[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#201234: ITP: esmtp -- User configurable relay-only MTA

José Fonseca <j_r_fonseca@yahoo.co.uk> wrote:
> In article <9hl6.1tR.7@gated-at.bofh.it>, Andreas Metzler wrote:
>> * Debconf.
>> If you used single-quotes you should be able to  _parse_ this file
>> (*basically* just source everthing up to the first "identity" tag
>> after doublechecking quoting and format) in your postinst and do proper
>> configuration file handling as described in the debconf-devel manpage,
> Ok. I'll try do as suggested. Do you happen to remeber another debian
> package which does that that I can refer to?

The debconf-devel manpage has an perfectly fitting example for
managing a simple shell-style configuration-file.

Sanitizing can be done with sed to a temporary file which is sourced

sed -e '/^[[:space:]]*identity/,$d' -e '/^[[:space:]]*#/d' \
  -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
  -e 's/\(^[^[:space:]=]*\)[[:space:]]*=/\1=' \
  -e "s/=[[:space:]]*[\"']\?/='/"  -e "s/[\"']\?[[:space:]]*$/'/" 

Yuck. Looks error-prone.

>> /etc/esmtprc should not be publically readable per default.

> Well this is a very tricky issue. Esmtp is not installed setuid nor will
> I ever dare to - it's just a too big security.
>  "Do not set passwords on the system configuration file unless you are
>  the sole user of that machine. Esmtp is not run with suid privileges
>  therefore the system configuration file must be readable by everyone."

> That is, the user should set the personal ~/.esmtprc with his personal
> SMTP account(s) details.

> So, does this mean I should add this warning to the template, or should
> I remove the username/password input alltogether?

I'd add a warning.
        cu andreas

Reply to: