authorMichael Orlitzky <mjo@gentoo.org>2019-03-27 10:36:32 -0400
committerMichael Orlitzky <mjo@gentoo.org>2019-03-27 13:18:05 -0400
commitbef349fb49583b1d4249af3f490d02db049066d5 (patch)
tree63bb4f5574d8273d5206c448e24cda8da66a6279 /mail-filter/opendkim
parentmail-filter/opendkim: remove dangerous elog suggesting "umask 000". (diff)
mail-filter/opendkim: new revision with a dedicated "opendkim" user.
Prior to this revision, the OpenDKIM daemon would run as the "milter" user, which is a username shared by a few other related packages. However, that user has the ability to read your private DKIM signing keys, and no other services should have access to those. Thus, sharing the user account creates a security risk. In the new revision, a dedicated "opendkim" user is created for the OpenDKIM daemon. The configuration, OpenRC service script, and systemd service files have all been updated with the new user name. In addition, the permissions on /var/lib/opendkim have been tightened so members of the "opendkim" group can only read it by default. The daemon does not need to modify your keys, in particular, and should not be able to. One downside to this is that the "Statistics" configuration directive that was enabled by default with USE=berkdb will no longer work out-of-the-box. It will still work, but the administrator will need to grant write access to the file that he designates for the statistics data. But since it won't work without some extra fiddling, it has been removed from the configuration file that we install. An ewarn notifies users who are upgrading of the account name change. Closes: https://bugs.gentoo.org/629888 Signed-off-by: Michael Orlitzky <mjo@gentoo.org> Package-Manager: Portage-2.3.62, Repoman-2.3.11
Diffstat (limited to 'mail-filter/opendkim')
-rw-r--r--mail-filter/opendkim/files/opendkim-r2.service15
-rw-r--r--mail-filter/opendkim/files/opendkim.init.r455
-rw-r--r--mail-filter/opendkim/opendkim-2.10.3-r6.ebuild (renamed from mail-filter/opendkim/opendkim-2.10.3-r5.ebuild)37
3 files changed, 92 insertions, 15 deletions
diff --git a/mail-filter/opendkim/files/opendkim-r2.service b/mail-filter/opendkim/files/opendkim-r2.service
new file mode 100644
index 000000000000..006ff822d7f9
--- /dev/null
+++ b/mail-filter/opendkim/files/opendkim-r2.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=DomainKeys Identified Mail (DKIM) Milter
+Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
+After=network.target nss-lookup.target syslog.target
+
+[Service]
+ExecStart=/usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf
+ExecReload=/bin/kill -USR1 $MAINPID
+RuntimeDirectory=opendkim
+RuntimeDirectoryMode=0750
+User=opendkim
+Group=opendkim
+
+[Install]
+WantedBy=multi-user.target
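Review bot: `RuntimeDirectoryMode=0750` together with `Group=opendkim` means an MTA that talks to a local socket under /run/opendkim has to be a member of the opendkim group, and nothing in the unit says so. The ebuild change in this commit gives that same group read access to /var/lib/opendkim, so the membership also affects the key directory. Whether the socket actually lives in the runtime directory is decided by opendkim.conf, which is not shown here, so a comment above the directive is the right fix: `# MTAs using a local socket here must be in the opendkim group; that group can also read /var/lib/opendkim`.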
diff --git a/mail-filter/opendkim/files/opendkim.init.r4 b/mail-filter/opendkim/files/opendkim.init.r4
new file mode 100644
index 000000000000..8c349b85dd31
--- /dev/null
+++ b/mail-filter/opendkim/files/opendkim.init.r4
@@ -0,0 +1,55 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+CONFFILE=/etc/opendkim/${SVCNAME}.conf
+
+depend() {
+ use dns logger net
+ before mta
+}
+
+check_cfg() {
+
+ PIDFILE=$(sed -ne 's/^[[:space:]]*PidFile[[:space:]]\+//p' "${CONFFILE}")
+ local PIDDIR="${PIDFILE%/*}"
+ if [ ! -d "${PIDDIR}" ] ; then
+ checkpath -q -d -o opendkim:opendkim -m 0755 "${PIDDIR}" || return 1
+ fi
+ if [ ! -f "${CONFFILE}" ] ; then
+ eerror "Configuration file ${CONFFILE} is missing"
+ return 1
+ fi
+ if [ -z "${PIDFILE}" ] ; then
+ eerror "Configuration file needs PidFile setting - recommend adding 'PidFile /var/run/opendkim/${SVCNAME}.pid' to ${CONFFILE}"
+ return 1
+ fi
+
+ if egrep -q '^[[:space:]]*Background[[:space:]]+no' "${CONFFILE}" ; then
+ eerror "${SVCNAME} service cannot run with Background key set to yes!"
+ return 1
+ fi
+}
+
+start() {
+ check_cfg || return 1
+
+ # Remove stalled Unix socket if no other process is using it
+ local UNIX_SOCKET=$(sed -ne 's/^[[:space:]]*Socket[[:space:]]\+\(unix\|local\)://p' "${CONFFILE}")
+
+ if [ -S "${UNIX_SOCKET}" ] && ! fuser -s "${UNIX_SOCKET}"; then
+ rm "${UNIX_SOCKET}"
+ fi
+
+ ebegin "Starting OpenDKIM"
+ start-stop-daemon --start --pidfile "${PIDFILE}" \
+ --exec /usr/sbin/opendkim -- -x "${CONFFILE}"
+ eend $?
+}
+
+stop() {
+ check_cfg || return 1
+ ebegin "Stopping OpenDKIM"
+ start-stop-daemon --stop --pidfile "${PIDFILE}"
+ eend $?
+}
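Review bot: In check_cfg, sed reads `${CONFFILE}` and `checkpath` runs on `${PIDDIR}` before the script has confirmed that the config file exists or that `${PIDFILE}` is non-empty. With no PidFile setting, `checkpath` is handed an empty path and presumably fails, returning before the intended "needs PidFile setting" message is printed; the two existence tests should move above the `checkpath` call. The Background test matches `Background ... no` but reports "set to yes", so the message should read `eerror "${SVCNAME} service cannot run with Background key set to no!"`. `checkpath` also uses `-m 0755` where the systemd unit in this commit uses 0750 for its runtime directory, so the two init systems leave it with different modes and one value should be chosen deliberately.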
diff --git a/mail-filter/opendkim/opendkim-2.10.3-r5.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r6.ebuild
index fe0d7c091a71..f82109150545 100644
--- a/mail-filter/opendkim/opendkim-2.10.3-r5.ebuild
+++ b/mail-filter/opendkim/opendkim-2.10.3-r6.ebuild
@@ -45,11 +45,9 @@ PATCHES=(
)
pkg_setup() {
- enewgroup milter
- # mail-milter/spamass-milter creates milter user with this home directory
- # For consistency reasons, milter user must be created here with this home directory
- # even though this package doesn't need a home directory for this user (#280571)
- enewuser milter -1 -1 /var/lib/milter milter
+ # This user can read your private keys, and must therefore not be
+ # shared with any other package.
+ enewuser opendkim
}
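Review bot: `enewuser opendkim` is called without a group argument and the `enewgroup` call was removed, yet the rest of the commit depends on a group named opendkim (`fowners root:opendkim`, `Group=opendkim`, `checkpath -o opendkim:opendkim`, `chown opendkim:opendkim`). Whether that group is created implicitly depends on the system's account-creation defaults, which the hunk does not show. Creating it explicitly removes the dependency: `enewgroup opendkim` followed by `enewuser opendkim -1 -1 -1 opendkim`.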
src_prepare() {
@@ -58,7 +56,7 @@ src_prepare() {
sed -i -e 's:/var/db/dkim:/etc/opendkim:g' \
-e 's:/var/db/opendkim:/var/lib/opendkim:g' \
-e 's:/etc/mail:/etc/opendkim:g' \
- -e 's:mailnull:milter:g' \
+ -e 's:mailnull:opendkim:g' \
-e 's:^#[[:space:]]*PidFile.*:PidFile /run/opendkim/opendkim.pid:' \
opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
stats/opendkim-reportstats{,.in} || die
@@ -123,12 +121,16 @@ src_install() {
dosbin stats/opendkim-reportstats
- newinitd "${FILESDIR}/opendkim.init.r3" opendkim
- systemd_newunit "${FILESDIR}/opendkim-r1.service" opendkim.service
+ newinitd "${FILESDIR}/opendkim.init.r4" opendkim
+ systemd_newunit "${FILESDIR}/opendkim-r2.service" opendkim.service
dodir /etc/opendkim
keepdir /var/lib/opendkim
- fowners milter:milter /var/lib/opendkim
+
+ # The OpenDKIM data (particularly, your keys) should be read-only to
+ # the UserID that the daemon runs as.
+ fowners root:opendkim /var/lib/opendkim
+ fperms 750 /var/lib/opendkim
# default configuration
if [ ! -f "${ROOT}"/etc/opendkim/opendkim.conf ]; then
@@ -137,11 +139,7 @@ src_install() {
if use unbound; then
echo TrustAnchorFile /etc/dnssec/root-anchors.txt >> "${D}"/etc/opendkim/opendkim.conf
fi
- echo UserID milter >> "${D}"/etc/opendkim/opendkim.conf
- if use berkdb; then
- echo Statistics /var/lib/opendkim/stats.dat >> \
- "${D}"/etc/opendkim/opendkim.conf
- fi
+ echo UserID opendkim >> "${D}"/etc/opendkim/opendkim.conf
fi
}
@@ -152,6 +150,15 @@ pkg_postinst() {
elog " emerge --config ${CATEGORY}/${PN}"
elog "It will help you create your key and give you hints on how"
elog "to configure your DNS and MTA."
+ else
+ ewarn "The user account for the OpenDKIM daemon has changed"
+ ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services"
+ ewarn "from being able to read your private keys. You should"
+ ewarn "adjust your existing configuration to use the \"opendkim\""
+ ewarn "user and group, and change the permissions on"
+ ewarn "${ROOT}var/lib/opendkim to root:opendkim with mode 0750."
+ ewarn "The owner and group of the files within that directory"
+ ewarn "will likely need to be adjusted as well."
fi
}
@@ -171,7 +178,7 @@ pkg_config() {
# generate the private and public keys
opendkim-genkey -b ${keysize} -D "${ROOT}"etc/opendkim/ \
-s ${selector} -d '(your domain)' && \
- chown milter:milter \
+ chown opendkim:opendkim \
"${ROOT}"etc/opendkim/"${selector}".private || \
{ eerror "Failed to create private and public keys." ; return 1; }
chmod go-r "${ROOT}"etc/opendkim/"${selector}".private
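Review bot: The new `chown opendkim:opendkim` makes the daemon account the owner of the generated private key, so the daemon can rewrite the file or change its mode. That contradicts the commit's stated aim that the daemon should read its keys but not modify them. Keeping root as owner and giving the group read access would match the directory change in src_install: `chown root:opendkim` on the `.private` file and `chmod u=rw,g=r,o=` in place of `chmod go-r`. The trade-off is that every member of the opendkim group could then read the key, so group membership would need to stay restricted to the daemon. pkg_config begins and ends outside this hunk.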