the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
symmetry between installation from source and from binary package.
Annoate MESSAGE accordingly, so that those using apop can do it
themselves. Bump revision
- Thanks to taca@ and gavan@ for feedback and patch review
- This also enables experimental PAM support (on platforms that support it)
- Security fixes included
- From the ChangeLog:
> Changes from 4.0.7 to 4.0.8:
> ---------------------------
> 1. Fix compilation error on HPUX.
> 2. Fix some compilation warnings.
> 3. Update man page with '-x' option.
> 4. Fix problems with 'make install'
>
>
> Changes from 4.0.6 to 4.0.7:
> ---------------------------
> 1. Fix '-V' for standalone.
> 2. Include 'man' directory in tarball.
>
>
> Changes from 4.0.5 to 4.0.6:
> ----------------------------
> 1. Minor fixes for true64.
> 2. Patch from Uli Zappe to fix SCRAM compilation bugs.
> 3. Minor fixes for true64.
> 4. poppassd now runs smbpasswd as user, not root, to avoid exploit
> 5. Remove -traditional-cpp from the compiler options for Darwin
> builds (otherwise build fails)
> 6. Open stdout and stderr as O_WRONLY instead of O_RDONLY so that
> should anything actually be written to them it will show up
> 7. When configured as --with-pam and required,
> include <pam/pam_appl.h> instead of <security/pam_appl.h>
> (otherwise build fails)
> 8. strdup the pw.pw_name field from getpwnam so that it's still
> valid by the time genpath is called; also added corresponding
> free (without this fix when the bug manifests, clients are
> erroneously told there are 0 messages in the mail drop
> regardless of the actual number)
> 9. Add a pam bug workaround at the beginning of main to do a
> pam_start and pam_end immediately when the program starts up
> in order to avoid bogus authentication failed messages from
> pam_authenticate later (only when configured as --with-pam)
> [ Thanks to Kyle McKay for changes 5-9 ]
> 10. Fixed error in configure script for Mac OS / Darwin.
> 11. Support chained certs for OpenSSL [from Daniel Senie].
> 12. Fixes to compile better on Linux [from Daniel Senie].
> 13. X-UIDL header no longer written when Update_status_hdrs is false
> [thanks to Helge Oldach]
> 14. Now calling SSL_shutdown() again if it fails the first time.
> 15. Now logging TLS errors when compiled with debugging and debug is
> enabled (instead of either) [thanks to Maks N. Polunin].
> 16. Config file now always closed (not just on error).
> 17. When using pam, Kerberos tickets are now destroyed.
> Otherwise dead tickets accumulate in cache directory which runs
> out of space quickly on busy server. Problem noted by Rodney
> McDuff ITS UQ. (Directory permissions on ticket cache dir need
> to be 1777).
> 18. Always log "Servicing request" (instead of just when debugging is
> on). This allows start of pop sessions to be logged always which
> is useful for diagnosis of problems.
> 19. Worked around problem on some systems causing SIGALRM to be masked,
> leaving hung pop processes which should have timed out waiting
> for a command from the client.
> [ Thanks to David Shrimpton for changes 16-19 ]
> 20. Now defaulting to "EXPIRE NEVER" instead of "EXPIRE 0".
> 21. Fix core dump on 64-bit Solaris 2.8 [thanks to Kenny Nguyen]
> 22. Log facility set on command line now applies to daemon as well.
> [Thanks to Helge Oldach]
> 23. '-y' to set log facility on command line now works again.
> 24. Allow '-V' as synonym for '-v' (to see version).
> 25. Process user and spool config files as user, not as root (fix
> security hole reported by Jens Steube)
> 26. Added "xtnd_xmit" as a boolean option to permit/deny XTND XMIT
> and 'x' as a command-line option to disable it. You should
> disable it unless you really need it, and even then it is better
> to move to SMTP AUTH.
> 27. popauth now opens trace file as user, not root (fix security
> hole reported by Jens Steube); also umask now set.
> 28. Fix race crash on FreeBSD (thanks to Martin Haller).
> 29. Resolve some compiler warnings.
