update min uid value to 1000 as everywhere
use sysusers method for user creation related: #RHEL-40657
parent
5088b36637
commit
1d51027feb
@ -1,6 +1,15 @@
|
||||
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
|
||||
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
|
||||
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100
|
||||
diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
|
||||
--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
|
||||
+++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200
|
||||
@@ -175,7 +175,7 @@ namespace inbox {
|
||||
# to make sure that users can't log in as daemons or other system users.
|
||||
# Note that denying root logins is hardcoded to dovecot binary and can't
|
||||
# be done even if first_valid_uid is set to 0.
|
||||
-#first_valid_uid = 500
|
||||
+first_valid_uid = 1000
|
||||
#last_valid_uid = 0
|
||||
|
||||
# Valid GID range for users, defaults to non-root/wheel. Users having
|
||||
@@ -322,6 +322,7 @@ protocol !indexer-worker {
|
||||
# them simultaneously.
|
||||
#mbox_read_locks = fcntl
|
||||
@ -9,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings
|
||||
|
||||
# Maximum time to wait for lock (all of them) before aborting.
|
||||
#mbox_lock_timeout = 5 mins
|
||||
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
|
||||
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
|
||||
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100
|
||||
diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
|
||||
--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
|
||||
+++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200
|
||||
@@ -3,7 +3,9 @@
|
||||
##
|
||||
|
||||
@ -23,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings
|
||||
|
||||
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
|
||||
# dropping root privileges, so keep the key file unreadable by anyone but
|
||||
@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
|
||||
@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
|
||||
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
# To disable non-EC DH, use:
|
||||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
|
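Review bot: With `first_valid_uid = 1000` now set explicitly in the shipped 10-mail.conf, mail accounts whose UID falls in 500–999 (for example on hosts carried over from releases where regular UIDs started at 500) would be refused on a fresh configuration, and the changelog entry `- set min uid to 1000` does not say so. The explanatory comment this inner hunk sits under begins above the visible context; if it still describes 500 as the default, it should be updated in the same patch so the comment and the value agree. A changelog line such as `- set first_valid_uid to 1000; accounts with a lower UID need an explicit override` would make the behaviour change visible to administrators.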
48
dovecot.spec
48
dovecot.spec
@ -6,7 +6,7 @@ Name: dovecot
|
||||
Epoch: 1
|
||||
Version: 2.3.21
|
||||
%global prever %{nil}
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
|
||||
License: MIT AND LGPL-2.1-only
|
||||
|
||||
@ -21,6 +21,8 @@ Source10: dovecot.tmpfilesd
|
||||
|
||||
#our own
|
||||
Source14: dovecot.conf.5
|
||||
Source15: prestartscript
|
||||
Source16: dovecot.sysusers
|
||||
|
||||
# 3x Fedora/RHEL specific
|
||||
Patch1: dovecot-2.0-defaultconfig.patch
|
||||
@ -53,8 +55,6 @@ Patch23: dovecot-2.3.20-nolibotp.patch
|
||||
# adapted from 2.4 dovecot, issue #RHEL-33733
|
||||
Patch24: dovecot-2.3.21-noengine.patch
|
||||
|
||||
Source15: prestartscript
|
||||
|
||||
BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
|
||||
BuildRequires: libtool, autoconf, automake, pkgconfig
|
||||
BuildRequires: sqlite-devel
|
||||
@ -141,20 +141,20 @@ This package provides the development files for dovecot.
|
||||
# standardize name, so we don't have to update patches and scripts
|
||||
mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
|
||||
|
||||
%patch -P1 -p1 -b .default-settings
|
||||
%patch -P2 -p1 -b .mkcert-permissions
|
||||
%patch -P3 -p1 -b .mkcert-paths
|
||||
%patch -P6 -p1 -b .waitonline
|
||||
%patch -P8 -p1 -b .initbysystemd
|
||||
%patch -P9 -p1 -b .systemd_w_protectsystem
|
||||
%patch -P15 -p1 -b .bigkey
|
||||
%patch -P16 -p1 -b .opensslhmac
|
||||
%patch -P17 -p1 -b .fixvalcond
|
||||
%patch -P18 -p1 -b .valbasherr
|
||||
%patch -P20 -p1 -b .opensslv3
|
||||
%patch -P21 -p1 -b .7bad6a24
|
||||
%patch -P22 -p1 -b .c99
|
||||
%patch -P23 -p1 -b .nolibotp
|
||||
%patch -P 1 -p1 -b .default-settings
|
||||
%patch -P 2 -p1 -b .mkcert-permissions
|
||||
%patch -P 3 -p1 -b .mkcert-paths
|
||||
%patch -P 6 -p1 -b .waitonline
|
||||
%patch -P 8 -p1 -b .initbysystemd
|
||||
%patch -P 9 -p1 -b .systemd_w_protectsystem
|
||||
%patch -P 15 -p1 -b .bigkey
|
||||
%patch -P 16 -p1 -b .opensslhmac
|
||||
%patch -P 17 -p1 -b .fixvalcond
|
||||
%patch -P 18 -p1 -b .valbasherr
|
||||
%patch -P 20 -p1 -b .opensslv3
|
||||
%patch -P 21 -p1 -b .7bad6a24
|
||||
%patch -P 22 -p1 -b .c99
|
||||
%patch -P 23 -p1 -b .nolibotp
|
||||
%patch -P 24 -p1 -b .noengine
|
||||
cp run-test-valgrind.supp dovecot-pigeonhole/
|
||||
# valgrind would fail with shell wrapper
|
||||
@ -261,6 +261,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
|
||||
#install waitonline script
|
||||
install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
|
||||
|
||||
install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers
|
||||
|
||||
# generate ghost .pem files
|
||||
mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
|
||||
mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
|
||||
@ -298,13 +300,7 @@ popd
|
||||
|
||||
%pre
|
||||
#dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid
|
||||
getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot
|
||||
getent passwd dovecot >/dev/null || \
|
||||
useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
|
||||
|
||||
getent group dovenull >/dev/null || groupadd -r dovenull
|
||||
getent passwd dovenull >/dev/null || \
|
||||
useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull
|
||||
%sysusers_create_compat %{SOURCE16}
|
||||
|
||||
if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
|
||||
then
|
||||
@ -382,6 +378,7 @@ make check
|
||||
|
||||
|
||||
%_tmpfilesdir/dovecot.conf
|
||||
%{_sysusersdir}/dovecot.sysusers
|
||||
%{_unitdir}/dovecot.service
|
||||
%{_unitdir}/dovecot-init.service
|
||||
%{_unitdir}/dovecot.socket
|
||||
@ -519,6 +516,9 @@ make check
|
||||
%{_libdir}/%{name}/dict/libdriver_pgsql.so
|
||||
|
||||
%changelog
|
||||
* Tue Jun 18 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-10
|
||||
- set min uid to 1000
|
||||
|
||||
* Thu Jun 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-9
|
||||
- do not run during systemd commands during leap upgrade
|
||||
|
||||
|
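Review bot: The sysusers fragment is installed as `%{_sysusersdir}/dovecot.sysusers`, but systemd-sysusers only reads files in sysusers.d whose names end in `.conf`, so the installed copy would be ignored at boot and on image-based installs. Account creation at package install should still work, because `%sysusers_create_compat %{SOURCE16}` in `%pre` is generated from the source file, which hides the problem on ordinary installs. I would install it with `install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.conf` and list `%{_sysusersdir}/dovecot.conf` in `%files`. The new changelog entry mentions only the UID change; a line for the sysusers conversion would help anyone tracing where the dovecot and dovenull accounts come from.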
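--- a/dovecot.sysusers
+++ b/dovecot.sysusers
@@ -0,0 +1,9 @@
+#Type Name ID GECOS Home directory Shell
+g dovecot 97
+u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
+m dovecot dovecot
+
+g dovenull -
+u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m dovenull dovenull
+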
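Review bot: The `m dovecot dovecot` and `m dovenull dovenull` lines look redundant, since each `u` line already gives the account a primary group of the same name; the `m` lines only add the user to that group again as a supplementary member. The file also gives no reason for the fixed ID 97, and it is not certain from the spec hunk whether the old `%pre` comment about the reserved uid/gid survives. I would drop the two `m` lines and add a comment above `g dovecot 97` such as `# 97 is the statically reserved uid/gid for dovecot (see the setup package's uidgid list)`. It is also worth a comment that dovenull deliberately gets a dynamically allocated ID, so nobody later pins it to a fixed value by analogy.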