authorRobin Gloster <mail@glob.in>2016-05-30 19:39:34 +0000
committerRobin Gloster <mail@glob.in>2016-05-30 19:39:34 +0000
commit2d382f3d981fc9e4a350badb43736c252415d27c (patch)
tree3d5f7a96aa71be52c86f3c243b23424e319cc286 /pkgs/servers/mail
parent365379857fb561df949fc841e80458e317a1d682 (diff)
parent2661511cdb39bd7612dd5311b46420785fc1eac8 (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/servers/mail')
-rw-r--r--pkgs/servers/mail/opensmtpd/default.nix50
-rw-r--r--pkgs/servers/mail/opensmtpd/extras.nix2
-rw-r--r--pkgs/servers/mail/opensmtpd/proc_path.diff76
-rw-r--r--pkgs/servers/mail/postfix/default.nix2
4 files changed, 78 insertions, 52 deletions
diff --git a/pkgs/servers/mail/opensmtpd/default.nix b/pkgs/servers/mail/opensmtpd/default.nix
index 94bc9f2bfe98..46fc9bc00f2b 100644
--- a/pkgs/servers/mail/opensmtpd/default.nix
+++ b/pkgs/servers/mail/opensmtpd/default.nix
@@ -1,33 +1,51 @@
-{ stdenv, fetchurl, autoconf, automake, libtool, bison
-, libasr, libevent, zlib, openssl, db, pam, cacert
+{ stdenv, lib, fetchurl, autoconf, automake, libtool, bison
+, libasr, libevent, zlib, openssl, db, pam
+
+# opensmtpd requires root for no reason to encrypt passwords, this patch fixes it
+# see also https://github.com/OpenSMTPD/OpenSMTPD/issues/678
+, unpriviledged_smtpctl_encrypt ? true
+
+# This enables you to override the '+' character which typically separates the user from the tag in user+tag@domain.tld
+, tag_char ? null
 }:
 
 stdenv.mkDerivation rec {
   name = "opensmtpd-${version}";
-  version = "5.7.3p2";
+  version = "5.9.2p1";
 
   nativeBuildInputs = [ autoconf automake libtool bison ];
   buildInputs = [ libasr libevent zlib openssl db pam ];
 
   src = fetchurl {
     url = "http://www.opensmtpd.org/archives/${name}.tar.gz";
-    sha256 = "0d2973008d0f66bebb84bed516be6c32617735241cc54dd26643529281a8e52b";
+    sha256 = "07d7f1m5sxyz6mkk228rcm7fsf7350994ayvmhgph333q5rz48im";
   };
 
   patches = [ ./proc_path.diff ];
 
+  postPatch = with builtins; with lib;
+    optionalString (isString tag_char) ''
+      sed -i -e "s,TAG_CHAR.*'+',TAG_CHAR '${tag_char}'," smtpd/smtpd-defines.h
+    '' +
+    optionalString unpriviledged_smtpctl_encrypt ''
+      substituteInPlace smtpd/smtpctl.c --replace \
+        'if (geteuid())' \
+        'if (geteuid() != 0 && !(argc > 1 && !strcmp(argv[1], "encrypt")))'
+    '';
+
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
     "--with-mantype=doc"
-    "--with-pam"
-    "--without-bsd-auth"
-    "--with-sock-dir=/run"
-    "--with-privsep-user=smtpd"
-    "--with-queue-user=smtpq"
-    "--with-ca-file=/etc/ssl/certs/ca-certificates.crt"
-    "--with-libevent-dir=${libevent.dev}"
-    "--enable-table-db"
+    "--with-auth-pam"
+    "--without-auth-bsdauth"
+    "--with-path-socket=/run"
+    "--with-user-smtpd=smtpd"
+    "--with-user-queue=smtpq"
+    "--with-group-queue=smtpq"
+    "--with-path-CAfile=/etc/ssl/certs/ca-certificates.crt"
+    "--with-libevent=${libevent.dev}"
+    "--with-table-db"
   ];
 
   installFlags = [
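Review bot: `tag_char` is spliced unescaped into the sed replacement in `postPatch` and from there into a C character literal, so a value such as `,`, `&`, `\` or anything longer than one character yields a broken sed expression or an invalid `TAG_CHAR` definition instead of a clear evaluation error. An `assert tag_char == null || builtins.stringLength tag_char == 1;` ahead of `stdenv.mkDerivation`, together with rejecting those metacharacters, would fail early. Nothing visible in the hunk checks that the sed or the `substituteInPlace` pattern actually matched, so after a later version bump either change could be dropped silently; a `grep -q` on the patched files would catch that. Because the second substitution relaxes smtpctl's root check, the comment above `unpriviledged_smtpctl_encrypt` should also state why `encrypt` is safe to run unprivileged. The derivation body continues past this hunk.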
@@ -35,14 +53,14 @@ stdenv.mkDerivation rec {
     "localstatedir=\${TMPDIR}"
   ];
 
-  meta = {
+  meta = with stdenv.lib; {
     homepage = https://www.opensmtpd.org/;
     description = ''
       A free implementation of the server-side SMTP protocol as defined by
       RFC 5321, with some additional standard extensions
     '';
-    license = stdenv.lib.licenses.isc;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.rickynils ];
+    license = licenses.isc;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ rickynils obadz ];
   };
 }
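Review bot: `meta = with stdenv.lib;` reaches `lib` through `stdenv` although this commit adds `lib` to the function arguments and `postPatch` already uses `with lib;`. For consistency within the file this could be `meta = with lib; {`. The derivation opens outside this hunk.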
diff --git a/pkgs/servers/mail/opensmtpd/extras.nix b/pkgs/servers/mail/opensmtpd/extras.nix
index 0123d19bf3fa..cf93b11ba9aa 100644
--- a/pkgs/servers/mail/opensmtpd/extras.nix
+++ b/pkgs/servers/mail/opensmtpd/extras.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
     "--sysconfdir=/etc"
     "--localstatedir=/var"
     "--with-privsep-user=smtpd"
-    "--with-libevent-dir=${libevent}"
+    "--with-libevent-dir=${libevent.dev}"
 
     "--with-filter-clamav"
     "--with-filter-dkim-signer"
diff --git a/pkgs/servers/mail/opensmtpd/proc_path.diff b/pkgs/servers/mail/opensmtpd/proc_path.diff
index 0e8eac0bb83b..9306685e365e 100644
--- a/pkgs/servers/mail/opensmtpd/proc_path.diff
+++ b/pkgs/servers/mail/opensmtpd/proc_path.diff
@@ -1,11 +1,12 @@
-diff -Naur opensmtpd-5.7.1p1/smtpd/parse.y opensmtpd-5.7.1p1.patched/smtpd/parse.y
---- opensmtpd-5.7.1p1/smtpd/parse.y	2015-06-30 10:13:34.000000000 +0200
-+++ opensmtpd-5.7.1p1.patched/smtpd/parse.y	2015-09-26 08:41:17.012472516 +0200
-@@ -2519,13 +2519,19 @@
+diff --git a/smtpd/parse.y b/smtpd/parse.y
+index ab02719..c1c77d9 100644
+--- a/smtpd/parse.y
++++ b/smtpd/parse.y
+@@ -2534,13 +2534,19 @@ create_filter_proc(char *name, char *prog)
  {
  	struct filter_conf	*f;
  	char			*path;
-+        const char              *proc_path;
++	const char		*proc_path;
  
  	if (dict_get(&conf->sc_filters, name)) {
  		yyerror("filter \"%s\" already defined", name);
@@ -13,64 +14,71 @@ diff -Naur opensmtpd-5.7.1p1/smtpd/parse.y opensmtpd-5.7.1p1.patched/smtpd/parse
  	}
  
 -	if (asprintf(&path, "%s/filter-%s", PATH_LIBEXEC, prog) == -1) {
-+        proc_path = getenv("OPENSMTPD_PROC_PATH");
-+        if (proc_path == NULL) {
-+                proc_path = PATH_LIBEXEC;
-+        }
++	proc_path = getenv("OPENSMTPD_PROC_PATH");
++	if (proc_path == NULL) {
++		proc_path = PATH_LIBEXEC;
++	}
 +
 +	if (asprintf(&path, "%s/filter-%s", proc_path, prog) == -1) {
  		yyerror("filter \"%s\" asprintf failed", name);
  		return (0);
  	}
-diff -Naur opensmtpd-5.7.1p1/smtpd/smtpd.c opensmtpd-5.7.1p1.patched/smtpd/smtpd.c
---- opensmtpd-5.7.1p1/smtpd/smtpd.c	2015-06-30 10:13:34.000000000 +0200
-+++ opensmtpd-5.7.1p1.patched/smtpd/smtpd.c	2015-09-26 08:41:16.998472557 +0200
-@@ -854,6 +854,7 @@
+diff --git a/smtpd/smtpd.c b/smtpd/smtpd.c
+index afc8891..9b0a80f 100644
+--- a/smtpd/smtpd.c
++++ b/smtpd/smtpd.c
+@@ -795,6 +795,7 @@ fork_proc_backend(const char *key, const char *conf, const char *procname)
  	char		path[PATH_MAX];
  	char		name[PATH_MAX];
  	char		*arg;
-+        char            *proc_path;
++	char		*proc_path;
  
  	if (strlcpy(name, conf, sizeof(name)) >= sizeof(name)) {
  		log_warnx("warn: %s-proc: conf too long", key);
-@@ -864,7 +865,12 @@
+@@ -805,7 +806,12 @@ fork_proc_backend(const char *key, const char *conf, const char *procname)
  	if (arg)
  		*arg++ = '\0';
  
 -	if (snprintf(path, sizeof(path), PATH_LIBEXEC "/%s-%s", key, name) >=
-+        proc_path = getenv("OPENSMTPD_PROC_PATH");
-+        if (proc_path == NULL) {
-+                proc_path = PATH_LIBEXEC;
-+        }
++	proc_path = getenv("OPENSMTPD_PROC_PATH");
++	if (proc_path == NULL) {
++		proc_path = PATH_LIBEXEC;
++	}
 +
 +	if (snprintf(path, sizeof(path), "%s/%s-%s", proc_path, key, name) >=
  	    (ssize_t)sizeof(path)) {
  		log_warn("warn: %s-proc: exec path too long", key);
  		return (-1);
-diff -Naur opensmtpd-5.7.1p1/smtpd/table.c opensmtpd-5.7.1p1.patched/smtpd/table.c
---- opensmtpd-5.7.1p1/smtpd/table.c	2015-06-30 10:13:34.000000000 +0200
-+++ opensmtpd-5.7.1p1.patched/smtpd/table.c	2015-09-26 08:41:17.005472536 +0200
-@@ -201,6 +201,7 @@
+diff --git a/smtpd/table.c b/smtpd/table.c
+index 21ee237..95b5164 100644
+--- a/smtpd/table.c
++++ b/smtpd/table.c
+@@ -193,6 +193,7 @@ table_create(const char *backend, const char *name, const char *tag,
  	struct table_backend	*tb;
  	char			 buf[LINE_MAX];
  	char			 path[LINE_MAX];
-+        const char              *proc_path;
++	const char		*proc_path;
  	size_t			 n;
  	struct stat		 sb;
  
-@@ -215,8 +216,14 @@
+@@ -207,11 +208,16 @@ table_create(const char *backend, const char *name, const char *tag,
  	if (name && table_find(name, NULL))
  		fatalx("table_create: table \"%s\" already defined", name);
  
-+        proc_path = getenv("OPENSMTPD_PROC_PATH");
-+        if (proc_path == NULL) {
-+                proc_path = PATH_LIBEXEC;
-+        }
++	proc_path = getenv("OPENSMTPD_PROC_PATH");
++	if (proc_path == NULL) {
++		proc_path = PATH_LIBEXEC;
++	}
 +
  	if ((tb = table_backend_lookup(backend)) == NULL) {
--		if ((size_t)snprintf(path, sizeof(path), PATH_LIBEXEC "/table-%s",
+-		if ((size_t)snprintf(path, sizeof(path), PATH_LIBEXEC"/table-%s",
+-			backend) >= sizeof(path)) {
+-			fatalx("table_create: path too long \""
+-			    PATH_LIBEXEC"/table-%s\"", backend);
 +		if ((size_t)snprintf(path, sizeof(path), "%s/table-%s",
-+                    proc_path,
- 		    backend) >= sizeof(path)) {
- 			fatalx("table_create: path too long \""
- 			    PATH_LIBEXEC "/table-%s\"", backend);
++			proc_path, backend) >= sizeof(path)) {
++			fatalx("table_create: path too long \"%s/table-%s\"",
++				proc_path, backend);
+ 		}
+ 		if (stat(path, &sb) == 0) {
+ 			tb = table_backend_lookup("proc");
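Review bot: `OPENSMTPD_PROC_PATH` is read with plain `getenv()` in `create_filter_proc`, `fork_proc_backend` and `table_create` and becomes the directory that helper executables are resolved from, so the environment of the process decides which binaries are used. The patch should carry a header comment stating that the variable is meant to be set only by the service definition, and, if any of these paths is reachable from a set-id program (not visible here), the lookup should be `secure_getenv("OPENSMTPD_PROC_PATH")`. The smtpd.c declaration is `char *proc_path;` while parse.y and table.c use `const char *`; `const char *proc_path;` would match them. The same four-line fallback appears three times and could live in one helper; all three function bodies extend beyond the patch context.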
diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix
index 70f834791607..392b1014656f 100644
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@@ -7,7 +7,7 @@
 
 let
   ccargs = lib.concatStringsSep " " ([
-    "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl}/include/sasl"
+    "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl.dev}/include/sasl"
     "-DHAS_DB_BYPASS_MAKEDEFS_CHECK"
    ] ++ lib.optional withPgSQL "-DHAS_PGSQL"
      ++ lib.optionals withMySQL [ "-DHAS_MYSQL" "-I${libmysql}/include/mysql" ]