* [pmg-devel] [PATCH pmg-api 1/3] dbtools: grant permissions public schema for created databases
2023-06-23 12:20 [pmg-devel] [PATCH pmg-api/gui] perparations and breaking changes Dominik Csapak
@ 2023-06-23 12:21 ` Dominik Csapak
2023-06-26 8:47 ` Stoiko Ivanov
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 2/3] config: disable awl and bayes by default Dominik Csapak
` (3 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Dominik Csapak @ 2023-06-23 12:21 UTC (permalink / raw)
To: pmg-devel
since postgres 15, the public schema is not world writeable anymore for
security reasons. In our environment, where the db is not externally
reachable and no database users should exist except the ones we create,
we can safely give the permissions again to be able to use
the root/www-data user without modification of the remaining
code/privileges for postgres.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PMG/DBTools.pm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/PMG/DBTools.pm b/src/PMG/DBTools.pm
index 0b37361..f8eb054 100644
--- a/src/PMG/DBTools.pm
+++ b/src/PMG/DBTools.pm
@@ -344,6 +344,14 @@ my $createdb = sub {
'--lc-ctype=C',
$dbname,
);
+
+ # allow root and www-data to access the public SCHEMA like pre prostgres15
+ # this is not a security issue, since the db is not externally reachable anyway and no
+ # other users should exist
+ my $cmd = "GRANT CREATE ON SCHEMA public To \"root\";"
+ ."GRANT USAGE ON SCHEMA public To \"root\";"
+ ."GRANT CREATE ON SCHEMA public To \"www-data\";"
+ ."GRANT USAGE ON SCHEMA public To \"www-data\";";
};
sub create_ruledb {
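Review bot: `$cmd` is assigned in the last added lines, but nothing between that assignment and the closing `};` executes it, so the four GRANT statements never reach the database and the schema permissions stay as postgres 15 sets them. Run the statements against the newly created `$dbname` and check the result, so that a failed GRANT aborts database creation instead of surfacing later as a permission error in code running as root or www-data. The added code comment also misspells the version as "prostgres15".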
--
2.30.2
* Re: [pmg-devel] [PATCH pmg-api 1/3] dbtools: grant permissions public schema for created databases
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 1/3] dbtools: grant permissions public schema for created databases Dominik Csapak
@ 2023-06-26 8:47 ` Stoiko Ivanov
0 siblings, 0 replies; 11+ messages in thread
From: Stoiko Ivanov @ 2023-06-26 8:47 UTC (permalink / raw)
To: Dominik Csapak; +Cc: pmg-devel
Thanks for the patch!
On Fri, 23 Jun 2023 14:21:00 +0200
Dominik Csapak <d.csapak@proxmox.com> wrote:
> since postgres 15, the public schema is not world writeable anymore for
> security reasons. In our environment, where the db is not externally
> reachable and no database users should exist except the ones we create,
> we can safely give the permissions again to be able to use
> the root/www-data user without modification of the remaining
> code/privileges for postgres.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> src/PMG/DBTools.pm | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/PMG/DBTools.pm b/src/PMG/DBTools.pm
> index 0b37361..f8eb054 100644
> --- a/src/PMG/DBTools.pm
> +++ b/src/PMG/DBTools.pm
> @@ -344,6 +344,14 @@ my $createdb = sub {
> '--lc-ctype=C',
> $dbname,
> );
> +
> + # allow root and www-data to access the public SCHEMA like pre prostgres15
> + # this is not a security issue, since the db is not externally reachable anyway and no
> + # other users should exist
> + my $cmd = "GRANT CREATE ON SCHEMA public To \"root\";"
> + ."GRANT USAGE ON SCHEMA public To \"root\";"
> + ."GRANT CREATE ON SCHEMA public To \"www-data\";"
> + ."GRANT USAGE ON SCHEMA public To \"www-data\";";
> };
the command is placed in a variable, but never actually called?
looking through DBTools - it might be a better fit to declare
a sub create_user, and put the `createuser` invocation as well as the
GRANT sql commands there - but the separate sub is only a suggestion.
>
> sub create_ruledb {
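Review bot: the last two GRANT lines give "www-data" CREATE on the public schema, and the code comment justifies that only by the database not being externally reachable, which says nothing about why the web-server user needs to create objects. If www-data only reads and writes existing tables, grant it USAGE alone and keep CREATE for "root"; if it does need CREATE, name the code path that requires it in the comment. The commit message describes only the loss of write access to the schema, so it should also say why the USAGE grants are needed.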
* [pmg-devel] [PATCH pmg-api 2/3] config: disable awl and bayes by default
2023-06-23 12:20 [pmg-devel] [PATCH pmg-api/gui] perparations and breaking changes Dominik Csapak
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 1/3] dbtools: grant permissions public schema for created databases Dominik Csapak
@ 2023-06-23 12:21 ` Dominik Csapak
2023-06-26 13:21 ` [pmg-devel] applied: " Thomas Lamprecht
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 3/3] config: disable advanced statistic filters " Dominik Csapak
` (2 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Dominik Csapak @ 2023-06-23 12:21 UTC (permalink / raw)
To: pmg-devel
Since most often they don't help in a default setup without manually
training with many examples.
Note that this is a breaking change, and a config rewrite will
trigger a deletion of bayes and awl databases.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PMG/Config.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 20afd71..dc28c02 100755
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -177,12 +177,12 @@ sub properties {
use_bayes => {
description => "Whether to use the naive-Bayesian-style classifier.",
type => 'boolean',
- default => 1,
+ default => 0,
},
use_awl => {
description => "Use the Auto-Whitelist plugin.",
type => 'boolean',
- default => 1,
+ default => 0,
},
use_razor => {
description => "Whether to use Razor2, if it is available.",
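Review bot: both `default => 0` lines change behaviour for every installation that never set `use_bayes` or `use_awl` explicitly, and per the commit message a config rewrite then deletes the bayes and awl databases, yet neither `description` string mentions the new default or that consequence. Document it where an administrator will see it (the option descriptions or the upgrade notes), and consider writing the previous value into the config on upgrade so that trained databases are not removed without an explicit decision.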
--
2.30.2
* [pmg-devel] [PATCH pmg-api 3/3] config: disable advanced statistic filters by default
2023-06-23 12:20 [pmg-devel] [PATCH pmg-api/gui] perparations and breaking changes Dominik Csapak
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 1/3] dbtools: grant permissions public schema for created databases Dominik Csapak
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 2/3] config: disable awl and bayes by default Dominik Csapak
@ 2023-06-23 12:21 ` Dominik Csapak
2023-06-26 13:21 ` [pmg-devel] applied: " Thomas Lamprecht
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-gui 1/2] configuration: options: adapt to new advanced statistic filter default Dominik Csapak
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-gui 2/2] spam: options: adapt do new defaults for bayes/awl Dominik Csapak
4 siblings, 1 reply; 11+ messages in thread
From: Dominik Csapak @ 2023-06-23 12:21 UTC (permalink / raw)
To: pmg-devel
If the (documented) behaviour is not known, it is rather unexpected and
confusing. So disable by default.
Note that this is a breaking change, since enabling them is just a
config switch, it shouldn't be much of a problem.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PMG/Config.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index dc28c02..fe89e11 100755
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -72,7 +72,7 @@ If this is enabled, the receiver statistic are limited to active ones
statistic will not contain these active receivers.
EODESC
type => 'boolean',
- default => 1,
+ default => 0,
},
dailyreport => {
description => "Send daily reports.",
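Review bot: the `default => 0` line comes with no upgrade handling, so installations that relied on the implicit default of 1 will see different receiver statistics after the update without any change to their config. The option name is not visible in the hunk or the commit message; naming it in the commit message and in the release notes would let administrators find the switch that restores the old behaviour.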
--
2.30.2
* [pmg-devel] [PATCH pmg-gui 1/2] configuration: options: adapt to new advanced statistic filter default
2023-06-23 12:20 [pmg-devel] [PATCH pmg-api/gui] perparations and breaking changes Dominik Csapak
` (2 preceding siblings ...)
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-api 3/3] config: disable advanced statistic filters " Dominik Csapak
@ 2023-06-23 12:21 ` Dominik Csapak
2023-06-26 13:27 ` [pmg-devel] applied: " Thomas Lamprecht
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-gui 2/2] spam: options: adapt do new defaults for bayes/awl Dominik Csapak
4 siblings, 1 reply; 11+ messages in thread
From: Dominik Csapak @ 2023-06-23 12:21 UTC (permalink / raw)
To: pmg-devel
default in the backend is now false
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
js/SystemOptions.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/SystemOptions.js b/js/SystemOptions.js
index 675dde4..7a22e1a 100644
--- a/js/SystemOptions.js
+++ b/js/SystemOptions.js
@@ -67,7 +67,7 @@ Ext.define('PMG.SystemOptions', {
{ defaultValue: 1 });
me.add_boolean_row('advfilter', gettext('Use advanced statistic filters'),
- { defaultValue: 1 });
+ { defaultValue: 0 });
me.add_integer_row('statlifetime', gettext('User statistic lifetime (days)'),
{ minValue: 1, defaultValue: 7, deleteEmpty: true });
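Review bot: `{ defaultValue: 0 }` for `advfilter` hard-codes a copy of the backend default, so the GUI is only correct against a pmg-api that already carries the matching Config.pm change. State the required pmg-api version in the commit message or the package dependency, otherwise a GUI running against an older backend shows the option as disabled while the backend still treats an unset value as enabled.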
--
2.30.2
* [pmg-devel] [PATCH pmg-gui 2/2] spam: options: adapt do new defaults for bayes/awl
2023-06-23 12:20 [pmg-devel] [PATCH pmg-api/gui] perparations and breaking changes Dominik Csapak
` (3 preceding siblings ...)
2023-06-23 12:21 ` [pmg-devel] [PATCH pmg-gui 1/2] configuration: options: adapt to new advanced statistic filter default Dominik Csapak
@ 2023-06-23 12:21 ` Dominik Csapak
2023-06-26 13:27 ` [pmg-devel] applied: " Thomas Lamprecht
4 siblings, 1 reply; 11+ messages in thread
From: Dominik Csapak @ 2023-06-23 12:21 UTC (permalink / raw)
To: pmg-devel
both options default to false now in the backend
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
js/SpamDetectorOptions.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/js/SpamDetectorOptions.js b/js/SpamDetectorOptions.js
index 58eaee9..ccfff96 100644
--- a/js/SpamDetectorOptions.js
+++ b/js/SpamDetectorOptions.js
@@ -8,10 +8,10 @@ Ext.define('PMG.SpamDetectorOptions', {
var me = this;
me.add_boolean_row('use_awl', gettext('Use auto-whitelists'),
- { defaultValue: 1 });
+ { defaultValue: 0 });
me.add_boolean_row('use_bayes', gettext('Use Bayesian filter'),
- { defaultValue: 1 });
+ { defaultValue: 0 });
me.add_boolean_row('rbl_checks', gettext('Use RBL checks'),
{ defaultValue: 1 });
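Review bot: with `{ defaultValue: 0 }` on the `use_awl` and `use_bayes` rows, an unset option is now displayed as disabled, but the labels give no hint of what patch 2/3 describes as the consequence, namely that a config rewrite deletes the bayes and awl databases. A short note in the row label or the linked documentation would keep an administrator from losing trained data by leaving or resetting these options to their default.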
--
2.30.2