> 30. Fix check for libcrypt on FreeBSD.
> 31. Added sample pam configuration file (also installed by 'make
> install')
> 32. Use generic error msg and sleep in more auth failure cases.
> 33. Added code to use mkstemp() instead of our perfectly safe usage
> of tempnam() because some compilers issue overly broad warnings
> implying that all uses of tempnam() are unsafe. To bypass,
> use '--enable-tempnam' with ./configure.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
Changes from 4.0.4 to 4.0.5:
----------------------------
1. Add debug trace call with OpenSSL library version.
2. Added 'tls-options' configuration file option.
3. Added 'tls-workarounds' boolean option.
4. STLS errors (except for timeout) no longer fatal.
5. Added sample xinetd configuration file.
6. Additional checks for networking libraries.
7. Pick up LDFLAGS from environment, if set.
8. Added '--enable-32-bit' and '--enable-64-bit'
9. Applied patch from Jeremy Chadwick to fix pathname trimming in
standalone mode.
10. Fixed (non-root) buffer overflow.
11. Fixed '-no-mime' appended to user name (reported by Florian
Heinz).
12. Fixed response message when identical MDEFs defined multiple
times (reported by Florian Heinz).
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
- Remove extra rule line in install target. (It tried to do make on
password directory.)
- Solaris's /usr/ucb/install dosen't accept number with -g option.
* Pass the LDFLAGS through to the build process so that the final binaries
are built with the appropriate -Wl,-R flags. This should fix pkg/18054.
* Use ROOT_{USER,GROUP} instead of hardcoding "root" and "wheel" when
installing poppassd.
* Fixed DOS attack seen on some systems.
* Fixed "noop has null function" log entry.
* Allow '-p' to be used when APOP not defined (noted by Daniel Senie).
* Enforce ClearTextPassword even without APOP (noted by Daniel Senie).
* Restrict clear-text-password=never to APOP.
* Restrict clear-text-password=tls to QPOP_SSL.
* Fixed qpopper hanging on I/O error on some platforms.
Release note.
4.0
Supports TLS/SSL security.
'-p' option now has value '4' to permit plain-text passwords
under TLS/SSL.
Now uses a cache file to retain spool index across sessions.
This dramatically speeds up session start when no new mail has
arrived.
'-l' option added to specify TLS/SSL support.
Lots of TLS/SSL options added. See the Administrator's Guide
for details.
'-v' option added to report current version and exit.
'make install' added.
Lots of compile-time options now available at run-time. See
the Administrator's Guide for details.
Integrated poppassd into build.
And here is changes from 4.0.
Changes from 4.0.2 to 4.0.3:
----------------------------
1. Don't call SSL_shutdown unless we tried to negotiate an
SSL session. (As suggested by Kenneth Porter.)
2. Fix buffer overflow (reported by Gustavo Viscaino).
3. Fixed empty password treated as empty command (patch
submitted by Michael Smith and others).
4. Added patch by Carles Xavier Munyoz to fix erroneous
scanning for \n in getline().
5. Fix from Arvin Schnell for warnings on 64-bit systems.
6. Added patch by Clifton Royston to change error message
for nonauthfile and authfile tests.
7. Added 'uw-kludge' as synonym for 'uw-kluge'.
Changes from 4.0.1 to 4.0.2:
----------------------------
1. Added fix for XTND XMIT (sent in by Jacques Distler and
others).
2. Fixed makefile problems with poppassd compile and install
(sent in by Steven Champeon).
3. Increased maximum spool path length from 64 to 256.
4. Added more debug code when genpath() runs out of room.
5. Changed C++ style comments to C style in poppassd.c
6. Changed poppassd's UID check to be the same as Qpopper's
(which is that if BLOCK_UID is defined we use that value,
otherwise it defaults to 10).
7. Added poppassd expect strings for DEC True 64 (sent in by
Andres Henckens).
Changes from 4.0.1b1 to 4.0.1 (final):
--------------------------------------
1. Fixed typo in popper/pop_init.c if DONT_CHECK_HASH_SPOOL_DIR
defined.
