On Thu, May 08, 2008, Alain Spineux wrote:
> On Thu, May 8, 2008 at 4:33 PM, Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> > On Thu, May 08, 2008, Alain Spineux wrote:
> >
> > > > I found this too, this solve the chown(), but not the bind() !
> > > > For the bind I simply did a
> > > > # chmod g+w /kolab/var/bind
> > > >
> > > > Then only two small thing tho change until the BIND developer team
> > react :-)
> > >
> > > I didn't get any answer from bind's Team until now, except the ACK.
> > > Do you plan to fix this in you package ?
> > >
> >
> > > > > Index: bin/named/unix/os.c
> > > > > --- bin/named/unix/os.c.orig 2006-02-04 00:51:38 +0100
> > > > > +++ bin/named/unix/os.c 2008-05-02 17:25:33 +0200
> > > > > @@ -212,6 +212,11 @@
> > > > > caps |= (1 << CAP_SETGID);
> > > > >
> > > > > /*
> > > > > + * Since we call chown, we need this.
> > > > > + */
> > > > > + caps |= (1 << CAP_CHOWN);
> > > > > +
> > > > > + /*
> > > > > * Without this, we run into problems reading a
> > configuration file
> > > > > * owned by a non-root user and non-world-readable on
> > startup.
> > > > > */
> >
> > I thought the CAP_CHOWN patch was not sufficient to also solve your
> > bind(2) problem. So if I apply this fix we would not gain a final
> > solution, right? But if you can confirm that applying my CAP_CHOWN patch
> > is sufficient I'm happy to include it into the OpenPKG "bind" package,
> > of course.
>
> Be happy :-) The CAP_CHOWN patch _and_ a "chmod g+w /kolab/var/bind"
> solved the problem. You have to estimate the chmod effect on the
> security!
I checked, a g+w is still acceptable to me from a security point of
view. I've updated the package: patch included, permissions adjusted.
Thanks for your feedback.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
OpenPKG http://openpkg.org
User Communication List openpkg-users@openpkg.org
