On 08/31/2017 04:42 PM, Dianne Skoll wrote:
> Hi,
>
> This is a much more extensive patch, but I believe it does finally
> close the hole if you keep your PID files in a root-owned directory.
>
> Please test this; I plan on releasing 2.81 tomorrow.
>

I applied the patch and updated the Gentoo init script with the new -p and -o changes, and now everything looks good. The two PID files are located directly in /run and owned by root:root, while the two lock files live in the spool directory and are owned by defang:defang. The daemon starts/stops without issue.

Thanks once more for your help with this. I'll ask for a CVE assignment in a moment, and then wait until the new version is released before making an announcement for the distros.

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang