From c02aec2a6880fadd2b4c4f6a2486831a887627fc Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Wed, 20 Feb 2008 00:00:00 -0500
Subject: [PATCH] postfix-2.6-20080220

---
 postfix/HISTORY                               | 21 +++++++---
 postfix/README_FILES/ADDRESS_REWRITING_README | 10 ++---
 postfix/README_FILES/DEBUG_README             | 10 ++---
 postfix/html/ADDRESS_REWRITING_README.html    |  2 +-
 postfix/html/DEBUG_README.html                |  2 +-
 postfix/html/master.8.html                    | 12 ++++--
 postfix/man/man8/master.8                     | 14 +++++--
 postfix/proto/ADDRESS_REWRITING_README.html   |  2 +-
 postfix/proto/DEBUG_README.html               |  2 +-
 postfix/src/global/mail_version.h             |  2 +-
 postfix/src/master/Makefile.in                |  1 +
 postfix/src/master/master.c                   | 42 +++++++++++++++++--
 12 files changed, 89 insertions(+), 31 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 2f788287e..22b7bc5ce 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -14337,12 +14337,21 @@ Apologies for any names omitted.
 
 20080212
 
-	Feature: check_reverse_client_access, to make access decisions
-	based on the unverified client hostname.  For safety reasons
-	an OK result is not allowed.  Noel Jones. Files:
-	smtpd/smtpd_check.c plus header files and documentation.
+	Feature: check_reverse_client_hostname_access, to make
+	access decisions based on the unverified client hostname.
+	For safety reasons an OK result is not allowed.  Noel Jones.
+	Files: smtpd/smtpd_check.c plus header files and documentation.
 
 20080215
 
-	Safety: break SASL loop in case both the SASL library and the
-	remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
+	Safety: break SASL loop in case both the SASL library and
+	the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
+
+20080220
+
+	Safety: the master daemon now sets an exclusive lock on a
+	file $data_directory/master.lock, so that the data directory
+	can't be shared between multiple Postfix instances.  This
+	would corrupt files that rely on single-writer updates
+	(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
+	master/master.c.
diff --git a/postfix/README_FILES/ADDRESS_REWRITING_README b/postfix/README_FILES/ADDRESS_REWRITING_README
index b7e75ad5a..63786eb89 100644
--- a/postfix/README_FILES/ADDRESS_REWRITING_README
+++ b/postfix/README_FILES/ADDRESS_REWRITING_README
@@ -752,11 +752,11 @@ Examples:
 
 DDeebbuuggggiinngg yyoouurr aaddddrreessss mmaanniippuullaattiioonnss
 
-With Postfix version 2.1 and later you can ask Postfix to produce mail delivery
-reports for debugging purposes. These reports not only show sender/recipient
-addresses after address rewriting and alias expansion or forwarding, they also
-show information about delivery to mailbox, delivery to non-Postfix command,
-responses from remote SMTP servers, and so on.
+Postfix version 2.1 and later can produce mail delivery reports for debugging
+purposes. These reports not only show sender/recipient addresses after address
+rewriting and alias expansion or forwarding, they also show information about
+delivery to mailbox, delivery to non-Postfix command, responses from remote
+SMTP servers, and so on.
 
 Postfix can produce two types of mail delivery reports for debugging:
 
diff --git a/postfix/README_FILES/DEBUG_README b/postfix/README_FILES/DEBUG_README
index fd447f8c2..6e041d733 100644
--- a/postfix/README_FILES/DEBUG_README
+++ b/postfix/README_FILES/DEBUG_README
@@ -64,11 +64,11 @@ The nature of each problem is indicated as follows:
 
 DDeebbuuggggiinngg PPoossttffiixx ffrroomm iinnssiiddee
 
-With Postfix version 2.1 and later you can ask Postfix to produce mail delivery
-reports for debugging purposes. These reports not only show sender/recipient
-addresses after address rewriting and alias expansion or forwarding, they also
-show information about delivery to mailbox, delivery to non-Postfix command,
-responses from remote SMTP servers, and so on.
+Postfix version 2.1 and later can produce mail delivery reports for debugging
+purposes. These reports not only show sender/recipient addresses after address
+rewriting and alias expansion or forwarding, they also show information about
+delivery to mailbox, delivery to non-Postfix command, responses from remote
+SMTP servers, and so on.
 
