Re: Bug#201234: ITP: esmtp -- User configurable relay-only MTA
José Fonseca <email@example.com> wrote:
> In article <9hl6.1tR.firstname.lastname@example.org>, Andreas Metzler wrote:
>> * Debconf.
>> If you used single-quotes you should be able to _parse_ this file
>> (*basically* just source everthing up to the first "identity" tag
>> after doublechecking quoting and format) in your postinst and do proper
>> configuration file handling as described in the debconf-devel manpage,
> Ok. I'll try do as suggested. Do you happen to remeber another debian
> package which does that that I can refer to?
The debconf-devel manpage has an perfectly fitting example for
managing a simple shell-style configuration-file.
Sanitizing can be done with sed to a temporary file which is sourced
sed -e '/^[[:space:]]*identity/,$d' -e '/^[[:space:]]*#/d' \
-e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
-e 's/\(^[^[:space:]=]*\)[[:space:]]*=/\1=' \
-e "s/=[[:space:]]*[\"']\?/='/" -e "s/[\"']\?[[:space:]]*$/'/"
Yuck. Looks error-prone.
>> /etc/esmtprc should not be publically readable per default.
> Well this is a very tricky issue. Esmtp is not installed setuid nor will
> I ever dare to - it's just a too big security.
> "Do not set passwords on the system configuration file unless you are
> the sole user of that machine. Esmtp is not run with suid privileges
> therefore the system configuration file must be readable by everyone."
> That is, the user should set the personal ~/.esmtprc with his personal
> SMTP account(s) details.
> So, does this mean I should add this warning to the template, or should
> I remove the username/password input alltogether?
I'd add a warning.