Overview
Request 1008186 accepted
- Do not start sendmail-client as user mail as this one is not
allowed to check port smtp aka 25
- Fix sm-client.pre script as ports are not only numbers but
also alias names
- Rework system service unit files
* sendmail-client now uses user and group mail, which requires
that /etc/mail/system/ becomes readable by all users, e.g. mail
* sendmail now uses -bD to avoid a fork, this requires Type=exec
- Various bug fixes
- Require user and group mail for post and verify scriptlets
- Add a %ghost for /run/sendmail which is created by
the tmpfiles systemd configuration of sendmail
- Own /var/spool/mail (boo#1179574)
- Avoid older alias.db
- Avoid that sendmail cannot write its pid file
- Allow sendmail and its helpers like maildrop and procmail
to write into the users' mail folders
- Created by WernerFink
- In state accepted
- Supersedes 990515 1005637
Needs audit
Might be, but sendmail should be functional and this is currently not the case, as I've learned the hard way at home. The first problem was that this automatic change of the systemd service done by the security team had broken mail drop delivery ... and sendmail was not able to create its pid file anymore
Yes, those "automatic hardening" submissions are awful and need to be treated with utmost care if not declined directly. I think you missed the "This has not been tested." part in the SR description back then. Feel free to just revert the change.
Ah ... I've discussed this with security people and they had insisted.
Now as I've tested it as sysadmin/postmaster and as user I know that it is broken.
sendmail.x86_64: E: permissions-file-digest-mismatch (Badness: 10) /etc/permissions.d/sendmail expected sha256:423780cfd9d5935a26981b1cfede12816c1ce4c0982c22dd28d4ceadeed5cce5, has:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486
sendmail.x86_64: E: permissions-file-digest-mismatch (Badness: 10) /etc/permissions.d/sendmail.paranoid expected sha256:afa2a74dfef4ac98dd048a7c962a3528e4b5c932e538f7c3666f167924de2d4e, has:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c
A permissions.d drop-in snippet changed in content. Packaging permissions.d drop-in snippets requires a review and whitelisting by the SUSE security team. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team. Please refer to https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for more information.
sendmail.x86_64: W: permissions-dir-without-slash /etc/mail/auth
sendmail.x86_64: W: permissions-dir-without-slash /etc/mail/certs
sendmail.x86_64: W: permissions-dir-without-slash /etc/mail/system
sendmail.x86_64: W: permissions-dir-without-slash /usr/libexec/sendmail.d/bin
sendmail.x86_64: W: permissions-dir-without-slash /var/spool/mqueue
The entry in the permissions file refers to a directory. Please contact security@suse.de to append a slash to the entry in order to avoid security problems. Please refer to https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for more information.
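The two rpmlint findings above (a drop-in whose content no longer matches the digest the security team whitelisted, and directory entries written without a trailing slash) can be reproduced locally before submitting. The following is an added example, not rpmlint's or the sendmail package's own code: it parses a constructed permissions.d-style drop-in in chkstat's "path owner:group mode" format, compares its sha256 against a constructed whitelist, and flags directory entries lacking the slash; which paths are directories is supplied as a predicate, because rpmlint decides that from the package payload rather than the build host.

```python
import hashlib
import os

# Constructed sample drop-in; NOT the /etc/permissions.d/sendmail shipped by
# the package. Paths are the directories named in the rpmlint output above.
SAMPLE_DROPIN = """\
# sendmail permissions (constructed example)
/etc/mail/auth                 root:mail  0750
/etc/mail/certs/               root:mail  0750
/usr/sbin/sendmail             root:mail  2755
/var/spool/mqueue              root:mail  0700
"""

# Constructed whitelist: drop-in name -> sha256 of the reviewed content.
# The real whitelist lives in rpmlint's configuration, not in the package.
WHITELIST = {"sendmail": hashlib.sha256(SAMPLE_DROPIN.encode()).hexdigest()}


def parse_entries(text):
    """Yield (path, owner, group, mode) tuples; skip comments, blank lines
    and '+capabilities' continuation lines of the chkstat format."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+"):
            continue
        path, owner_group, mode = line.split()
        owner, group = owner_group.split(":", 1)
        yield path, owner, group, int(mode, 8)


def check_dropin(name, text, is_dir=os.path.isdir, whitelist=WHITELIST):
    """Return rpmlint-style findings for one permissions.d drop-in."""
    findings = []
    digest = hashlib.sha256(text.encode()).hexdigest()
    expected = whitelist.get(name)
    if expected is None:
        findings.append(f"E: drop-in {name} is not whitelisted (needs security review)")
    elif expected != digest:
        findings.append(f"E: permissions-file-digest-mismatch {name} "
                        f"expected sha256:{expected}, has:{digest}")
    for path, _owner, _group, _mode in parse_entries(text):
        # chkstat only treats a trailing-slash entry as a directory entry;
        # without it the path could be swapped for a regular file or symlink.
        if is_dir(path) and not path.endswith("/"):
            findings.append(f"W: permissions-dir-without-slash {path}")
    return findings


if __name__ == "__main__":
    for line in check_dropin("sendmail", SAMPLE_DROPIN):
        print(line)
```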
Request History
WernerFink created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
RBrownFactory set openSUSE:Factory:Staging:H as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:H"
RBrownFactory accepted review
Picked "openSUSE:Factory:Staging:H"
RBrownFactory added factory-staging as a reviewer
Being evaluated by group "factory-staging"
RBrownFactory accepted review
Unstaged from project "openSUSE:Factory:Staging:H"
RBrownFactory set openSUSE:Factory:Staging:E as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:E"
RBrownFactory accepted review
Picked "openSUSE:Factory:Staging:E"
dimstar accepted review
favogt_factory accepted review
Staging Project openSUSE:Factory:Staging:E got accepted.
favogt_factory approved review
Staging Project openSUSE:Factory:Staging:E got accepted.
favogt_factory accepted request
Staging Project openSUSE:Factory:Staging:E got accepted.
Please test together with SR#1007830, thanks a lot
Please use same staging as for rpmlint otherwise it fails
openSUSE:Factory:Staging:H -> openSUSE:Factory:Staging:D