 Postfix can produce two types of mail delivery reports for debugging:
 
diff --git a/postfix/html/ADDRESS_REWRITING_README.html b/postfix/html/ADDRESS_REWRITING_README.html
index f2243516d..609060dea 100644
--- a/postfix/html/ADDRESS_REWRITING_README.html
+++ b/postfix/html/ADDRESS_REWRITING_README.html
@@ -1125,7 +1125,7 @@ extension, is appended to "sysadmin". For example, mail for
 
 <h2> <a name="debugging"> Debugging your address manipulations </a> </h2>
 
-<p> With Postfix version 2.1 and later you can ask Postfix to
+<p> Postfix version 2.1 and later can
 produce mail delivery reports for debugging purposes. These reports
 not only show sender/recipient addresses after address rewriting
 and alias expansion or forwarding, they also show information about
diff --git a/postfix/html/DEBUG_README.html b/postfix/html/DEBUG_README.html
index fd648c484..48dea6687 100644
--- a/postfix/html/DEBUG_README.html
+++ b/postfix/html/DEBUG_README.html
@@ -113,7 +113,7 @@ configuration errors that could become a problem later. </p>
 
 <h2><a name="trace_mail">Debugging Postfix from inside</a> </h2>
 
-<p> With Postfix version 2.1 and later you can ask Postfix to
+<p> Postfix version 2.1 and later can
 produce mail delivery reports for debugging purposes. These reports
 not only show sender/recipient addresses after address rewriting
 and alias expansion or forwarding, they also show information about
diff --git a/postfix/html/master.8.html b/postfix/html/master.8.html
index 859474805..2d5242ec3 100644
--- a/postfix/html/master.8.html
+++ b/postfix/html/master.8.html
@@ -168,9 +168,13 @@ MASTER(8)                                                            MASTER(8)
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
-       /etc/postfix/<a href="postconf.5.html">main.cf</a>, global configuration file.
-       /etc/postfix/<a href="master.5.html">master.cf</a>, master server configuration file.
-       /var/spool/postfix/pid/master.pid, master lock file.
+       To expand the directory names below into their actual val-
+       ues, use the command "<b>postconf <a href="postconf.5.html#config_directory">config_directory</a></b>" etc.
+
+       $<a href="postconf.5.html#config_directory">config_directory</a>/<a href="postconf.5.html">main.cf</a>, global configuration file.
+       $<a href="postconf.5.html#config_directory">config_directory</a>/<a href="master.5.html">master.cf</a>, master server configuration file.
+       $<a href="postconf.5.html#queue_directory">queue_directory</a>/pid/master.pid, master lock file.
+       $<a href="postconf.5.html#data_directory">data_directory</a>/master.lock, master lock file.
 
 <b>SEE ALSO</b>
        <a href="qmgr.8.html">qmgr(8)</a>, queue manager
@@ -180,7 +184,7 @@ MASTER(8)                                                            MASTER(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/man/man8/master.8 b/postfix/man/man8/master.8
index bc20cda9d..3c50f9889 100644
--- a/postfix/man/man8/master.8
+++ b/postfix/man/man8/master.8
@@ -148,9 +148,17 @@ records, so that "smtpd" becomes, for example, "postfix/smtpd".
 .SH "FILES"
 .na
 .nf
-/etc/postfix/main.cf, global configuration file.
-/etc/postfix/master.cf, master server configuration file.
-/var/spool/postfix/pid/master.pid, master lock file.
+.ad
+.fi
+To expand the directory names below into their actual values,
+use the command "\fBpostconf config_directory\fR" etc.
+.na
+.nf
+
+$config_directory/main.cf, global configuration file.
+$config_directory/master.cf, master server configuration file.
+$queue_directory/pid/master.pid, master lock file.
+$data_directory/master.lock, master lock file.
 .SH "SEE ALSO"
 .na
 .nf
diff --git a/postfix/proto/ADDRESS_REWRITING_README.html b/postfix/proto/ADDRESS_REWRITING_README.html
index 3fef90643..94612cc16 100644
--- a/postfix/proto/ADDRESS_REWRITING_README.html
+++ b/postfix/proto/ADDRESS_REWRITING_README.html
@@ -1125,7 +1125,7 @@ extension, is appended to "sysadmin". For example, mail for
 
 <h2> <a name="debugging"> Debugging your address manipulations </a> </h2>
 
-<p> With Postfix version 2.1 and later you can ask Postfix to
+<p> Postfix version 2.1 and later can
 produce mail delivery reports for debugging purposes. These reports
 not only show sender/recipient addresses after address rewriting
 and alias expansion or forwarding, they also show information about
diff --git a/postfix/proto/DEBUG_README.html b/postfix/proto/DEBUG_README.html
index 2cb297249..180849597 100644
--- a/postfix/proto/DEBUG_README.html
+++ b/postfix/proto/DEBUG_README.html
@@ -113,7 +113,7 @@ configuration errors that could become a problem later. </p>
 
