From: Wietse Venema Date: Sun, 19 Apr 2009 05:00:00 +0000 (-0500) Subject: postfix-2.7-20090419 X-Git-Tag: v2.7.0-RC1~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb8f952a0ec799f752c17e7d8b0888ac62d9d361;p=thirdparty%2Fpostfix.git postfix-2.7-20090419
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 58f8574a1..3e37c9612 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15133,3 +15133,14 @@ Apologies for any names omitted.
 xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c. More postlink fixes. File: mantools/postlink.
+
+20090419
+
+ Bugfix: don't re-enable SIGHUP if it is ignored in the
+ parent. This may cause random "Postfix integrity check
+ failed" errors at boot time (POSIX SIGHUP death), causing
+ Postfix not to start. We duplicate code from postdrop and
+ thus avoid past mistakes. File: postsuper/postsuper.c.
+
+ Robustness: don't re-enable SIGTERM if it is ignored in the
+ parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html
index 5589058d0..4ce64ec8b 100644
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@@ -183,13 +183,13 @@ PIPE(8) PIPE(8)
 by naive software. For example, when the pipe(8) daemon executes a command such as:
- command -f$sender -- $recipient (bad)
+ Wrong: command -f$sender -- $recipient
 the command will mis-parse the -f option value when the sender address is a null string. For correct parsing, specify $sender as an argument by itself:
- command -f $sender -- $recipient (good)
+ Right: command -f $sender -- $recipient
 This feature is available as of Postfix 2.3.
diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8
index 527bd404c..474899745 100644
--- a/postfix/man/man8/pipe.8
+++ b/postfix/man/man8/pipe.8
@@ -170,7 +170,7 @@ naive software. For example, when the \fBpipe\fR(8) daemon
 executes a command such as:
 .sp
 .nf
- command -f$sender -- $recipient (\fIbad\fR)
+ \fIWrong\fR: command -f$sender -- $recipient
 .fi
 .IP
 the command will mis-parse the -f option value when the
@@ -178,7 +178,7 @@ sender address is a null string. For correct parsing,
 specify \fB$sender\fR as an argument by itself:
 .sp
 .nf
- command -f $sender -- $recipient (\fIgood\fR)
+ \fIRight\fR: command -f $sender -- $recipient
 .fi
 .IP
 This feature is available as of Postfix 2.3.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 2cca4f695..7a9b37f19 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20090418"
+#define MAIL_RELEASE_DATE "20090419"
 #define MAIL_VERSION_NUMBER "2.7"
 #ifdef SNAPSHOT
diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c
index a17ba7f63..e9def71da 100644
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -160,7 +160,7 @@
 /* executes a command such as:
 /* .sp
 /* .nf
-/* command -f$sender -- $recipient (\fIbad\fR)
+/* \fIWrong\fR: command -f$sender -- $recipient
 /* .fi
 /* .IP
 /* the command will mis-parse the -f option value when the
@@ -168,7 +168,7 @@
 /* specify \fB$sender\fR as an argument by itself:
 /* .sp
 /* .nf
-/* command -f $sender -- $recipient (\fIgood\fR)
+/* \fIRight\fR: command -f $sender -- $recipient
 /* .fi
 /* .IP
 /* This feature is available as of Postfix 2.3.
diff --git a/postfix/src/postdrop/postdrop.c b/postfix/src/postdrop/postdrop.c
index 8a3c7c2a0..a2fdc7355 100644
--- a/postfix/src/postdrop/postdrop.c
+++ b/postfix/src/postdrop/postdrop.c
@@ -340,7 +340,8 @@ int main(int argc, char **argv)
 signal(SIGINT, postdrop_sig);
 signal(SIGQUIT, postdrop_sig);
- signal(SIGTERM, postdrop_sig);
+ if (signal(SIGTERM, SIG_IGN) == SIG_DFL)
+ signal(SIGTERM, postdrop_sig);
 if (signal(SIGHUP, SIG_IGN) == SIG_DFL)
 signal(SIGHUP, postdrop_sig);
 msg_cleanup(postdrop_cleanup);
diff --git a/postfix/src/postsuper/postsuper.c b/postfix/src/postsuper/postsuper.c
index 088df7652..7b6ea74f5 100644
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@@ -974,11 +974,17 @@ static void interrupted(int sig)
 /*
 * This commands requires root privileges. We therefore do not worry
 * about hostile signals, and report problems via msg_warn().
+ *
+ * We use the in-kernel SIGINT handler address as an atomic variable to
+ * prevent nested interrupted() calls. For this reason, main() must
+ * configure interrupted() as SIGINT handler before other signal handlers
+ * are allowed to invoke interrupted(). See also similar code in
+ * postdrop.
 */
- if (signal(SIGHUP, SIG_IGN) != SIG_IGN) {
- (void) signal(SIGINT, SIG_IGN);
+ if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
 (void) signal(SIGQUIT, SIG_IGN);
 (void) signal(SIGTERM, SIG_IGN);
+ (void) signal(SIGHUP, SIG_IGN);
 if (inode_mismatch > 0 || inode_fixed > 0 || position_mismatch > 0)
 msg_warn("OPERATION INCOMPLETE -- RERUN COMMAND TO FIX THE QUEUE FIRST");
 if (sig)
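Review bot: Probing the inherited disposition with `signal(SIGTERM, SIG_IGN)` leaves SIGTERM ignored until the follow-up `signal(SIGTERM, postdrop_sig)` runs, so a SIGTERM that arrives between the two calls is discarded instead of reaching postdrop_sig; the existing SIGHUP pair below it and both pairs in the postsuper main() hunk have the same gap. Reading the disposition without changing it closes the gap: `struct sigaction old;` followed by `if (sigaction(SIGTERM, (struct sigaction *) 0, &old) == 0 && old.sa_handler == SIG_DFL) signal(SIGTERM, postdrop_sig);`. The window is short, so this is a robustness point rather than a correctness bug. main() starts and ends outside the hunk.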
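Review bot: The comment added to interrupted() covers nested handler calls only; it does not say what happens when a signal arrives while the main flow is itself inside a msg_*() call and the handler then calls `msg_warn()`. If msg_warn() is not async-signal-safe (its implementation is not visible here), that re-entry is outside what the SIGINT guard protects. The comment would be more accurate with one more sentence, for example `* The guard does not protect a msg_warn() call that is already in progress in the main flow.` The function body continues past `if (sig)`, outside the hunk.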
@@ -1175,11 +1181,20 @@ int main(int argc, char **argv)
 *
 * Set up signal handlers after permanently dropping super-user privileges,
 * so that signal handlers will always run with the correct privileges.
+ *
+ * XXX Don't enable SIGHUP or SIGTERM if it was ignored by the parent.
+ *
+ * interrupted() uses the in-kernel SIGINT handler address as an atomic
+ * variable to prevent nested interrupted() calls. For this reason, the
+ * SIGINT handler must be configured before other signal handlers are
+ * allowed to invoke interrupted(). See also similar code in postdrop.
 */
- signal(SIGHUP, interrupted);
 signal(SIGINT, interrupted);
 signal(SIGQUIT, interrupted);
- signal(SIGTERM, interrupted);
+ if (signal(SIGTERM, SIG_IGN) == SIG_DFL)
+ signal(SIGTERM, interrupted);
+ if (signal(SIGHUP, SIG_IGN) == SIG_DFL)
+ signal(SIGHUP, interrupted);
 msg_cleanup(fatal_warning);
 /*
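Review bot: The new `XXX Don't enable SIGHUP or SIGTERM if it was ignored by the parent.` line states the rule but not the reason, which at present is recorded only in the HISTORY entry. I would carry the reason into the comment, for example `* A parent that ignores SIGHUP expects its children to survive it; re-enabling it here caused "Postfix integrity check failed" errors at boot time.` It would also help to say in the same comment that SIGINT and SIGQUIT are installed unconditionally on purpose, since interrupted() depends on SIGINT being handled. main() begins and ends outside the hunk.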