Date: Mon, 23 Apr 2007 10:04:00 -0300
From: Jean Milanez Melo <jmelo@freebsdbrasil.com.br>
To: Jeffrey Goldberg <jeffrey@goldmark.org>
Cc: ports@freebsd.org, Paul Schmehl <pauls@utdallas.edu>, List_Mailman Org <mailman-users@python.org>
Subject: Re: Mailman GID problem
Message-ID: <462CAEC0.2020005@freebsdbrasil.com.br>
In-Reply-To: <2D8F0EEC-CA1A-403E-8799-8E6D27C11475@goldmark.org>
References: <200704200842.48793.david@vizion2000.net> <CA436D2A-08D1-4CC9-B300-7FF4E7F929F0@goldmark.org> <94592079D5FE1208BC6F7D03@utd59514.utdallas.edu> <F7A906EA-FA63-42C2-8E42-20F0B575A810@goldmark.org> <DB6C056281A25168ECD2A048@utd59514.utdallas.edu> <A6A80B58-976B-4C70-BD05-712EBA601B00@goldmark.org> <241A5B7DB4C2BB1A9FE54C99@paul-schmehls-powerbook59.local> <2D8F0EEC-CA1A-403E-8799-8E6D27C11475@goldmark.org>

Jeffrey Goldberg wrote:
> On Apr 20, 2007, at 9:26 PM, Paul Schmehl wrote:
>
>> --On April 20, 2007 7:54:45 PM -0500 Jeffrey Goldberg
>> <jeffrey@goldmark.org> wrote:
>
>>> So the first fix (modifying the owner of data/aliases{,.db}) is the
>>> right way to go, but instead of making those files owned by "nobody"
>>> (which does seem dangerous because then anything running as "nobody"
>>> could change those files) they should be owned by root with mailman as
>>> the group and permissions like 664.
>>>
>> Nobody is an unprivileged user.
>
> Thank you. I forgot about that. I was treating "nobody" like "www" or
> "mail". It entirely slipped my mind that "nobody" really is different.
>
>>> it would break to ownership of the aliases file so that we would have
>>> the mismatch between what the uid postfix gives the wrapper
>>> ("mailman") and what the wrapper demands ("nobody").
>>>
>> Nope. I've been running mailman for years now, and it works perfectly
>> fine. The owner of the data directory is mailman, and the group is
>> mailman.
>> ls -lsa /usr/local/mailman/data/
>> total 132
>> 2 drwxrwsr-x 2 mailman mailman 512 Apr 7 19:47 .
>> 2 drwxrwsr-x 20 mailman mailman 512 Nov 28 17:48 ..
>> 48 -rw-r--r-- 1 mailman mailman 65536 Sep 6 2005 .db
>> 2 -rw-r----- 1 mailman mailman 41 Sep 6 2005 adm.pw
>> 6 -rw-r--r-- 1 root mailman 4383 Oct 14 2005 aliases
>> 4 -rw-r----- 1 mailman mailman 3984 Sep 8 2005 aliases.bak
>> 48 -rw-r----- 1 mailman mailman 49152 May 5 2006 aliases.db
>> 0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005
>> bounce-events-00446.pck
>> 0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005
>> bounce-events-00449.pck
>> 0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005
>> bounce-events-00467.pck
>> 0 -rw-rw-rw- 1 mailman mailman 0 Jan 27 2006
>> bounce-events-00567.pck
>> 0 -rw-rw-rw- 1 mailman mailman 0 Oct 13 2005
>> bounce-events-38840.pck
>> 2 -rw-r----- 1 mailman mailman 41 Sep 6 2005 creator.pw
>> 2 -rw-r--r-- 1 root mailman 10 Nov 28 17:48
>> last_mailman_version
>> 2 -rw-rw---- 1 mailman mailman 4 Apr 1 08:31 master-qrunner.pid
>> 14 -rw-r--r-- 1 root mailman 14114 Nov 28 17:48 sitelist.cfg
>
> I am fairly confident that if that is working for you, then you are not
> running with /usr/local/mailman/mail/mailman that was compiled with the
> current port with the postfix option set. The binary mailman has a gid
> compiled into it. Given the current port WITH_POSTFIX.
>
> Installing the current port WITH_POSTFIX will produce a mailman binary
> which will only allow itself to be run by "nobody". Yours must have
> "mailman" compiled in where "nobody" is in what I (and David) get.
>
> [jeffrey@dobby /usr/local/mailman/mail]$ strings mailman | tail
> leave
> post
> owner
> request
> unsubscribe
> Mailman mail-wrapper
> nobody
> Illegal command: %s
> Usage: %s program [args...]
> $FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.6 2005/05/19 07:31:06 dfr Exp $
>
>
> What is your result on your system? If you get "mailman" where I have
> "nobody" then one of my earlier suggestions (change MAIL_GID for the
> postfix setting from "nobody" to "mailman" in the port Makefile) may be
> the right thing. That is what is most consistent with the mailman
> install instructions.
>
> From /usr/local/share/doc/mailman/mailman-install.txt
>
> In section 6.1.1 Integrating Postfix and Mailman
>
>
> * When you configure Mailman, use the --with-mail-gid=mailman
> switch;
>
> However, the current ports Makefile compiles mailman --with-mail-gid=nobody
>
> The same section also says
>
> Make sure that the owner of the data/aliases and data/aliases.db
> file is mailman, that the group owner for those files is mailman,
> or whatever user and group you used in the configure command, and
> that both files are group writable:
> % su
> % chown mailman:mailman data/aliases*
> % chmod g+w data/aliases*
>
>>
>> It is the *group* that matters to postfix, *not* the owner. Per the
>> pkg-message file:
>> Mailman has been installed, but requires further configuration before
>> use!
>>
>> You will have to configure both your MTA (mail server) and web server to
>> integrate with Mailman. If the port's documentation has been installed,
>> extensive post-installation instructions may be found in:
>>
>> %%DOCSDIR%%/FreeBSD-post-install-notes
>>
>> Note (1): If you use an alternate (non-Sendmail) MTA, you MUST be sure
>> that the correct value of MAIL_GID was used when this port or package
>> was built. Performing a "make options" in the Mailman port directory
>> will list required values for various mail servers.
>>
>> Note that MAIL_GID is what matters. That is the *group* not the owner
>> of the files. Note also that the group only has read writes to the
>> aliases file, although it does have read/write access to the
>> bounce-events files.
>
> However it is the owner of the file containing the pipe alias that
> matters to postfix local deliveries. See local(8).
>
>
>>> So maybe the problem is with check_perms and not with the port at all
>>> (well the port would still need to get the aliases files owned by root).
>>>
>> There's nothing at all wrong with the check_perms script.
> > I am coming to that conclusion. I now think that my second suggestion > of changing the ports Makefile to set MAIL_GID to mailman instead of > nobody when configuring for postfix is the correct direction to go. > >> mailman owns the aliases db for mailman: >> ls -lsa /usr/local/mailman/data/aliases* >> 6 -rw-r--r-- 1 root mailman 4383 Oct 14 2005 >> /usr/local/mailman/data/aliases >> 4 -rw-r----- 1 mailman mailman 3984 Sep 8 2005 >> /usr/local/mailman/data/aliases.bak >> 48 -rw-r----- 1 mailman mailman 49152 May 5 2006 >> /usr/local/mailman/data/aliases.db >> >> And this is a working setup of mailman and postfix that's been running >> for years. > > But I don't believe that that set-up will work with the configure > options that get passed for compiling mailman with the current port. > > PORTNAME= mailman > DISTVERSION= 2.1.9 > PORTREVISION= 1 > CATEGORIES?= mail > > Thus, with a bit more confidence that before I present the same Makefile > diff I recommend: > > --- Makefile.orig Fri Apr 20 14:17:08 2007 > +++ Makefile Fri Apr 20 23:57:22 2007 > @@ -7,7 +7,7 @@ > PORTNAME= mailman > DISTVERSION= 2.1.9 > -PORTREVISION= 1 > +PORTREVISION= 2 > CATEGORIES?= mail > MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} \ > http://www.list.org/ > @@ -88,7 +88,7 @@ > .if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined(WITH_EXIM4) > BROKEN= choose only one MTA integration > .endif > -MAIL_GID?= nobody > +MAIL_GID?= mailman > .endif > .if defined(WITH_CHINESE) > > Cheers, > > -j > > --Jeffrey Goldberg http://www.goldmark.org/jeff/ > Dears, I've just committed a patch with the correct MAIL_GID for postfix build as Jeffrey sent. If you have any other problems, please tell me. Thank you for the report guys. Cheers, -- Jean
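
Review bot: The `MAIL_GID?= mailman` line in the second hunk (@@ -88,7 +88,7 @@) changes the group compiled into the mail wrapper for Postfix builds, but nothing in the patch tells existing installs that data/aliases and data/aliases.db now have to be owned by mailman, which the thread identifies as the other half of the match (Postfix runs the pipe alias as the owner of the alias file). Anyone who worked around the old default by making those files owned by nobody will hit the same GID mismatch in reverse after rebuilding at PORTREVISION 2. I would add the `chown mailman:mailman data/aliases*` and `chmod g+w data/aliases*` step from mailman-install.txt section 6.1.1 to pkg-message or the post-install notes in the same commit, plus a one-line comment above `MAIL_GID?=` saying it must match the group of the alias file owner.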
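
Added example, not part of the original message or of the Mailman port: a small check that reproduces the mismatch discussed in this thread from an `ls -ls` line and the group name compiled into the wrapper. It assumes the local(8) behaviour referenced above (pipe aliases run as the alias database owner, or as `default_privs` when that owner is root); the `PRIMARY_GROUP` table and all function names are hypothetical.

```python
import re

# Primary group of each account (constructed sample, stands in for /etc/passwd).
PRIMARY_GROUP = {"mailman": "mailman", "nobody": "nobody", "root": "wheel"}

# Optional block count, mode string, link count, owner, group, size, ..., name.
LS_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+.*\s(?P<name>\S+)$"
)

def parse_ls_line(line):
    """Parse one `ls -l` or `ls -ls` line into mode, owner, group and name."""
    m = LS_RE.match(line)
    if m is None:
        raise ValueError("not an ls -l line: %r" % line)
    return m.groupdict()

def delivery_group(entry, default_privs="nobody"):
    """Group the wrapper is invoked with: the alias database owner's primary
    group, or the primary group of default_privs when the owner is root."""
    user = default_privs if entry["owner"] == "root" else entry["owner"]
    return PRIMARY_GROUP[user]

def check_alias_db(line, compiled_gid, default_privs="nobody"):
    """Return a list of problems for one alias database listing line."""
    entry = parse_ls_line(line)
    problems = []
    got = delivery_group(entry, default_privs)
    if got != compiled_gid:
        problems.append("wrapper expects group %s but will be run as %s"
                        % (compiled_gid, got))
    # mode[5] is the group write bit; mailman-install.txt asks for g+w.
    if entry["mode"][5] != "w":
        problems.append("%s is not group writable" % entry["name"])
    return problems

if __name__ == "__main__":
    # First line is from the listing quoted in the thread; the second is constructed.
    samples = [
        "48 -rw-r----- 1 mailman mailman 49152 May 5 2006 aliases.db",
        "48 -rw-rw---- 1 root mailman 49152 May 5 2006 aliases.db",
    ]
    for line in samples:
        for gid in ("nobody", "mailman"):
            print(gid, "|", line, "->", check_alias_db(line, gid) or "ok")
```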