From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: sendEmail-1.56-1 Date: Wed, 06 Feb 2019 11:13:14 +0000 Message-ID: <034C7493-33F3-4F53-BA30-02B1EEAA2462@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8571061687340813916==" List-Id: --===============8571061687340813916== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, Thanks for sending the patch. I agree that 503.tape is incorrect, but would say that sendEmail should be ow= ned by root.root and have 755 as permissions. Why does the script need to become root when it is being executed by nobody? = I think that is a security risk. -Michael > On 2 Feb 2019, at 18:47, Bob Brewer wrote: >=20 > I installed the sendEmail addon with pakfire which installs=20 > /usr/local/bin/sendEmail OK but I think it has incorrect owners and=20 > permissions. >=20 > As installed it has: > -rwxr-xr-x 1 503 tape 80215 Dec 6 2012 sendEmail >=20 > which I think should be: > -rwsr-x--- 1 root nobody 80215 Dec 6 2012 sendEmail >=20 > This patch to lfs/sendEmail should correct it >=20 > diff -u lfs/sendEmail lfs/sendEmail.1=20 > --- lfs/sendEmail 2019-01-20 10:07:56.128391962 +0000 > +++ lfs/sendEmail.1 2019-02-02 18:08:58.823295469 +0000 > @@ -63,7 +63,8 @@ > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && cp -pvf sendEmail /usr/local/bin > - chmod 755 /usr/local/bin/sendEmail > + chown root.nobody /usr/local/bin/sendEmail > + chmod 04750 /usr/local/bin/sendEmail > @rm -rf $(DIR_APP) > @$(POSTBUILD) >=20 > HTH >=20 > Rob >=20 --===============8571061687340813916==--