Subject: pkg/21012: sendmail pkg uses /usr/adm/sm.bin for smrsh restricted programs
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@mines.edu>
List: netbsd-bugs
Date: 04/04/2003 15:40:38
>Number: 21012
>Category: pkg
>Synopsis: sendmail pkg uses /usr/adm/sm.bin for smrsh restricted programs
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri Apr 04 14:41:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Jim Bernard
>Release: NetBSD 1.6Q
>Organization:
>Environment:
System: NetBSD knox 1.6Q NetBSD 1.6Q (KNOX-$Revision: 1.1 $) #0: Tue Apr 1 09:27:55 MST 2003 jim@roc:/wd1/var/tmp/compile/sys/arch/i386/compile/KNOX i386
Architecture: i386
Machine: i386
>Description:
The sendmail package, in contrast to the in-tree version of
sendmail, builds smrsh so that it looks in /usr/adm/sm.bin
for the programs that are to be permitted in .forward files.
When was the last time you saw a system with /usr/adm?
The in-tree version uses /usr/libexec/sm.bin (set in
.../src/gnu/usr.sbin/sendmail/smrsh/Makefile).
>How-To-Repeat:
cd ...pkgsrc/mail/sendmail
make
strings work*/sendmail-8.12.9/obj.*/smrsh/smrsh | grep sm.bin
And, for comparison:
strings /usr/libexec/smrsh | grep sm.bin
>Fix:
The file include/sm/conf.h contains some OS-specific customizations,
including some for SMRSH_CMDDIR. So that's a good place to add an
appropriate definition for NetBSD. This should really be fed back
to sendmail.org, and it would make sense after they update the
master version to remove the setting of CMDDIR in the in-tree
version, as well as removing the patch from the package. For now,
the patch below will suffice.
I've set the directory to /usr/libexec/sm.bin to match the in-tree
version, rather than /usr/pkg/libexec/sm.bin. There are several
reasons for this choice:
* The pkg version of sendmail is supposed to replace the in-tree
version, so it should be as easy to drop into place as possible
(i.e., it shouldn't be necessary to set up an additional sm.bin
directory just to make it work like the in-tree version).
* Users shouldn't modify /usr/pkg/not_etc. (I'm not crazy about
modifying /usr/libexec/... either, but at least it doesn't
break PLISTs, and the changes survive most upgrades.)
* The setup of sm.bin is logically a system-configuration issue,
not a package-configuration issue, and /usr/pkg might be
shared. (Of course, so might /usr/libexec, so, maybe it should
really be in etc or var/something.)
But I'm sure someone will disagree :-).
BTW: One might argue that the man page should be modified as well.
But: (a) it's not modified in the in-tree version, (b) it refers
to /usr/adm/sm.bin as the _default_ location, thus warning the
user that that might not be the actual one, and (c) the directory
might be different for other OS's supported by pkgsrc, so it gets
complicated to get them all right.
And one last point: I didn't think it appropriate to make the
location of the sm.bin directory depend on the version of the
NetBSD.
Well, and just one more: maybe some additional sm.bin settings
for other OS's supported by pkgsrc might be appropriate.
--- include/sm/conf.h.orig 2003-03-06 11:38:06.000000000 -0700
+++ include/sm/conf.h 2003-04-04 14:31:36.000000000 -0700
@@ -888,10 +888,13 @@
# define SPT_TYPE SPT_BUILTIN /* setproctitle is in libc */
# endif /* defined(__NetBSD__) && (NetBSD > 199307 || NetBSD0_9 > 1) */
# if defined(__NetBSD__) && ((__NetBSD_Version__ > 102070000) || (NetBSD1_2 > 8) || defined(NetBSD1_4) || defined(NetBSD1_3))
# define HASURANDOMDEV 1 /* has /dev/urandom(4) */
# endif /* defined(__NetBSD__) && ((__NetBSD_Version__ > 102070000) || (NetBSD1_2 > 8) || defined(NetBSD1_4) || defined(NetBSD1_3)) */
+# if defined(__NetBSD__)
+# define SMRSH_CMDDIR "/usr/libexec/sm.bin"
+# endif /* defined(__NetBSD__) */
# if defined(__FreeBSD__)
# define HASSETLOGIN 1 /* has setlogin(2) */
# if __FreeBSD_version >= 227001
# define HASSRANDOMDEV 1 /* has srandomdev(3) */
# define HASURANDOMDEV 1 /* has /dev/urandom(4) */
>Release-Note:
>Audit-Trail:
>Unformatted: