[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#201234: ITP: esmtp -- User configurable relay-only MTA

On Tue, 15 Jul 2003 14:57:29 +0200, Andreas Metzler wrote:
> José Fonseca <j_r_fonseca@yahoo.co.uk> wrote:
>> Ok. I'll try do as suggested. Do you happen to remeber another debian
>> package which does that that I can refer to?
> The debconf-devel manpage has an perfectly fitting example for
> managing a simple shell-style configuration-file.
> Sanitizing can be done with sed to a temporary file which is sourced
> afterwards.
> sed -e '/^[[:space:]]*identity/,$d' -e '/^[[:space:]]*#/d' \
>   -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
>   -e 's/\(^[^[:space:]=]*\)[[:space:]]*=/\1=' \
>   -e "s/=[[:space:]]*[\"']\?/='/"  -e "s/[\"']\?[[:space:]]*$/'/" 
> Yuck. Looks error-prone.

Thanks for the tip but after loosing more than an hour around this I've
come to the conclusion that this is simply not worth the trouble. The
are always difficult corner cases too dificult to cope with regular
expression as they start to grow to a insane size. The reason I chose
to use a flex/bison generated parser was exactly to avoid these kind of issues and 
it seems counterproductive reiventing the wheel now for a packaging

And If the config script can't completly parse the configuration file
then I'd rather not give the false impression to the users that it does,
therefore avoiding myself alot of troubles afterwards, when they start
complaining about that...

Sorry but no.

>>> /etc/esmtprc should not be publically readable per default.
>> Well this is a very tricky issue. Esmtp is not installed setuid nor will
>> I ever dare to - it's just a too big security.
> [...]
>>  "Do not set passwords on the system configuration file unless you are
>>  the sole user of that machine. Esmtp is not run with suid privileges
>>  therefore the system configuration file must be readable by everyone."
>> That is, the user should set the personal ~/.esmtprc with his personal
>> SMTP account(s) details.
>> So, does this mean I should add this warning to the template, or should
>> I remove the username/password input alltogether?
> I'd add a warning.

I've done the necessary changes and uploaded everything to the same
place <http://jrfonseca.dyndns.org/debian/>.  I also added the detection
of the default MDA to the config script.

Unless there are any further corrections I'll be ready to have this
package uploaded.

José Fonseca

Reply to: