[PATCH] BUG12403: Fix permissions of DMA configfile

[PATCH] BUG12403: Fix permissions of DMA configfile

[Alexander Marx]

[-- Attachment #1: Type: text/plain, Size: 931 bytes --]

From: Alexander Marx <amarx(a)ipfire.org>

Change read permissions of dma configfile so other users are able to read it.
Needed for Addons like WIO to send Mails.

FIXES: #12403
---
 lfs/dma | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/dma b/lfs/dma
index aceb2704e..6b5d9bfbf 100644
--- a/lfs/dma
+++ b/lfs/dma
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 0.12
+VER        = 0.13
 
 THISAPP    = dma-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -80,6 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
 	chown -R nobody.nobody /var/ipfire/dma
 	chown nobody.root /var/ipfire/dma/auth.conf
+	chmod 644 /var/ipfire/dma/auth.conf
 	ln -svf dma /usr/sbin/sendmail.dma
 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
 	@rm -rf $(DIR_APP)
-- 
2.17.1

Re: [PATCH] BUG12403: Fix permissions of DMA configfile

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1554 bytes --]

Hello,

> On 9 May 2020, at 07:06, Alexander Marx <alexander.marx(a)ipfire.org> wrote:
> 
> From: Alexander Marx <amarx(a)ipfire.org>

Your Git is set up with a different email address for commits than what you are using for email. Is this intentional?

> Change read permissions of dma configfile so other users are able to read it.
> Needed for Addons like WIO to send Mails.

I am not sure if this patch is a good idea. We will make the credentials readable for everyone.

What would probably work better is a group called “mail” which nobody and wio will be a member of so that they can read the configuration file. Others still won’t be able to read it.

What do you think about this solution?

Best,
-Michael

> 
> FIXES: #12403
> ---
> lfs/dma | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lfs/dma b/lfs/dma
> index aceb2704e..6b5d9bfbf 100644
> --- a/lfs/dma
> +++ b/lfs/dma
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 0.12
> +VER        = 0.13
> 
> THISAPP    = dma-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -80,6 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
> 	chown -R nobody.nobody /var/ipfire/dma
> 	chown nobody.root /var/ipfire/dma/auth.conf
> +	chmod 644 /var/ipfire/dma/auth.conf
> 	ln -svf dma /usr/sbin/sendmail.dma
> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
> 	@rm -rf $(DIR_APP)
> -- 
> 2.17.1
> 

Re: [PATCH] BUG12403: Fix permissions of DMA configfile

[Alexander Marx]

[-- Attachment #1: Type: text/plain, Size: 2367 bytes --]



Am 11.05.20 um 10:35 schrieb Michael Tremer:
> Hello,
>
>> On 9 May 2020, at 07:06, Alexander Marx <alexander.marx(a)ipfire.org> wrote:
>>
>> From: Alexander Marx <amarx(a)ipfire.org>
> Your Git is set up with a different email address for commits than what you are using for email. Is this intentional?
There were some confusions when i set up the accounts in the beginning....

>> Change read permissions of dma configfile so other users are able to read it.
>> Needed for Addons like WIO to send Mails.
> I am not sure if this patch is a good idea. We will make the credentials readable for everyone.
>
> What would probably work better is a group called “mail” which nobody and wio will be a member of so that they can read the configuration file. Others still won’t be able to read it.
>
> What do you think about this solution?
>
> Best,
> -Michael
Well, it's a bit more complex. The next thing i am working on with 
Stephan will be the APCUPSD with a nice webinterface. To make things 
round we are thinking of putting the apcupd and website together in one 
addon. But the apcupsd has a complete different user (apcups) and maybe 
there will be other tools and services with own usernames that also 
could use the mailaddon.
Therefor a general readpermission would be a good solution.

In case of apcups we would otherwise be forced to put the apcups user 
into the mailgroup.

Anyway, if this is not the solution, please delete the patch and we try 
to find another solution.
Alex

>> FIXES: #12403
>> ---
>> lfs/dma | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/lfs/dma b/lfs/dma
>> index aceb2704e..6b5d9bfbf 100644
>> --- a/lfs/dma
>> +++ b/lfs/dma
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER        = 0.12
>> +VER        = 0.13
>>
>> THISAPP    = dma-$(VER)
>> DL_FILE    = $(THISAPP).tar.gz
>> @@ -80,6 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
>> 	chown -R nobody.nobody /var/ipfire/dma
>> 	chown nobody.root /var/ipfire/dma/auth.conf
>> +	chmod 644 /var/ipfire/dma/auth.conf
>> 	ln -svf dma /usr/sbin/sendmail.dma
>> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
>> 	@rm -rf $(DIR_APP)
>> -- 
>> 2.17.1
>>

Re: [PATCH] BUG12403: Fix permissions of DMA configfile

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2807 bytes --]

Hello,

> On 11 May 2020, at 10:02, Alexander Marx <alexander.marx(a)ipfire.org> wrote:
> 
> 
> 
> Am 11.05.20 um 10:35 schrieb Michael Tremer:
>> Hello,
>> 
>>> On 9 May 2020, at 07:06, Alexander Marx <alexander.marx(a)ipfire.org> wrote:
>>> 
>>> From: Alexander Marx <amarx(a)ipfire.org>
>> Your Git is set up with a different email address for commits than what you are using for email. Is this intentional?
> There were some confusions when i set up the accounts in the beginning....
> 
>>> Change read permissions of dma configfile so other users are able to read it.
>>> Needed for Addons like WIO to send Mails.
>> I am not sure if this patch is a good idea. We will make the credentials readable for everyone.
>> 
>> What would probably work better is a group called “mail” which nobody and wio will be a member of so that they can read the configuration file. Others still won’t be able to read it.
>> 
>> What do you think about this solution?
>> 
>> Best,
>> -Michael
> Well, it's a bit more complex. The next thing i am working on with Stephan will be the APCUPSD with a nice webinterface. To make things round we are thinking of putting the apcupd and website together in one addon. But the apcupsd has a complete different user (apcups) and maybe there will be other tools and services with own usernames that also could use the mailaddon.

Yes, but that is great. We can simply add more users to the group when we need to. That will still keep the file’s contents safe.

> Therefor a general readpermission would be a good solution.

I get that this is the easiest one, but not a good one.

> In case of apcups we would otherwise be forced to put the apcups user into the mailgroup.

Yes. That is a one-liner:

  usermod -a -G mail apcupsd

> Anyway, if this is not the solution, please delete the patch and we try to find another solution.

Best,
-Michael

> Alex
> 
>>> FIXES: #12403
>>> ---
>>> lfs/dma | 3 ++-
>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/lfs/dma b/lfs/dma
>>> index aceb2704e..6b5d9bfbf 100644
>>> --- a/lfs/dma
>>> +++ b/lfs/dma
>>> @@ -24,7 +24,7 @@
>>> 
>>> include Config
>>> 
>>> -VER        = 0.12
>>> +VER        = 0.13
>>> 
>>> THISAPP    = dma-$(VER)
>>> DL_FILE    = $(THISAPP).tar.gz
>>> @@ -80,6 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> 	install -v -m 755 $(DIR_SRC)/config/dma/dma-cleanup-spool /usr/sbin
>>> 	chown -R nobody.nobody /var/ipfire/dma
>>> 	chown nobody.root /var/ipfire/dma/auth.conf
>>> +	chmod 644 /var/ipfire/dma/auth.conf
>>> 	ln -svf dma /usr/sbin/sendmail.dma
>>> 	/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20
>>> 	@rm -rf $(DIR_APP)
>>> -- 
>>> 2.17.1
>>> 
>