Morgan Weetman | 3 Jun 08:51

Updated RPM - SUSE and Redhat

Hi all,

	I've updated the rpm on SourceForge, the init script now works on SuSE
and Redhat so the release id has changed. Tested on openSUSE 10.3 and
RHEL4, pls let me know if you find any issues,

thnx 

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/

Andre Hübner | 1 Apr 16:20

Re: missing subfolders in /tmp/.policyd-weight

Oh, all clear. I only thought so because the author writes on the homepage that 
not much is going on here.

OK, I'll change my setup a bit now, that's probably best. I'll remove the 
stuff from the master
and start policyd-weight as a separate daemon. In main.cf I'll then 
put
check_policy_service inet:127.0.0.1:12525

as intended. Only with stop -> start I've had the experience that 
it hangs now and then. But I can work around this if I remove 
/tmp/.policyd-weight after the stop.
I'll build it into the postfix start script that way, that will be best. We'll 
see.

Many thanks

andre

----- Original Message ----- 
From: "Daniel Hackenberg" <dh@...>
To: "Andre Hübner" <andre.huebner@...>
Sent: Tuesday, April 01, 2008 2:02 PM
Subject: Re: missing subfolders in /tmp/.policyd-weight

The list isn't that inactive at all. You'll see that if you take a look at the
list archive at
http://news.gmane.org/gmane.mail.postfix.policyd%2dweight. And
there you'll find entries like this one
http://article.gmane.org/gmane.mail.postfix.policyd-weight/817

Andre Hübner | 1 Apr 13:26

missing subfolders in /tmp/.policyd-weight

Hi List,

i hope there is enough traffic here to get answers. ;)

I'm updating my postfix-configuration to the new policyd-weight Version: 
0.1.14 beta-17

Only difference to ./policyd-weight defaults is:

 $GROUP           = "nogroup";

policyd-weight.conf is in /etc/

 I do not start policyd-weight by ./policyd-weight start, i have this in my 
master.cf:

 policy-pdw    unix  -       n       n       -       -   spawn   user=polw
    argv=/usr/lib/postfix/policyd-weight

i cannot say the reason why this is made that way, this was made by other 
people

policyd-weight is running and gives a correct checkresult, but between the 
checks are also warnings in the log.

Apr  1 12:41:46 servername postfix/policyd-weight[8958]: warning: cache_query: $csock couln't be created: connect: No such file or directory, calling spawn_cache()
Apr  1 12:41:46 servername postfix/policyd-weight[8981]: warning: cache: 

Robert Felber | 28 Mar 16:13

security: version update: version 0.1.14 beta-17

Hello,

policyd-weight still did not check the working directory correctly.

    1st: I assumed  [ -L /foo/bar ] is the same as [ -L /foo/bar/ ]

    because the -L tells the file test what to look for. But in the
    latter form it is checked with S_IFDIR. 

    We normalize the path with File::Spec->canonpath as s,/+$,, is
    not sufficient.

    2nd: policyd-weight didn't check the ownership of real directories
    which might have resulted in a race attack. Policyd-weight once
    gets the stat/lstat and reuses that information in order to
    provide some sort of atomicity of the check_symlnk() sub-routine.

MD5 (policyd-weight)                        =
    68373b7cfeda52b78df6229ed658771e

SHA256 (policyd-weight)                     = 
    4245495685e516e00a363a97aaa17456f48c51fcbdb4458989a9d68db64083bc

MD5 (policyd-weight-0.1.14.17.tar.gz)       =
    c90128d2442ba343e8127dc0dbdcfd9a

SHA256 (policyd-weight-0.1.14.17.tar.gz)    =
    c13bac397cbd8c018b41686da4e4ce9450fb045752d7f0ab518d9836b39dbf36

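The two fixes described in this announcement, sketched in Perl as an added example (not policyd-weight's code; check_workdir() and the temporary paths are hypothetical): the path is normalized with File::Spec->canonpath, then symlink, type, owner and mode are all judged from one lstat() result. The group/other-writable test is an addition beyond what the message lists.

```perl
#!/usr/bin/perl
# Added example; check_workdir() is a hypothetical helper, not
# policyd-weight's own check_symlnk().
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Spec;
use File::Temp qw(tempdir);

# Validate a working directory from ONE lstat() call, so every decision
# below is made on the same snapshot of the inode.
sub check_workdir {
    my ($raw, $want_uid) = @_;

    # With a trailing "/" (or "/.") the kernel resolves a symlink at the
    # last component before lstat() sees it. canonpath removes both;
    # s,/+$,, would leave "/." in place.
    my $path = File::Spec->canonpath($raw);

    my @st = lstat($path) or return "missing";
    my ($mode, $uid) = @st[2, 4];

    return "symlink"              if S_ISLNK($mode);
    return "not a directory"      unless S_ISDIR($mode);
    return "wrong owner"          if $uid != $want_uid;
    return "group/other writable" if $mode & (S_IWGRP | S_IWOTH);
    return "ok";
}

# Constructed sample: a real directory and a symlink pointing at it.
my $base = tempdir(CLEANUP => 1);
my ($real, $link) = ("$base/real", "$base/link");
mkdir($real, 0700)    or die "mkdir: $!";
symlink($real, $link) or die "symlink: $!";

# The bare file test: the trailing slash hides the symlink.
for my $suffix ("", "/") {
    printf "-l link%-2s => %s\n", $suffix,
        (-l "$link$suffix") ? "symlink" : "not a symlink";
}

# The normalized single-lstat check on several spellings of the path.
for my $suffix ("", "/", "//", "/.") {
    printf "check link%-2s => %s\n", $suffix,
        check_workdir("$link$suffix", $>);
}
printf "check real/  => %s\n", check_workdir("$real/", $>);
```

A check by path name still leaves a gap between the check and later use while the parent directory is writable by other users, as /tmp is.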

Morgan Weetman | 27 Mar 04:01

pw rpm for RHEL / Fedora uploaded to sourceforge

Hi all,

	I have uploaded policyd-weight-0.1.14b15-1rh.noarch.rpm to the
sourceforge page - please note this is a Redhat based release.

I performed some basic testing on RHEL4, RHEL5 and Fedora 8 but please
let me know if you find any problems. The init script in this package is
not compatible with SuSE but I hope to release a SuSE-specific rpm
shortly depending on work commitments,

cheers,

Morgan


Martin Monshausen | 25 Mar 08:51

errors regarding cache

Hello,
we've reinstalled our server recently and since then we've got the following error: (in mail.log)

postfix/policyd-weight[22860]: warning: cache: err: cache: chdir /tmp/.policyd-weight/: No such file or directory at /usr/local/bin/policyd-weight line 2938, <STDIN> line 24.
postfix/policyd-weight[22859]: warning: cache_query: $csock couln't be created: connect: No such file or directory, calling spawn_cache()

Can someone please give some advice how to resolve the problem?

I've checked the directory /tmp/.policyd-weight/: it's existing, but it's empty.

We first used the debian package and then updated it with the actual 0.1.14 beta-15 one. All locations are
like in Setup HOWTO...      

Thanks a lot!!!

Yours,

Martin


Robert Felber | 25 Mar 01:40

security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)

Hello,

the new version addresses the issue below. Policyd-weight does now exit if it
detects symlinks on directories or sockets at startup or directory creation.

The flaw can lead to altered or deleted files on following systems:

    1: multiuser or 3rd-party-holes hosts that plan to use
       policyd-weight prior to 0.1.14 beta-15

    2: multiuser or 3rd-party-holes hosts that empty the /tmp directory

On systems which do have an existing working directory this should not have 
an impact as the permissions and ownership are set to write only by root or 
polw, and once the directory is created policyd-weight doesn't delete it.

Workaround/Advice:

users can also use /var/run/.policyd-weight as $LOCKPATH.
Users who change the $LOCKPATH must issue 'policyd-weight -k stop' first.
Otherwise they have to kill the children and cache manually.

MD5 (policyd-weight)                        = 
    b33265ca797eb545ed9df5b0032282e5

SHA256 (policyd-weight)                     =
    84aba66c39a016e60c073a2a2063d0433fc7f28d87baafb5846c48cb26bea5db

MD5 (policyd-weight-0.1.14.15.tar.gz)       =
    a3b23cdb37c1179587305b65d9a18515

Morgan Weetman | 15 Feb 00:31

policyd-weight maintenance

Summary:[offer to maintain policyd-weight]

> However, if you want to take over development and maintainership
> you are welcome to also run the policyd-weight.org web service.

I have a server to run the site from but don't want to tread on any
toes, being new here... if anyone else is interested, please say so

> Also you should sign on the mailing list and tell others
> that you want to continue, and what your plans and _your_ future
> philosophy with policyd-weight are.
> 
> 
> _My_ current philosophy was:
> 
>     - as few modules as possible
>     - low latency checks first
>     - as many reliable short circuit decisions as possible

agreed, efficiency is at the top of my list, I would also like to see
policyd-weight packaged to make it more accessible. I'll start reading
code and we'll see if there are any other offers..

cheers,

Morgan


Robert Felber | 14 Feb 08:36

Re: policyd-weight maintenance

On Thu, Feb 14, 2008 at 03:00:41PM +1100, Morgan Weetman wrote:
> Hi Robert,
> 
>     I am a systems engineer from Australia and I have been using
> policyd-weight for several months on my internet facing mail relays, the
> performance of the servers is vastly improved.
> 
>     I read your announcement regarding stopping development and wanted
> to assist if possible, I have not read through the code to gain a full
> understanding but perl is my language of choice. Please let me know if /
> how I can help you out,

The major problem of policyd-weight is, that it is somewhat
non-deterministic - at least from "not-familiar-with-the-code"-point of
view.

Because of this it does also lack a good documentation which
expresses the constraints of each check and their different
results such, that it would make users able to find the right
knob to adjust  -- easily, if ever.

However, if you want to take over development and maintainership
you are welcome to also run the policyd-weight.org web service.

Also you should sign on the mailing list and tell others
that you want to continue, and what your plans and _your_ future
philosophy with policyd-weight are.

_My_ current philosophy was:


Robert Felber | 9 Feb 13:52

Announce: I stop development of policyd-weight

Hello,

to put it short: I don't develop policyd-weight any further, nor do
I do any patching.

I don't have the time and resources anymore. Real- and Work-Life 
keeps me way too busy (When I started policyd-weight in 2005
I was able to program up to 48 hours. Today, with family 
and so on, I only have 1 to 2 hours with interrupts - while 
I need up to 1 or 2 hours to become familiar with the code again).

I do this step also because I realized I cannot provide, due to
the time-constraints, the constant reliability required for 
such a project anymore. I think, it is my responsibility to
stop, when the quality/reliability of development gets lower.
Probably I should even have done this step earlier.

Another reason is, if I receive patches, they often contain
module dependencies. I don't like to reject such patches
or to stress users to not use modules. You will know what I
mean if you received the Nth patch containing yet another simple
module and if you look one day at the memory footprint or if you
find yourself debugging N foreign modules.

If someone wants to continue with policyd-weight then it would
also be nice, if he takes over the policyd-weight.org domain.
I also appreciate maintainers-only.

Those seeking an alternative to policyd-weight might want to have a
look at postfwd - which makes the step to stop on policyd-weight

Justin Piszcz | 16 Jan 19:37

policyd-weight init.d/script needs 1 fix

Package: policyd-weight
Version: 0.1.14.5-1

Distribution: Debian Testing (Lenny)

If you do not kill the cache instance, when you (in Debian) 
/etc/init.d/policyd-weight stop, it only stops the master/child (but not 
the cache) process.

   echo -n "Stopping $DESC: "
+   # kill cache instance first.
+    $DAEMON -k
     $DAEMON $DAEMON_OPTS stop
   echo "$NAME."
   ;;
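
Review bot: the added "$DAEMON -k" call is made without $DAEMON_OPTS and without a command, while the existing line after it passes both ("$DAEMON $DAEMON_OPTS stop"), so the two calls need not see the same options. The beta-15 announcement on this list gives the form as 'policyd-weight -k stop'; suggest passing $DAEMON_OPTS and the stop command in the new call as well, and checking its exit status before continuing. The new comment and the new command are also indented one column apart (3 and 4 spaces).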
