From owner-freebsd-ports@FreeBSD.ORG  Mon Apr 23 13:04:14 2007
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
X-Original-To: ports@freebsd.org
Delivered-To: freebsd-ports@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 3B6EB16A401
	for <ports@freebsd.org>; Mon, 23 Apr 2007 13:04:14 +0000 (UTC)
	(envelope-from jmelo@freebsdbrasil.com.br)
Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br
	[200.210.70.30])
	by mx1.freebsd.org (Postfix) with SMTP id DEBCE13C457
	for <ports@freebsd.org>; Mon, 23 Apr 2007 13:04:12 +0000 (UTC)
	(envelope-from jmelo@freebsdbrasil.com.br)
Received: (qmail 39732 invoked by uid 0); 23 Apr 2007 10:10:56 -0300
Received: from jmelo@freebsdbrasil.com.br by capeta.freebsdbrasil.com.br by
	uid 82 with qmail-scanner-1.22 
	(spamassassin: 2.64.  Clear:RC:1(201.58.85.51):. 
	Processed in 1.226831 secs); 23 Apr 2007 13:10:56 -0000
Received: from unknown (HELO ?10.69.69.66?) (jmelo@201.58.85.51)
	by capeta.freebsdbrasil.com.br with SMTP; 23 Apr 2007 10:10:54 -0300
Message-ID: <462CAEC0.2020005@freebsdbrasil.com.br>
Date: Mon, 23 Apr 2007 10:04:00 -0300
From: Jean Milanez Melo <jmelo@freebsdbrasil.com.br>
User-Agent: Thunderbird 1.5.0.10 (Macintosh/20070221)
MIME-Version: 1.0
To: Jeffrey Goldberg <jeffrey@goldmark.org>
References: <200704200842.48793.david@vizion2000.net>
	<CA436D2A-08D1-4CC9-B300-7FF4E7F929F0@goldmark.org>
	<94592079D5FE1208BC6F7D03@utd59514.utdallas.edu>
	<F7A906EA-FA63-42C2-8E42-20F0B575A810@goldmark.org>
	<DB6C056281A25168ECD2A048@utd59514.utdallas.edu>
	<A6A80B58-976B-4C70-BD05-712EBA601B00@goldmark.org>
	<241A5B7DB4C2BB1A9FE54C99@paul-schmehls-powerbook59.local>
	<2D8F0EEC-CA1A-403E-8799-8E6D27C11475@goldmark.org>
In-Reply-To: <2D8F0EEC-CA1A-403E-8799-8E6D27C11475@goldmark.org>
X-Enigmail-Version: 0.94.3.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: ports@freebsd.org, Paul Schmehl <pauls@utdallas.edu>,
	List_Mailman Org <mailman-users@python.org>
Subject: Re: Mailman GID problem
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2007 13:04:14 -0000

Jeffrey Goldberg wrote:
> On Apr 20, 2007, at 9:26 PM, Paul Schmehl wrote:
> 
>> --On April 20, 2007 7:54:45 PM -0500 Jeffrey Goldberg
>> <jeffrey@goldmark.org> wrote:
> 
>>> So the first fix (modifying the owner of data/aliases{,.db}) is the
>>> right way to go, but instead of making those files owned by "nobody"
>>> (which does seem dangerous because than anything running as "nobody"
>>> could change those file) they should be owned by root with mailman as
>>> the group and permissions like 664.
>>>
>> Nobody is an unprivileged user.
> 
> Thank you.  I forgot about that.  I was treating "nobody" like "www" or
> "mail".  It entirely slipped my mind that "nobody" really is different.
> 
>>> it would break to ownership of the aliases file so that we would have
>>> the mismatch between what the uid postfix gives the the wrapper
>>> ("mailman") and what the wrapper demands ("nobody").
>>>
>> Nope.  I've been running mailman for years now, and it works perfectly
>> fine.  The owner of the data directory is mailman, and the group is
>> mailman.
>> ls -lsa /usr/local/mailman/data/
>> total 132
>> 2 drwxrwsr-x   2 mailman  mailman    512 Apr  7 19:47 .
>> 2 drwxrwsr-x  20 mailman  mailman    512 Nov 28 17:48 ..
>> 48 -rw-r--r--   1 mailman  mailman  65536 Sep  6  2005 .db
>> 2 -rw-r-----   1 mailman  mailman     41 Sep  6  2005 adm.pw
>> 6 -rw-r--r--   1 root     mailman   4383 Oct 14  2005 aliases
>> 4 -rw-r-----   1 mailman  mailman   3984 Sep  8  2005 aliases.bak
>> 48 -rw-r-----   1 mailman  mailman  49152 May  5  2006 aliases.db
>> 0 -rw-rw-rw-   1 mailman  mailman      0 Sep  9  2005
>> bounce-events-00446.pck
>> 0 -rw-rw-rw-   1 mailman  mailman      0 Sep  9  2005
>> bounce-events-00449.pck
>> 0 -rw-rw-rw-   1 mailman  mailman      0 Sep  9  2005
>> bounce-events-00467.pck
>> 0 -rw-rw-rw-   1 mailman  mailman      0 Jan 27  2006
>> bounce-events-00567.pck
>> 0 -rw-rw-rw-   1 mailman  mailman      0 Oct 13  2005
>> bounce-events-38840.pck
>> 2 -rw-r-----   1 mailman  mailman     41 Sep  6  2005 creator.pw
>> 2 -rw-r--r--   1 root     mailman     10 Nov 28 17:48
>> last_mailman_version
>> 2 -rw-rw----   1 mailman  mailman      4 Apr  1 08:31 master-qrunner.pid
>> 14 -rw-r--r--   1 root     mailman  14114 Nov 28 17:48 sitelist.cfg
> 
> I am fairly confident that if that is working for you, than you are not
> running with /usr/local/mailman/mail/mailman that was compiled with the
> current port with the postfix option set.  The binary mailman has a gid
> compiled into it.  Given the current port WITH_POSTFIX.
> 
> Installing the current port WITH_POSTFIX will produce a mailman binary
> which will only allow itself to be run by "nobody".  Yours must have
> "mailman" compiled in where "nobody" is in what I (and David) get.
> 
> [jeffrey@dobby /usr/local/mailman/mail]$ strings mailman | tail
> leave
> post
> owner
> request
> unsubscribe
> Mailman mail-wrapper
> nobody
> Illegal command: %s
> Usage: %s program [args...]
> $FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.6 2005/05/19 07:31:06 dfr Exp $
> 
> 
> What is your result on your system?  If you get "mailman" where I have
> "nobody" then one of my earlier suggestions (change MAIL_GID for the
> postfix setting from "nobody" to "mailman" in the port Makefile) may be
> the right thing.  That is what is most consistent with the mailman
> install instructions.
> 
> From /usr/local/share/doc/mailman/mailman-install.txt
> 
>  In section  6.1.1 Integrating Postfix and Mailman
> 
> 
>    * When you configure Mailman, use the --with-mail-gid=mailman
>      switch;
> 
> However, the current ports Makefile compiles mailman --with-mail-gid=nobody
> 
> The same section also says
> 
>        Make sure that the owner of the data/aliases and data/aliases.db
>        file is mailman, that the group owner for those files is mailman,
>        or whatever user and group you used in the configure command, and
>        that both files are group writable:
>        % su
>        % chown mailman:mailman data/aliases*
>        % chmod g+w data/aliases*
> 
>>
>> It is the *group* that matters to postfix, *not* the owner.  Per the
>> pkg-message file:
>> Mailman has been installed, but requires further configuration before
>> use!
>>
>> You will have to configure both your MTA (mail server) and web server to
>> integrate with Mailman.  If the port's documentation has been installed,
>> extensive post-installation instructions may be found in:
>>
>>  %%DOCSDIR%%/FreeBSD-post-install-notes
>>
>> Note (1):  If you use an alternate (non-Sendmail) MTA, you MUST be sure
>> that the correct value of MAIL_GID was used when this port or package
>> was built.  Performing a "make options" in the Mailman port directory
>> will list required values for various mail servers.
>>
>> Note that MAIL_GID is what matters.  That is the *group* not the owner
>> of the files.  Note also that the group only has read writes to the
>> aliases file, although it does have read/write access to the
>> bounce-events files.
> 
> However it is the owner of the file containing the pipe alias that
> matters to postfix local deliveries.  See local(8).
> 
> 
>>> So maybe the problem is with check_perms and not with the port at all
>>> (well the port would still need to get the aliases files owned by root).
>>>
>> There's nothing at all wrong with the check_perms script.
> 
> I am coming to that conclusion.  I now think that my second suggestion
> of changing the ports Makefile to set MAIL_GID to mailman instead of
> nobody when configuring for postfix is the correct direction to go.
> 
>> mailman owns the aliases db for mailman:
>> ls -lsa /usr/local/mailman/data/aliases*
>> 6 -rw-r--r--  1 root     mailman   4383 Oct 14  2005
>> /usr/local/mailman/data/aliases
>> 4 -rw-r-----  1 mailman  mailman   3984 Sep  8  2005
>> /usr/local/mailman/data/aliases.bak
>> 48 -rw-r-----  1 mailman  mailman  49152 May  5  2006
>> /usr/local/mailman/data/aliases.db
>>
>> And this is a working setup of mailman and postfix that's been running
>> for years.
> 
> But I don't believe that that set-up will work with the configure
> options that get passed for compiling mailman with the current port.
> 
> PORTNAME=       mailman
> DISTVERSION=    2.1.9
> PORTREVISION=   1
> CATEGORIES?=    mail
> 
> Thus, with a bit more confidence that before I present the same Makefile
> diff I recommend:
> 
> --- Makefile.orig       Fri Apr 20 14:17:08 2007
> +++ Makefile    Fri Apr 20 23:57:22 2007
> @@ -7,7 +7,7 @@
> PORTNAME=      mailman
> DISTVERSION=   2.1.9
> -PORTREVISION=  1
> +PORTREVISION=  2
> CATEGORIES?=   mail
> MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE} \
>                 http://www.list.org/
> @@ -88,7 +88,7 @@
> .if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined(WITH_EXIM4)
> BROKEN=        choose only one MTA integration
> .endif
> -MAIL_GID?=     nobody
> +MAIL_GID?=     mailman
> .endif
> .if defined(WITH_CHINESE)
> 
> Cheers,
> 
> -j
> 
> --Jeffrey Goldberg                        http://www.goldmark.org/jeff/
> 

Dears,

I've just committed a patch with the correct MAIL_GID for postfix build
as Jeffrey sent.

If you have any other problems, please tell me.

Thank you for the report guys.

Cheers,

--
Jean