist in the configuration file rather than as a
+    command-line option in the service file (which always takes
+    precedence) to allow easier customization. (Closes: #1002527)
+    - debian/milter-greylist.service
+    - debian/patches/greylist.conf
+
+ -- Amin Bandali <bandali@gnu.org>  Tue, 24 Oct 2023 19:49:53 -0400
+
 milter-greylist (4.6.4-2) unstable; urgency=medium
 
   [ Ondřej Surý ]
diff --git a/debian/milter-greylist.service b/debian/milter-greylist.service
index b5a6e80..bcef86f 100644
--- a/debian/milter-greylist.service
+++ b/debian/milter-greylist.service
@@ -5,7 +5,7 @@ Before=postfix.service
 
 [Service]
 Type=forking
-ExecStart=/usr/sbin/milter-greylist -u greylist
+ExecStart=/usr/sbin/milter-greylist
 Restart=on-failure
 PrivateTmp=true
 
diff --git a/debian/patches/conf-dumpfreq b/debian/patches/conf-dumpfreq
index 5400f40..a0de3db 100644
--- a/debian/patches/conf-dumpfreq
+++ b/debian/patches/conf-dumpfreq
@@ -8,11 +8,11 @@ Index: milter-greylist-4.3.5/greylist.conf
 --- milter-greylist-4.3.5.orig/greylist.conf	2010-03-15 14:48:16.000000000 +0000
 +++ milter-greylist-4.3.5/greylist.conf	2010-03-15 14:48:48.732009554 +0000
 @@ -7,7 +7,7 @@
- 
  pidfile "/var/run/milter-greylist.pid"
+ socket "/var/run/milter-greylist/milter-greylist.sock"
  dumpfile "/var/lib/milter-greylist/greylist.db" 600
 -dumpfreq 1
 +dumpfreq 10m
+ user "greylist"
  
- # For sendmail use the following two lines
- socket "/var/run/milter-greylist/milter-greylist.sock"
+ # If using Postfix rather than Sendmail, uncomment the following
diff --git a/debian/patches/greylist.conf b/debian/patches/greylist.conf
index 6e1d33d..216aae9 100644
--- a/debian/patches/greylist.conf
+++ b/debian/patches/greylist.conf
@@ -8,23 +8,28 @@ Index: milter-greylist-4.5.11/greylist.conf
 ===================================================================
 --- milter-greylist-4.5.11.orig/greylist.conf	2014-07-30 09:29:48.543484591 +0100
 +++ milter-greylist-4.5.11/greylist.conf	2014-07-30 09:29:48.539484522 +0100
-@@ -6,11 +6,17 @@
+@@ -6,11 +6,21 @@
  #
  
  pidfile "/var/run/milter-greylist.pid"
 -socket "/var/milter-greylist/milter-greylist.sock"
 -dumpfile "/var/milter-greylist/greylist.db" 600
++socket "/var/run/milter-greylist/milter-greylist.sock"
 +dumpfile "/var/lib/milter-greylist/greylist.db" 600
  dumpfreq 1
-+
-+# For sendmail use the following two lines
-+socket "/var/run/milter-greylist/milter-greylist.sock"
- user "smmsp"
+-user "smmsp"
++user "greylist"
  
-+# For Postfix uncomment the following two lines and comment out the
-+# sendmail ones above.
++# If using Postfix rather than Sendmail, uncomment the following
++# socket and user settings and comment out the socket and user above.
 +#socket "/var/run/milter-greylist/milter-greylist.sock" 660
 +#user "postfix"
++
++# If using a chrooted Postfix, you might want to use something like
++# the following instead (where "/var/spool/postfix" is the Postfix
++# chroot):
++#socket "/var/spool/postfix/milter-greylist/milter-greylist.sock" 660
++#user "greylist:postfix"
  
  # Log milter-greylist activity to a file
  #stat ">>/var/milter-greylist/greylist.log" \
-- 
2.39.2

Reply to:

References:
- Bug#1002527: "milter-greylist -u user" considered harmful
  - From: Amin Bandali <bandali@gnu.org>

Prev by Date: Processed: Re: milter-greylist -u user does not correctly ensure user can update greylist.db
Next by Date: Bug#1014612: docbook-xml and docbook-xsl failed to update their catalogs in /etc/xml when interrupted
Previous by thread: Bug#1002527: "milter-greylist -u user" considered harmful
Next by thread: Processed: Re: milter-greylist -u user does not correctly ensure user can update greylist.db
Index(es):
- Date
- Thread