 <h2><a name="trace_mail">Debugging Postfix from inside</a> </h2>
 
-<p> With Postfix version 2.1 and later you can ask Postfix to
+<p> Postfix version 2.1 and later can
 produce mail delivery reports for debugging purposes. These reports
 not only show sender/recipient addresses after address rewriting
 and alias expansion or forwarding, they also show information about
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index a49411f2b..62cb2496a 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20080216"
+#define MAIL_RELEASE_DATE	"20080220"
 #define MAIL_VERSION_NUMBER	"2.6"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/master/Makefile.in b/postfix/src/master/Makefile.in
index 15a547777..6ab775d47 100644
--- a/postfix/src/master/Makefile.in
+++ b/postfix/src/master/Makefile.in
@@ -105,6 +105,7 @@ master.o: ../../include/myflock.h
 master.o: ../../include/mymalloc.h
 master.o: ../../include/open_lock.h
 master.o: ../../include/safe.h
+master.o: ../../include/set_eugid.h
 master.o: ../../include/stringops.h
 master.o: ../../include/sys_defs.h
 master.o: ../../include/vbuf.h
diff --git a/postfix/src/master/master.c b/postfix/src/master/master.c
index ed9f94277..4452fbdd6 100644
--- a/postfix/src/master/master.c
+++ b/postfix/src/master/master.c
@@ -130,9 +130,17 @@
 /*	The mail system name that is prepended to the process name in syslog
 /*	records, so that "smtpd" becomes, for example, "postfix/smtpd".
 /* FILES
-/*	/etc/postfix/main.cf, global configuration file.
-/*	/etc/postfix/master.cf, master server configuration file.
-/*	/var/spool/postfix/pid/master.pid, master lock file.
+/* .ad
+/* .fi
+/*	To expand the directory names below into their actual values,
+/*	use the command "\fBpostconf config_directory\fR" etc.
+/* .na
+/* .nf
+/*
+/*	$config_directory/main.cf, global configuration file.
+/*	$config_directory/master.cf, master server configuration file.
+/*	$queue_directory/pid/master.pid, master lock file.
+/*	$data_directory/master.lock, master lock file.
 /* SEE ALSO
 /*	qmgr(8), queue manager
 /*	verify(8), address verification
@@ -177,6 +185,7 @@
 #include <clean_env.h>
 #include <argv.h>
 #include <safe.h>
+#include <set_eugid.h>
 
 /* Global library. */
 
@@ -216,7 +225,9 @@ MAIL_VERSION_STAMP_DECLARE;
 int     main(int argc, char **argv)
 {
     static VSTREAM *lock_fp;
+    static VSTREAM *data_lock_fp;
     VSTRING *lock_path;
+    VSTRING *data_lock_path;
     off_t   inherited_limit;
     int     debug_me = 0;
     int     ch;
@@ -390,6 +401,7 @@ int     main(int argc, char **argv)
      * isn't locked.
      */
     lock_path = vstring_alloc(10);
+    data_lock_path = vstring_alloc(10);
     why = vstring_alloc(10);
 
     vstring_sprintf(lock_path, "%s/%s.pid", DEF_PID_DIR, var_procname);
@@ -407,8 +419,29 @@ int     main(int argc, char **argv)
 	msg_fatal("cannot update lock file %s: %m", vstring_str(lock_path));
     close_on_exec(vstream_fileno(lock_fp), CLOSE_ON_EXEC);
 
+    /*
+     * Lock down the Postfix-writable data directory.
+     */
+    vstring_sprintf(data_lock_path, "%s/%s.lock", var_data_dir, var_procname);
+    SAVE_AND_SET_EUGID(var_owner_uid, var_owner_gid);
+    data_lock_fp =
+	open_lock(vstring_str(data_lock_path), O_RDWR | O_CREAT, 0644, why);
+    RESTORE_SAVED_EUGID();
+    if (data_lock_fp == 0)
+	msg_fatal("open lock file %s: %s",
+		  vstring_str(data_lock_path), vstring_str(why));
+    vstream_fprintf(data_lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
+		    (unsigned long) var_pid);
+    if (vstream_fflush(data_lock_fp))
+	msg_fatal("cannot update lock file %s: %m", vstring_str(data_lock_path));
+    close_on_exec(vstream_fileno(data_lock_fp), CLOSE_ON_EXEC);
+
+    /*
+     * Clean up.
+     */
     vstring_free(why);
     vstring_free(lock_path);
+    vstring_free(data_lock_path);
 
     /*
      * Optionally start the debugger on ourself.
@@ -440,6 +473,9 @@ int     main(int argc, char **argv)
 	if (myflock(vstream_fileno(lock_fp), INTERNAL_LOCK,
 		    MYFLOCK_OP_EXCLUSIVE) < 0)
 	    msg_fatal("refresh exclusive lock: %m");
+	if (myflock(vstream_fileno(data_lock_fp), INTERNAL_LOCK,
+		    MYFLOCK_OP_EXCLUSIVE) < 0)
+	    msg_fatal("refresh exclusive lock: %m");
 #endif
 	watchdog_start(watchdog);		/* same as trigger servers */
 	event_loop(-1);