Date:      Sat, 21 Apr 2007 00:46:59 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        Jeffrey Goldberg <jeffrey@goldmark.org>
Cc:        ports@freebsd.org, Jean Milanez Melo <jmelo@freebsdbrasil.com.br>
Subject:   Re: Mailman GID problem
Message-ID:  <05E49D98F442250F5D84D64D@paul-schmehls-powerbook59.local>
In-Reply-To: <2D8F0EEC-CA1A-403E-8799-8E6D27C11475@goldmark.org>
References:  <200704200842.48793.david@vizion2000.net> <CA436D2A-08D1-4CC9-B300-7FF4E7F929F0@goldmark.org> <94592079D5FE1208BC6F7D03@utd59514.utdallas.edu> <F7A906EA-FA63-42C2-8E42-20F0B575A810@goldmark.org> <DB6C056281A25168ECD2A048@utd59514.utdallas.edu> <A6A80B58-976B-4C70-BD05-712EBA601B00@goldmark.org> <241A5B7DB4C2BB1A9FE54C99@paul-schmehls-powerbook59.local> <2D8F0EEC-CA1A-403E-8799-8E6D27C11475@goldmark.org>

--On April 20, 2007 11:59:46 PM -0500 Jeffrey Goldberg <jeffrey@goldmark.org> wrote:
>
> I am fairly confident that if that is working for you, then you are not
> running with /usr/local/mailman/mail/mailman that was compiled with the
> current port with the postfix option set.  The binary mailman has a gid
> compiled into it.  Given the current port WITH_POSTFIX.
>
bash-2.05b# uname -a
FreeBSD mail.stovebolt.com 5.4-SECURITY FreeBSD 5.4-SECURITY #0: Tue Apr 18 06:15:11 UTC 2006
bash-2.05b# pkg_info mailman*
Information for mailman-2.1.9_1:

bash-2.05b# less /usr/ports/mail/mailman/distinfo
MD5 (mailman/mailman-2.1.9.tgz) = dd51472470f9eafb04f64da372444835
SHA256 (mailman/mailman-2.1.9.tgz) = 1b7a2c853c21bfd22205167dc3678c634a3f981721d95d1cd923ca84967cc986
SIZE (mailman/mailman-2.1.9.tgz) = 7829201

Looks like I'm current.  I build everything from ports.  I've never
installed a package.  Ever.

> Installing the current port WITH_POSTFIX will produce a mailman binary
> which will only allow itself to be run by "nobody".  Yours must have
> "mailman" compiled in where "nobody" is in what I (and David) get.
>
> [jeffrey@dobby /usr/local/mailman/mail]$ strings mailman | tail
> leave
> post
> owner
> request
> unsubscribe
> Mailman mail-wrapper
> nobody
> Illegal command: %s
> Usage: %s program [args...]
> $FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.6 2005/05/19 07:31:06 dfr Exp $
>
bash-2.05b# strings /usr/local/mailman/mail/mailman | tail
join
leave
post
owner
request
unsubscribe
Mailman mail-wrapper
Illegal command: %s
Usage: %s program [args...]
$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $
>
> What is your result on your system?  If you get "mailman" where I have
> "nobody" then one of my earlier suggestions (change MAIL_GID for the
> postfix setting from "nobody" to "mailman" in the port Makefile) may be
> the right thing.  That is what is most consistent with the mailman
> install instructions.
>
bash-2.05b# strings /usr/local/mailman/mail/mailman | grep nobody
bash-2.05b# strings /usr/local/mailman/mail/mailman | grep mailman
/usr/local/mailman
/usr/local/mailman/scripts/

>  From /usr/local/share/doc/mailman/mailman-install.txt
>
>   In section  6.1.1 Integrating Postfix and Mailman
>
>
>     * When you configure Mailman, use the --with-mail-gid=mailman
>       switch;
>
> However, the current ports Makefile compiles mailman
> --with-mail-gid=nobody
>
I don't build mailman that way.  I use pkgtools.conf.

bash-2.05b# grep -C2 mailman /usr/local/etc/pkgtools.conf

  MAKE_ARGS = {
        # Preset mailman so it will compile with the right group
        'mail/mailman' => 'MAIL_GID=mailman'
  }

> The same section also says
>
>         Make sure that the owner of the data/aliases and data/aliases.db
>         file is mailman, that the group owner for those files is mailman,
>         or whatever user and group you used in the configure command, and
>         that both files are group writable:
>         % su
>         % chown mailman:mailman data/aliases*
>         % chmod g+w data/aliases*
>
Clearly that last part is wrong.
bash-2.05b# ls -lsa /usr/local/mailman/data/aliases*
 6 -rw-r--r--  1 root     mailman   4383 Oct 14  2005 /usr/local/mailman/data/aliases
 4 -rw-r-----  1 mailman  mailman   3984 Sep  8  2005 /usr/local/mailman/data/aliases.bak
48 -rw-r-----  1 mailman  mailman  49152 May  5  2006 /usr/local/mailman/data/aliases.db

I can't imagine why both files need to be group writeable.  The only time
the file is written to (AFAIK) is when you add a mailing list, and mailman
owns the file and has write access.  The only time the db is written to is
when you run postalias, and you should always run that as root, either
directly or through sudo.
>
> However it is the owner of the file containing the pipe alias that
> matters to postfix local deliveries.  See local(8).
>
Why?  Postfix only needs read access to know what aliases it needs to
deliver to.  I don't see anything in local(8) that says postfix requires
ownership of the alias file or the aliases db.

>> There's nothing at all wrong with the check_perms script.
>
> I am coming to that conclusion.  I now think that my second suggestion
> of changing the ports Makefile to set MAIL_GID to mailman instead of
> nobody when configuring for postfix is the correct direction to go.
>
Isn't that what the --with-mail-gid= is supposed to do?
>
> But I don't believe that that set-up will work with the configure
> options that get passed for compiling mailman with the current port.
>
> PORTNAME=       mailman
> DISTVERSION=    2.1.9
> PORTREVISION=   1
> CATEGORIES?=    mail
>

OK.

> Thus, with a bit more confidence than before I present the same Makefile
> diff I recommend:
>
> --- Makefile.orig       Fri Apr 20 14:17:08 2007
> +++ Makefile    Fri Apr 20 23:57:22 2007
> @@ -7,7 +7,7 @@
> PORTNAME=3D      mailman
> DISTVERSION=3D   2.1.9
> -PORTREVISION=3D  1
> +PORTREVISION=3D  2
> CATEGORIES?=3D   mail
> MASTER_SITES=3D  ${MASTER_SITE_SOURCEFORGE} \
>                  http://www.list.org/
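Review bot: The PORTREVISION bump at the top of the Makefile ships a behaviour change for existing Postfix installs with no note for upgraders. Once the wrapper is rebuilt with the new group, a site whose alias files were set up to match the old value will see deliveries rejected until their ownership is changed. Add an entry to UPDATING or the port's pkg-message telling Postfix users to check the owner and group of data/aliases* as section 6.1.1 of mailman-install.txt describes.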
> @@ -88,7 +88,7 @@
> .if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined(WITH_EXIM4)
> BROKEN=3D        choose only one MTA integration
> .endif
> -MAIL_GID?=3D     nobody
> +MAIL_GID?=3D     mailman
> .endif
> .if defined(WITH_CHINESE)
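Review bot: The changed MAIL_GID default, which the thread identifies as the Postfix case, has no comment saying why it is mailman rather than nobody. A one-line comment above it pointing to section 6.1.1 of mailman-install.txt (--with-mail-gid=mailman) would keep it from being flipped back later. Since the assignment stays conditional (?=), a MAIL_GID supplied on the make command line or through pkgtools.conf still takes precedence, so existing overrides are unaffected.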
>
Now that I've looked at the Makefile, you are correct.  For Postfix it
selects nobody which is incorrect.  It should be selecting mailman.
However, if you build the port like this: make -DWITH-MAIL-GID=mailman (or
use pkgtools.conf as I do), you override the options and the port compiles
correctly.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
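
The group check discussed in this message, as an added example (not part of the original e-mail and not Mailman or Postfix source): a wrapper-style test of the caller's group against a compiled-in name, plus a helper that works out which group a pipe alias would run with. The function names, the "nobody" default account and the rule that delivery follows the alias file's owner are assumptions taken from the reading of local(8) quoted above.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the name of group `gid` into buf; 0 on success, -1 if it has no entry. */
int group_name(gid_t gid, char *buf, size_t len) {
    struct group *gr = getgrgid(gid);
    if (gr == NULL || strlen(gr->gr_name) >= len) return -1;
    strcpy(buf, gr->gr_name);
    return 0;
}

/* Wrapper-style check: 1 if the caller's group is the compiled-in one,
 * 0 on mismatch, -1 if the caller's gid cannot be resolved to a name. */
int caller_group_allowed(gid_t caller_gid, const char *legal_group) {
    char name[256];
    if (group_name(caller_gid, name, sizeof name) != 0) return -1;
    return strcmp(name, legal_group) == 0;
}

/* Assumption (the reading of local(8) quoted in the thread): a pipe alias
 * runs as the owner of the alias file, and a root-owned file falls back to
 * a default account, passed here as default_user. Stores that account's
 * primary gid in *out; returns -1 if the file or the account is missing. */
int delivery_gid(const char *alias_file, const char *default_user, gid_t *out) {
    struct stat st;
    struct passwd *pw;
    if (stat(alias_file, &st) != 0) return -1;
    pw = st.st_uid == 0 ? getpwnam(default_user) : getpwuid(st.st_uid);
    if (pw == NULL) return -1;
    *out = pw->pw_gid;
    return 0;
}

int main(int argc, char **argv) {
    /* usage: prog <alias file> <group compiled into the wrapper> */
    gid_t gid;
    if (argc != 3 || delivery_gid(argv[1], "nobody", &gid) != 0) {
        fprintf(stderr, "usage: %s alias-file wrapper-group\n", argv[0]);
        return 2;
    }
    int ok = caller_group_allowed(gid, argv[2]);
    printf("delivery gid %ld: %s\n", (long)gid, ok == 1 ? "accepted" : "rejected");
    return ok == 1 ? 0 : 1;
}
```

Run against the alias file and the group the wrapper was built with, it exits non-zero when the two disagree, which is the mismatch the thread is chasing.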
