Hi,
Thanks for sending the patch.
I agree that 503.tape is incorrect, but would say that sendEmail should be owned by root.root and have 755 as permissions.
Why does the script need to become root when it is being executed by nobody? I think that is a security risk.
-Michael
On 2 Feb 2019, at 18:47, Bob Brewer ipfire-devel@grantura.co.uk wrote:
I installed the sendEmail addon with pakfire which installs /usr/local/bin/sendEmail OK but I think it has incorrect owners and permissions.
As installed it has: -rwxr-xr-x 1 503 tape 80215 Dec 6 2012 sendEmail
which I think should be: -rwsr-x--- 1 root nobody 80215 Dec 6 2012 sendEmail
This patch to lfs/sendEmail should correct it
diff -u lfs/sendEmail lfs/sendEmail.1 --- lfs/sendEmail 2019-01-20 10:07:56.128391962 +0000 +++ lfs/sendEmail.1 2019-02-02 18:08:58.823295469 +0000 @@ -63,7 +63,8 @@ @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && cp -pvf sendEmail /usr/local/bin
chmod 755 /usr/local/bin/sendEmail
chown root.nobody /usr/local/bin/sendEmail
chmod 04750 /usr/local/bin/sendEmail @rm -rf $(DIR_APP) @$(POSTBUILD)
HTH
Rob