From owner-freebsd-ports-bugs@FreeBSD.ORG  Fri Aug 31 22:00:07 2007
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6926016A41B
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Fri, 31 Aug 2007 22:00:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 469C713C46E
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Fri, 31 Aug 2007 22:00:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l7VM07jG050918
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Fri, 31 Aug 2007 22:00:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l7VM079D050917;
	Fri, 31 Aug 2007 22:00:07 GMT (envelope-from gnats)
Date: Fri, 31 Aug 2007 22:00:07 GMT
Message-Id: <200708312200.l7VM079D050917@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: "Internet Partners, Inc. Tech Support" <support@ipinc.net>
Cc: 
Subject: Re: ports/115957: Questionable ownership and security on dspam port
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Internet Partners, Inc. Tech Support" <support@ipinc.net>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2007 22:00:07 -0000

The following reply was made to PR ports/115957; it has been noted by GNATS.

From: "Internet Partners, Inc. Tech Support" <support@ipinc.net>
To: <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: ports/115957: Questionable ownership and security on dspam port
Date: Fri, 31 Aug 2007 14:19:20 -0700

 send-pr ate the first part of this PR so here's the rest:
 
 The Dspam port in /usr/ports/mail/dspam by default installs with the
 following options:
 
 DSPAM_HOME_OWNER=root
 DSPAM_HOME_OWNER=mail
 
 It also sets up the webUI to run suexec.
 
 THe problem here is that under Apache 1.3 the suexec header has a minimum
 UID and GIU in it's header of 100
 
 This makes it impossible to run the dspam webUI. If you try running the
 webUI
 under a dspam user above 100, then it can't read /var/db/dspam/data
 directories.
 If you try running the webUI under a GID of mail, suexec won't allow it to
 run.
 
 The ideal thing from a security standpoint would be for the dspam port to
 install with DSPAM_HOME_OWNER and DSPAM_HOME_OWNER both set to username
 dspam, and have the port create that UID and GID on the system.  That is how
 the port USED to work.  I don't know why the maintainer changed it.
 
 If for some reason dspam must run with root UID in order to work with mail,
 then the port should check the minimum GID in suexec with a test program,
 and
 issue an error to the admin to recompile suexec with a minimum GID of 5,
 then
 the apache entry for the port then runs the dspam vhost web UI under the
 mail group.