Hi, I just uploaded 2.9.3-1. (CCed recent uploaders)

On Fri, Mar 24, 2017 at 04:40:28PM +0100, Markus Wanner wrote:
> Control: block 822683 by 818377
>
> Hi,
>
> I've recently migrated my Courier MTA setup to stretch and had to go
> through a few hoops to get it to work, again.
>
> An important aspect was the courier-maildrop dump. With the packager's
> hat on, I'm also all for the drop and don't want to re-duplicate
> sources. This however means I'd like maildrop to handle the courier use
> case.
>
> The good news is: my virtual mail delivery setup via maildrop works if
> only I enable HAVE_COURIER for my custom-built maildrop package.
>
> Reading the sources, it doesn't seem feasible to just enable
> HAVE_COURIER for the general maildrop build, though. So I'd like to
> discuss some options that spring to mind:

Yes. Excuse me for the slow response.

> * change HAVE_COURIER into a dynamic flag: this might well have
>   security implications that I'm unaware of. Note, however, that
>   the courier-maildrop was SUID on root, while maildrop only has
>   the SGID bit set for group 'mail'. So courier-maildrop was *more*
>   of a security risk, not less.

That is my understanding too.

>   This could (or should?) possibly be extended by some mechanism that
>   automatically detects whether or not courier is calling the maildrop
>   executable. Extended (or different) behaviour could be prohibited
>   for a non-courier caller.

I am afraid such a package would be labeled with "security bug" again. That was the reason Debian maildrop split from courier-maildrop.

> * build two different binaries from the maildrop source, one as it
>   is, the other with HAVE_COURIER enabled.

This is one way. Hmmm.... this seems quite simple to do.

> Are there other options? I'm certainly willing to help and hope to find
> a solution for stretch that fixes the courier use case.

Another option is to create another wrapper code such as maildrop-suid-root, which is a SUID on root program, and let it call maildrop in upstream. And make courier call this new code.

This needs upstream cooperation. I don't want to maintain any SUID root program. Too much responsibility.

If you are willing to take over this package maintenance, I can help with the 2 binary package script.

Regards,

Osamu