Changes from 4.0 to 4.0.1b1:
----------------------------
1. Messages with lines longer than 512 characters are no longer
garbled when sent to the client.
2. Added patches from Michael C Tiernan to fix makefile problems.
any longer to 2.x.
NOTE: kerberos support is dropped, kerberos guru please re-do it...
from ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Release.Notes
Release Notes:
3.1
Can now set server mode and kerberos service name using
run-time options.
Can now specify plain-text password handling when APOP is
available using '-p 0|1|2|3' run-time option. 0 is default;
1 means clear text passwords are never permitted for any user;
2 means they are always permitted (even if an APOP entry exists),
which allows them to be used as a fallback when clients don't
support APOP); 3 means they are permitted on the local interface
(127.*.*.*) only.
Added '-D drac-host' run-time option to specify the drac host.
Only valid if compiled with --enable-drac. The default is
localhost.
Added '-f config-file' run-time option. Additional run-time
options are read from the specified file. All current run-time
options can now be set this way. See INSTALL file for option
names and syntax.
Added '-u' run-time option to read '.qpopper-options' file in
user's home directory.
Added Kerberos V support.
BULLDB access now uses usleep(3C) if available, resulting in
many more access attempts with a shorter maximum delay.
Added run-time options 'bulldb-nonfatal' (-B) and
'bulldb-max-retries' to allow fine control over BULLDB access
behavior. 'bulldb-nonfatal' allows a session to continue if
the bulletin database can't be locked. 'bulldb-max-retries'
sets the maximum number of attempts to lock the database. This
value should only be changed if you know if your system has
usleep(3C) or not. On systems with usleep(3C), this can be a
large value (the default is 75). On systems without usleep(3C),
this should remain small (the default is 10).
Added new ./configure flags (see INSTALL for more details):
--enable-timing to write log records with elapsed time for
authentication, initialization, and cleanup.
--enable-old-uidl to generates UIDs using old (pre-3.x)
style encoding. This is only useful if you also set
NO_STATUS and have existing users with old (pre-3.x)
spool files and you want to keep the UIDs the same.
--disable-status to prevent Qpopper from writing 'Status'
or 'X-UIDL' headers (sets NO_STATUS). This forces
UIDs for each message to be recalculated in each
session.
--enable-keep-temp-drop to prevents Qpopper from deleting
the temp drop files.
--disable-check-pw-max to prevent Qpopper from checking
for expired passwords.
--disable-old-spool-loc to not check for old .user.pop
files in old locations when HASH_SPOOL or HOMEDIRMAIL
used.
--disable-check-hash-dir to not check for or create hash
spool directories. Use this if you pre-create the
directories.
--enable-server-mode-group-include=group to set server
mode for users in the specified group.
--enable-server-mode-group-exclude=group to set server
mode OFF for users in the specified group.
--enable-secure-nis-plus for use with secure NIS+.
--disable-optimizations to turn off compiler optimizations.
--with-kerberos5 for Kerberos V support (using patch from
Ken Hornstein).
--enable-any-kerberos-principal to accept any principal in
the client request.
--enable-kuserok to use kuserok() to vet users.
--enable-ksockinst to use getsockinst() for Kerberos
instance.
--enable-standalone to create standalone POP daemon instead
of being run out of inetd. Can specify IP address
and/or port number to bind to as parameter 1, e.g.,
'popper 199.46.50.7:8110 -S' or 'popper 8110 -S -T600'.
If not specified, IP address defaults to all available.
The default port is 110 except when _DEBUG (not simply
DEBUG) is defined, then it is 8765.
--enable-auth-file=path to permit access only to users listed
in the specified file. Format is one user per line.
--enable-nonauth-file=path to deny access to users listed in
the specified file. Format is one user per line.
--disable-update-abort to avoid the default behavior of going
into update mode if the session aborts (the default
behavior violates of RFC 1939, but was found to be
needed when noisy dialup lines otherwise prevented users
from ever deleting messages).
([RCG])
3.0
Both dot-locking and flock() now used on all platforms. (On some
systems we emulate flock() using fcntl).
