On Apr 20, 2007, at 9:26 PM, Paul Schmehl wrote:
--On April 20, 2007 7:54:45 PM -0500 Jeffrey Goldberg
<[EMAIL PROTECTED]> wrote:
So the first fix (modifying the owner of data/aliases{,.db}) is the
right way to go, but instead of making those files owned by "nobody"
(which does seem dangerous because then anything running as "nobody"
could change those files) they should be owned by root with mailman as
the group and permissions like 664.
Nobody is an unprivileged user.
Thank you. I forgot about that. I was treating "nobody" like "www"
or "mail". It entirely slipped my mind that "nobody" really is
different.
it would break the ownership of the aliases file so that we would have
the mismatch between what the uid postfix gives the wrapper
("mailman") and what the wrapper demands ("nobody").
Nope. I've been running mailman for years now, and it works
perfectly fine. The owner of the data directory is mailman, and
the group is mailman.
ls -lsa /usr/local/mailman/data/
total 132
2 drwxrwsr-x 2 mailman mailman 512 Apr 7 19:47 .
2 drwxrwsr-x 20 mailman mailman 512 Nov 28 17:48 ..
48 -rw-r--r-- 1 mailman mailman 65536 Sep 6 2005 .db
2 -rw-r----- 1 mailman mailman 41 Sep 6 2005 adm.pw
6 -rw-r--r-- 1 root mailman 4383 Oct 14 2005 aliases
4 -rw-r----- 1 mailman mailman 3984 Sep 8 2005 aliases.bak
48 -rw-r----- 1 mailman mailman 49152 May 5 2006 aliases.db
0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005 bounce-events-00446.pck
0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005 bounce-events-00449.pck
0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005 bounce-events-00467.pck
0 -rw-rw-rw- 1 mailman mailman 0 Jan 27 2006 bounce-events-00567.pck
0 -rw-rw-rw- 1 mailman mailman 0 Oct 13 2005 bounce-events-38840.pck
2 -rw-r----- 1 mailman mailman 41 Sep 6 2005 creator.pw
2 -rw-r--r-- 1 root mailman 10 Nov 28 17:48 last_mailman_version
2 -rw-rw---- 1 mailman mailman 4 Apr 1 08:31 master-qrunner.pid
14 -rw-r--r-- 1 root mailman 14114 Nov 28 17:48 sitelist.cfg
I am fairly confident that if that is working for you, then you are
not running with /usr/local/mailman/mail/mailman that was compiled
with the current port with the postfix option set. The binary
mailman has a gid compiled into it, given the current port
WITH_POSTFIX.
Installing the current port WITH_POSTFIX will produce a mailman
binary which will only allow itself to be run by "nobody". Yours
must have "mailman" compiled in where "nobody" is in what I (and
David) get.
[EMAIL PROTECTED] /usr/local/mailman/mail]$ strings mailman | tail
leave
post
owner
request
unsubscribe
Mailman mail-wrapper
nobody
Illegal command: %s
Usage: %s program [args...]
$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.6 2005/05/19 07:31:06 dfr Exp $
What is your result on your system? If you get "mailman" where I
have "nobody" then one of my earlier suggestions (change MAIL_GID for
the postfix setting from "nobody" to "mailman" in the port Makefile)
may be the right thing. That is what is most consistent with the
mailman install instructions.
From /usr/local/share/doc/mailman/mailman-install.txt
In section 6.1.1 Integrating Postfix and Mailman
* When you configure Mailman, use the --with-mail-gid=mailman switch;
However, the current ports Makefile compiles mailman --with-mail-gid=nobody
The same section also says
Make sure that the owner of the data/aliases and data/aliases.db
file is mailman, that the group owner for those files is mailman,
or whatever user and group you used in the configure command, and
that both files are group writable:
% su
% chown mailman:mailman data/aliases*
% chmod g+w data/aliases*
It is the *group* that matters to postfix, *not* the owner. Per
the pkg-message file:
Mailman has been installed, but requires further configuration
before use!
You will have to configure both your MTA (mail server) and web server to
integrate with Mailman. If the port's documentation has been installed,
extensive post-installation instructions may be found in:
%%DOCSDIR%%/FreeBSD-post-install-notes
Note (1): If you use an alternate (non-Sendmail) MTA, you MUST be sure
that the correct value of MAIL_GID was used when this port or package
was built. Performing a "make options" in the Mailman port directory
will list required values for various mail servers.
Note that MAIL_GID is what matters. That is the *group* not the
owner of the files. Note also that the group only has read rights
to the aliases file, although it does have read/write access to the
bounce-events files.
However it is the owner of the file containing the pipe alias that
matters to postfix local deliveries. See local(8).
So maybe the problem is with check_perms and not with the port at all
(well the port would still need to get the aliases files owned by
root).
There's nothing at all wrong with the check_perms script.
I am coming to that conclusion. I now think that my second
suggestion of changing the ports Makefile to set MAIL_GID to mailman
instead of nobody when configuring for postfix is the correct
direction to go.
mailman owns the aliases db for mailman:
ls -lsa /usr/local/mailman/data/aliases*
6 -rw-r--r-- 1 root mailman 4383 Oct 14 2005 /usr/local/mailman/data/aliases
4 -rw-r----- 1 mailman mailman 3984 Sep 8 2005 /usr/local/mailman/data/aliases.bak
48 -rw-r----- 1 mailman mailman 49152 May 5 2006 /usr/local/mailman/data/aliases.db
And this is a working setup of mailman and postfix that's been
running for years.
But I don't believe that that set-up will work with the configure
options that get passed for compiling mailman with the current port.
PORTNAME= mailman
DISTVERSION= 2.1.9
PORTREVISION= 1
CATEGORIES?= mail
Thus, with a bit more confidence than before, I present the same
Makefile diff I recommend:
--- Makefile.orig Fri Apr 20 14:17:08 2007
+++ Makefile Fri Apr 20 23:57:22 2007
@@ -7,7 +7,7 @@
PORTNAME= mailman
DISTVERSION= 2.1.9
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES?= mail
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} \
http://www.list.org/
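Review bot: the PORTREVISION bump from 1 to 2 is the right call here because, as the thread notes, the MAIL_GID value is compiled into the /usr/local/mailman/mail/mailman wrapper, so only a rebuilt package picks up the new group; it would help to pair the bump with a line in pkg-message telling postfix users to re-check that data/aliases and data/aliases.db are group mailman and group writable (chown mailman:mailman data/aliases*; chmod g+w data/aliases*) after upgrading, since a wrapper rebuilt for group "mailman" will refuse deliveries from an alias setup that still hands it group "nobody".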
@@ -88,7 +88,7 @@
.if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined(WITH_EXIM4)
BROKEN= choose only one MTA integration
.endif
-MAIL_GID?= nobody
+MAIL_GID?= mailman
.endif
.if defined(WITH_CHINESE)
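Review bot: changing the default to `MAIL_GID?= mailman` inside this block (the postfix branch, per the discussion) matches the --with-mail-gid=mailman advice in mailman-install.txt, but because it is a `?=` assignment any user who previously pinned MAIL_GID=nobody in make.conf or on the command line silently keeps the old value, so the pkg-message Note (1) that tells users to confirm MAIL_GID via "make options" should be updated to state that the postfix default is now mailman, and the "make options" listing of required values per mail server should be checked so it no longer advertises nobody for postfix.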
Cheers,
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
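A small diagnostic that automates the two things the thread reads by hand, the group compiled into the mail wrapper and the owner/group of data/aliases*, added here as an example and not part of the thread or the port. It assumes, as in the strings output above, that the compiled-in group is the printable string that follows "Mailman mail-wrapper"; the fixture directory it builds is constructed, and on a real host ROOT would be /usr/local/mailman.

```shell
#!/bin/sh
# Constructed fixture: a fake "mailman" wrapper (a text file carrying the same
# printable strings the thread's `strings mailman | tail` showed) plus an empty
# data/ directory. On a real host point ROOT at /usr/local/mailman instead.
ROOT="${TMPDIR:-/tmp}/mailman-gidcheck.$$"
mkdir -p "$ROOT/mail" "$ROOT/data"
printf 'Mailman mail-wrapper\000nobody\000Illegal command: %%s\000' > "$ROOT/mail/mailman"
: > "$ROOT/data/aliases"
: > "$ROOT/data/aliases.db"
trap 'rm -rf "$ROOT"' EXIT

# Group compiled into the wrapper (the port's MAIL_GID). Assumption, taken from
# the strings output in the thread: it is the printable string right after
# "Mailman mail-wrapper". tr stands in for strings(1) so binutils is not needed.
wrapper_group() {
    tr -c '[:print:]' '\n' < "$1" |
        awk '/^Mailman mail-wrapper$/ { if ((getline g) > 0) print g; exit }'
}

# Owner and group of a file from ls -ld (portable; stat flags differ per OS).
file_owner() { ls -ld "$1" | awk '{ print $3 }'; }
file_group() { ls -ld "$1" | awk '{ print $4 }'; }

# Compare what the wrapper demands with how data/aliases* are actually owned.
# Prints one line per file; returns 0 when every file's group matches the
# compiled-in group, 1 on any mismatch, 2 if no compiled-in group was found.
check_mailman_gid() {
    want=$(wrapper_group "$1/mail/mailman")
    [ -n "$want" ] || { echo "no compiled-in group found in $1/mail/mailman"; return 2; }
    rc=0
    for f in "$1/data/aliases" "$1/data/aliases.db"; do
        have=$(file_group "$f")
        if [ "$have" = "$want" ]; then
            echo "ok: $f is $(file_owner "$f"):$have, wrapper expects group $want"
        else
            echo "mismatch: $f is $(file_owner "$f"):$have, wrapper expects group $want"
            rc=1
        fi
    done
    return $rc
}

check_mailman_gid "$ROOT" || echo "exit status $?"
```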
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "[EMAIL PROTECTED]"