Added POP3 extensions(CAPA). The extensions added so far are
X-MANGLE, LOGIN-DELAY and EXPIRE.
X-MANGLE condenses Mime messages into a single part for ease of
use by lightweight clients. The transformations supported through
X-MANGLE are to and from text/plain, format=flowed, and text/html.
As a way to enable MIME-mangling with clients that do not
support XMANGLE, add "-no-mime" to the user name. For example,
if the userid is"mary", enter it in the client as "mary-no-mime".
The optional LOGIN-DELAY and EXPIRE values are only announced
through the CAPA command. The values to announce are passed as
command line switches. Actual enforcement of minimum login delay
and message expiration is up to the site by some other means.
(For example, a simple script run from crontab could be used for
message expiration.) Qpopper does support automatic deletion of
downloaded messages through the --enable-auto-delete configure
flag. This can be used to effect EXPIRE 0 (no retention).
Added new run-time options: -R to disable reverse-lookups on client
IP addresses; -c to downcase user name.
A failure at some point in a transaction now releases all locks
explicitly. Certain paths do not release locks where SysV .lock files
are created.
Fixed bugs with Bulletin Services and Server mode.
DEBUGn macros for debug and trace messages.
Added new ./configure flags (see INSTALL for more details):
--with-warnings for extra compiler warnings.
--enable-shy to hide qpopper's version number in the
banner and CAPA IMPLEMENTATION tag.
--enable-auto-delete to automatically mark for deletion
all messages downloaded with RETR.
--enable-hash-spool=1|2 to use hashed spool directories.
--enable-home-dir-mail=file to use a spool file in the
user's home directory.
--enable-bulldb=path to enable bulletins and set the path
for the bulletin directory.
--with-new-bulls=number to specify the maximum number
of bulletins for new users (default is 10).
--enable-popbulldir=path to specify an alternate location
for users' popbull files.
--enable-log-login to log successful user logins. This
can be used, for example, to validate subsequent
SMTP sessions from the same IP address within a
short time period, in the absence of SMTP AUTH
support by client and server. (Suggested by Andy
Harper et al).
--with-pam=service-name to authenticate using PAM (based
on patch contributed by German Poo).
--with-log-facility=name to specify the log facility.
Default is LOG_LOCAL1 or LOG_MAIL, depending on the
OS.
--enable-uw-kludge to check for and hide a UW IMAP status
message.
--enable-group-bulls to show bulletins by groups (group
name is second element in bulletin name). Based on
patch by Mikolaj Rydzewski.
--enable-timing to report timing information in the log.
--enable-drac to use DRAC. Based on patches by Mike
McHenry, Forrest Aldrich, Steven Champeon, and others.
Added file popper/banner.h -- modify this file to add a custom
banner and CAPA IMPLEMENTATION tag suffix. Note that if you modify
qpopper you should indicate this using banner.h.
Improved error messages and warnings: warning "Unable to get
canonical name of client" now includes IP address of client; logging
added for I/O errors and discarded input (line too long); added errno
to POP EOF -ERR message; "Possible probe of account" warning now logged
as WARNING, not CRITICAL.
RESTRICTED= variables that were predicated on former U.S. export
regulations. Add CRYPTO=, as necessary, so it's still possible to
exclude all crypto packages from a build by setting MKCRYPTO=no
(but "lintpkgsrc -R" will no longer catch them).
Specifically,
- - All packages which set USE_SSL just lose their RESTRICTED
variable, since MKCRYPTO responds to USE_SSL directly.
- - realplayer7 and ns-flash keep their RESTRICTED, which is based
on license terms, but also gain the CRYPTO variable.
- - srp-client is now marked broken, since the distfile is evidently
no longer available. On this, we're no worse off than before.
[We haven't been mirroring the distfile, or testing the build!]
- - isakmpd gets CRYPTO for RESTRICTED, but remains broken.
- - crack loses all restrictions, as it does not evidently empower
a user to utilize strong encryption (working definition: ability
to encode a message that requires a secret key plus big number
arithmetic to decode).
