Hi,

As I saw sthen's last commit message, it reminded me that I wanted to
look into the issue surrounding the 'wrong GID' problem, which is the
only reason we have a FLAVOR for every MTA. (as noted below, we probably
need more if we are to continue this path!)

Unfortunately, the way mailman does this is, let's say, suboptimal. Both
the mail and cgi wrappers check the real gid of the calling process, and
abort if that gid is not the compiled-in gid. This type of thing only
makes mild sense in the context of folks building their own mailman, and
certainly not for packagers.

While we have the mail configure argument in the FLAVORs below, the CGI
one is the default list (www www-data nobody) and of course is checked
against the build machine during the configure stage - we only get lucky
since we chose 'www' for our web server gids, but try another web
server and one will have to fiddle around for little reason.

I believe the cgi/mail wrapper check could actually look at the defined
group membership instead. If one puts in --with-mail-gid or
--with-cgi-gid as '_mailman', then the wrapper would check if the
calling process is a member of that group, then proceed. This allows
a user to choose and switch mail servers and web servers without either
constantly changing FLAVORs or custom building mailman. It is a
departure from upstream; however, if this approach seems sane and valid,
I can propose it - they've somewhat moved on from mailman 2.x to 3.x
where everything is lmtp based, but it's not feature complete, so no
attempt to upgrade to that quite yet.

Also, a few other unrelated changes below:
        - update to 2.1.21
        - configure patch hasn't been required since introducing
          --without-permcheck in configure
        - some of Defaults.py are now upstream defaults.

The below patch includes the above changes, as well as a rewrite of
check_caller() - probably easier to read after applying the patch.  I
chose to use the _mailman group as the group to check - I didn't see a
real need to add another group.

Comments, sanity checks all welcome.

Thanks,
Okan

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/mailman/Makefile,v
retrieving revision 1.83
diff -u -p -r1.83 Makefile
--- Makefile    19 Mar 2016 10:31:44 -0000      1.83
+++ Makefile    23 Mar 2016 12:25:49 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       mailing list manager with web interface
 
-DISTNAME=      mailman-2.1.20
-REVISION=      0
+DISTNAME=      mailman-2.1.21
 CATEGORIES=    mail www
 
 HOMEPAGE=      https://www.gnu.org/software/mailman/
@@ -32,8 +31,6 @@ FAKE_FLAGS=           DIRSETGID=":"
 
 # gnu still breaks the paths as prefix is actually mailman's home
 CONFIGURE_STYLE=       simple
-# do not use --without-permcheck as this requires the mailman user and group
-# to exist, otherwise there will be problems running mailman
 CONFIGURE_ARGS+=       --prefix='${MMHOME}' \
                        --with-mailhost=localhost.my.domain \
                        --with-python=${MODPY_BIN} \
@@ -41,19 +38,9 @@ CONFIGURE_ARGS+=     --prefix='${MMHOME}' \
                        --with-var-prefix='${MMSPOOL}' \
                        --without-permcheck \
                        --with-username=_mailman \
-                       --with-groupname=_mailman
-
-FLAVORS=       smtpd postfix sendmail
-FLAVOR?=       smtpd
-.if ${FLAVOR:Mpostfix}
-CONFIGURE_ARGS+=--with-mail-gid=_mailman
-.elif ${FLAVOR:Msendmail}
-CONFIGURE_ARGS+=--with-mail-gid=daemon
-.elif ${FLAVOR:Msmtpd}
-CONFIGURE_ARGS+=--with-mail-gid=_smtpd
-.else
-ERRORS+="Fatal: a flavor (smtpd, postfix, sendmail) must be specified"
-.endif
+                       --with-groupname=_mailman \
+                       --with-cgi-gid=_mailman \
+                       --with-mail-gid=_mailman
 
 SCRIPTS=       Mailman/Archiver/pipermail.py \
                Mailman/Post.py \
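Review bot: --with-cgi-gid and --with-mail-gid at the end of CONFIGURE_ARGS now name the same group as --with-groupname, so the group that authorizes callers is also the group mailman itself uses. Once the MTA and web server users are added to _mailman, as the README change asks, they hold that group's access to the installed tree directly (pkg/PLIST installs directories with @mode 775), not only through the wrappers. Consider a separate caller group passed to both options, so that membership grants the right to invoke the wrappers and nothing else.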
Index: distinfo
===================================================================
RCS file: /cvs/ports/mail/mailman/distinfo,v
retrieving revision 1.23
diff -u -p -r1.23 distinfo
--- distinfo    9 Apr 2015 15:37:08 -0000       1.23
+++ distinfo    23 Mar 2016 12:25:49 -0000
@@ -1,2 +1,2 @@
-SHA256 (mailman-2.1.20.tgz) = UiwrXFq5E5j9+UmolhFiwxT2MjzRv+uQfg+y2IJ3cR8=
-SIZE (mailman-2.1.20.tgz) = 9204867
+SHA256 (mailman-2.1.21.tgz) = /tM6GBVN6qToGiB5jIFEhe1LLl2LQs9tPVWGf/T3CEM=
+SIZE (mailman-2.1.21.tgz) = 9266286
Index: patches/patch-Mailman_Defaults_py_in
===================================================================
RCS file: /cvs/ports/mail/mailman/patches/patch-Mailman_Defaults_py_in,v
retrieving revision 1.13
diff -u -p -r1.13 patch-Mailman_Defaults_py_in
--- patches/patch-Mailman_Defaults_py_in        9 Apr 2015 15:37:08 -0000       
1.13
+++ patches/patch-Mailman_Defaults_py_in        23 Mar 2016 12:25:49 -0000
@@ -1,27 +1,12 @@
 $OpenBSD: patch-Mailman_Defaults_py_in,v 1.13 2015/04/09 15:37:08 okan Exp $
---- Mailman/Defaults.py.in.orig        Sat Feb 28 11:41:04 2015
-+++ Mailman/Defaults.py.in     Sun Mar 22 11:55:07 2015
-@@ -539,7 +539,22 @@ SMTPPORT = 0                                      # de
+--- Mailman/Defaults.py.in.orig        Sun Feb 28 15:47:44 2016
++++ Mailman/Defaults.py.in     Sun Mar 20 11:21:13 2016
+@@ -554,7 +554,7 @@ SMTPPORT = 0                                      # de
  
  # Command for direct command pipe delivery to sendmail compatible program,
  # when DELIVERY_MODULE is 'Sendmail'.
 -SENDMAIL_CMD = '/usr/lib/sendmail'
 +SENDMAIL_CMD = '/usr/sbin/sendmail'
-+
-+# Specify the type of passwords to use, when Mailman generates the passwords
-+# itself, as would be the case for membership requests where the user did not
-+# fill in a password, or during list creation, when auto-generation of admin
-+# passwords was selected.
-+#
-+# Set this value to Yes for classic Mailman user-friendly(er) passwords.
-+# These generate semi-pronounceable passwords which are easier to remember.
-+# Set this value to No to use more cryptographically secure, but harder to
-+# remember, passwords -- if your operating system and Python version support
-+# the necessary feature (specifically that /dev/urandom be available).
-+USER_FRIENDLY_PASSWORDS = Yes
-+
-+# This value specifies the default lengths of member passwords
-+MEMBER_PASSWORD_LENGTH = 8
  
  # Set these variables if you need to authenticate to your NNTP server for
  # Usenet posting or reading.  If no authentication is necessary, specify None
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure     9 Apr 2015 15:37:08 -0000       1.11
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,115 +0,0 @@
-$OpenBSD: patch-configure,v 1.11 2015/04/09 15:37:08 okan Exp $
---- configure.orig     Tue May  6 12:43:56 2014
-+++ configure  Sun Jan 11 10:37:11 2015
-@@ -3543,54 +3543,8 @@ USERNAME=$with_username
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USERNAME" >&5
- $as_echo "$USERNAME" >&6; }
- 
--# User `mailman' must exist
-+MAILMAN_USER=$with_username
- 
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for user name 
\"$USERNAME\"" >&5
--$as_echo_n "checking for user name \"$USERNAME\"... " >&6; }
--
--# MAILMAN_USER == variable name
--# $USERNAME == user id to check for
--
--
--if test -z "$MAILMAN_USER"
--then
--    cat > conftest.py <<EOF
--import pwd
--uid = ''
--for user in "$USERNAME".split():
--    try:
--        try:
--            uname = pwd.getpwuid(int(user))[0]
--            break
--        except ValueError:
--            uname = pwd.getpwnam(user)[0]
--            break
--    except KeyError:
--        uname = ''
--fp = open("conftest.out", "w")
--fp.write("%s\n" % uname)
--fp.close()
--EOF
--    $PYTHON conftest.py
--    MAILMAN_USER=`cat conftest.out`
--fi
--
--rm -f conftest.out conftest.py
--if test -z "$MAILMAN_USER"
--then
--  if test "$with_permcheck" = "yes"
--  then
--    as_fn_error $? "
--***** No \"$USERNAME\" user found!
--***** Your system must have a \"$USERNAME\" user defined
--***** (usually in your /etc/passwd file).  Please see the INSTALL
--***** file for details." "$LINENO" 5
--  fi
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5
--$as_echo "okay" >&6; }
--
--
- # Check for some other gid to use than `mailman'
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-groupname" >&5
- $as_echo_n "checking for --with-groupname... " >&6; }
-@@ -3609,54 +3563,7 @@ GROUPNAME=$with_groupname
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GROUPNAME" >&5
- $as_echo "$GROUPNAME" >&6; }
- 
--
--# Target group must exist
--
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for group name 
\"$GROUPNAME\"" >&5
--$as_echo_n "checking for group name \"$GROUPNAME\"... " >&6; }
--
--# MAILMAN_GROUP == variable name
--# $GROUPNAME == user id to check for
--
--
--if test -z "$MAILMAN_GROUP"
--then
--    cat > conftest.py <<EOF
--import grp
--gid = ''
--for group in "$GROUPNAME".split():
--    try:
--        try:
--            gname = grp.getgrgid(int(group))[0]
--            break
--        except ValueError:
--            gname = grp.getgrnam(group)[0]
--            break
--    except KeyError:
--        gname = ''
--fp = open("conftest.out", "w")
--fp.write("%s\n" % gname)
--fp.close()
--EOF
--    $PYTHON conftest.py
--    MAILMAN_GROUP=`cat conftest.out`
--fi
--
--rm -f conftest.out conftest.py
--if test -z "$MAILMAN_GROUP"
--then
--  if test "$with_permcheck" = "yes"
--  then
--    as_fn_error $? "
--***** No \"$GROUPNAME\" group found!
--***** Your system must have a \"$GROUPNAME\" group defined
--***** (usually in your /etc/group file).  Please see the INSTALL
--***** file for details." "$LINENO" 5
--  fi
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5
--$as_echo "okay" >&6; }
--
-+MAILMAN_GROUP=$with_groupname
- 
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking permissions on 
$prefixcheck" >&5
- $as_echo_n "checking permissions on $prefixcheck... " >&6; }
Index: patches/patch-src_common_c
===================================================================
RCS file: patches/patch-src_common_c
diff -N patches/patch-src_common_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_c  23 Mar 2016 12:25:49 -0000
@@ -0,0 +1,78 @@
+$OpenBSD$
+--- src/common.c.orig  Sun Feb 28 15:47:44 2016
++++ src/common.c       Sun Mar 20 16:22:35 2016
+@@ -119,45 +119,39 @@ fatal(const char* ident, int exitcode, char* format, .
+ void
+ check_caller(const char* ident, const char* parentgroup)
+ {
+-        GID_T mygid = getgid();
+-        struct group *mygroup = getgrgid(mygid);
+-        char* option;
+-        char* server;
++      struct passwd *pw;
++      struct group *gr;
++      char **g;
++      int ok = 0;
+         char* wrapper;
+ 
+-        if (running_as_cgi) {
+-                option = "--with-cgi-gid";
+-                server = "web";
+-                wrapper = "CGI";
+-        }
+-        else {
+-                option = "--with-mail-gid";
+-                server = "mail";
+-                wrapper = "mail";
+-        }
++      pw = getpwuid(getuid());
++      if (pw == NULL)
++              fatal(ident, USER_NAME_NOT_FOUND,
++                    "Failure to find username");
+ 
+-        if (!mygroup)
+-                fatal(ident, GROUP_NAME_NOT_FOUND,
+-                      "Failure to find group name for GID %d.  Mailman\n"
+-                      "expected the %s wrapper to be executed as group\n"
+-                      "\"%s\", but the system's %s server executed the\n"
+-                      "wrapper as GID %d for which the name could not be\n"
+-                      "found.  Try adding GID %d to your system as \"%s\",\n"
+-                      "or tweak your %s server to run the wrapper as group\n"
+-                      "\"%s\".",
+-                      mygid, wrapper, parentgroup, server, mygid, mygid,
+-                      parentgroup, server, parentgroup);
++      gr = getgrnam(parentgroup);
++      if (gr == NULL)
++              fatal(ident, GROUP_NAME_NOT_FOUND,
++                    "Failure to find \"%s\" group", parentgroup);
+ 
+-        if (strcmp(parentgroup, mygroup->gr_name))
+-                fatal(ident, GROUP_MISMATCH,
+-                      "Group mismatch error.  Mailman expected the %s\n"
+-                      "wrapper script to be executed as group \"%s\", but\n"
+-                      "the system's %s server executed the %s script as\n"
+-                      "group \"%s\".  Try tweaking the %s server to run the\n"
+-                      "script as group \"%s\", or re-run configure, \n"
+-                      "providing the command line option `%s=%s'.",
+-                      wrapper, parentgroup, server, wrapper, mygroup->gr_name,
+-                      server, parentgroup, option, mygroup->gr_name);
++      for (g = gr->gr_mem; *g; g++) {
++              if (strcmp(pw->pw_name, *g) == 0) {
++                      ok = 1;
++                      break;
++              }
++      }
++
++      if (running_as_cgi)
++              wrapper = "CGI";
++      else
++              wrapper = "mail";
++
++      if (ok == 0)
++              fatal(ident, GROUP_MISMATCH,
++                    "Group mismatch error.  Mailman expected the %s\n"
++                    "wrapper script to be executed by a member of\n"
++                    "\"%s\" group.", wrapper, parentgroup);
+ }
+ 
+ 
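Review bot: the loop over gr->gr_mem in the new check_caller() misses a caller whose primary group is parentgroup, because the primary group comes from pw->pw_gid and such an account is normally not listed in gr_mem; compare pw->pw_gid with gr->gr_gid before walking the list. The check also looks up the real uid's name in the group database instead of using the process's own credentials, which deserves a comment saying it is intended. The GROUP_MISMATCH message would be easier to act on if it included pw->pw_name.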
Index: patches/patch-src_common_h
===================================================================
RCS file: patches/patch-src_common_h
diff -N patches/patch-src_common_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_h  23 Mar 2016 12:25:49 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+--- src/common.h.orig  Sun Mar 20 13:48:18 2016
++++ src/common.h       Sun Mar 20 13:53:00 2016
+@@ -27,6 +27,7 @@
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <grp.h>
++#include <pwd.h>
+ #include <unistd.h>
+ 
+ /* GETGROUPS_T gets set in the makefile by configure */
+@@ -52,6 +53,7 @@ extern const char* logident;
+ #define MAIL_ILLEGAL_COMMAND 6
+ #define ADDALIAS_USAGE_ERROR 7
+ #define GROUP_NAME_NOT_FOUND 8
++#define USER_NAME_NOT_FOUND 9
+ 
+ 
+ /*
Index: pkg/DESCR
===================================================================
RCS file: /cvs/ports/mail/mailman/pkg/DESCR,v
retrieving revision 1.3
diff -u -p -r1.3 DESCR
--- pkg/DESCR   22 Nov 2014 22:56:42 -0000      1.3
+++ pkg/DESCR   23 Mar 2016 12:25:49 -0000
@@ -30,8 +30,3 @@ mailing list manager, and more:
 - An extensible mail delivery pipeline.
 
 - Support for virtual domains.
-
-Flavors:
-    The default flavor makes the mailwrapper run in group _smtpd, for smtpd
-    postfix - makes the mailwrapper run in group _mailman, for  postfix
-    sendmail - makes the mailwrapper run in group daemon, for sendmail
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/mail/mailman/pkg/PLIST,v
retrieving revision 1.25
diff -u -p -r1.25 PLIST
--- pkg/PLIST   9 Apr 2015 15:37:08 -0000       1.25
+++ pkg/PLIST   23 Mar 2016 12:25:49 -0000
@@ -1,4 +1,7 @@
 @comment $OpenBSD: PLIST,v 1.25 2015/04/09 15:37:08 okan Exp $
+@pkgpath mail/mailman,postfix
+@pkgpath mail/mailman,sendmail
+@pkgpath mail/mailman,smtpd
 @newgroup _mailman:504
 @newuser _mailman:504:_mailman:daemon:Mailing List 
Manager:${PREFIX}/lib/mailman:/sbin/nologin
 @extraunexec rm -fr /var/spool/mailman/*
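Review bot: the three @pkgpath lines move existing flavored installs onto this package, but nothing tells those users that the wrappers will report a group mismatch until their MTA and web server users are in _mailman. The README gains that instruction only under the installation steps and the troubleshooting entry; an upgrade note, or a message displayed on update, would cover the upgrade path.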
@@ -902,6 +905,7 @@ lib/mailman/templates/da/verify.txt
 @mode 775
 lib/mailman/templates/de/
 @mode
+lib/mailman/templates/de/adminaddrchgack.txt
 lib/mailman/templates/de/admindbdetails.html
 lib/mailman/templates/de/admindbpreamble.html
 lib/mailman/templates/de/admindbsummary.html
@@ -1794,9 +1798,6 @@ lib/mailman/templates/no/verify.txt
 @mode 775
 lib/mailman/templates/pl/
 @mode
-lib/mailman/templates/pl/admindbdetails.html
-lib/mailman/templates/pl/admindbpreamble.html
-lib/mailman/templates/pl/admindbsummary.html
 lib/mailman/templates/pl/adminsubscribeack.txt
 lib/mailman/templates/pl/adminunsubscribeack.txt
 lib/mailman/templates/pl/admlogin.html
@@ -1812,11 +1813,9 @@ lib/mailman/templates/pl/archtocnombox.h
 lib/mailman/templates/pl/article.html
 lib/mailman/templates/pl/bounce.txt
 lib/mailman/templates/pl/checkdbs.txt
-lib/mailman/templates/pl/convert.txt
 lib/mailman/templates/pl/cronpass.txt
 lib/mailman/templates/pl/disabled.txt
 lib/mailman/templates/pl/emptyarchive.html
-lib/mailman/templates/pl/headfoot.html
 lib/mailman/templates/pl/help.txt
 lib/mailman/templates/pl/invite.txt
 lib/mailman/templates/pl/listinfo.html
Index: pkg/README
===================================================================
RCS file: /cvs/ports/mail/mailman/pkg/README,v
retrieving revision 1.4
diff -u -p -r1.4 README
--- pkg/README  19 Mar 2016 10:29:03 -0000      1.4
+++ pkg/README  23 Mar 2016 12:25:49 -0000
@@ -11,6 +11,8 @@ OpenBSD specific comments added. It's a 
 
 1) Final Steps for Installation
 
+- Add your MTA and web server user to the _mailman group.
+
 - Configure your web server to give $mailmandir/cgi-bin permission to
   run CGI scripts by adding
 
@@ -175,13 +177,10 @@ system and version of Python.
              more information.
 
 
-   Problem:  The mail wrapper programs are logging complaints about the
-             wrong GID.
+   Problem:  The cgi and mail wrapper programs are logging complaints
+             about group mismatch.
 
-   Solution: The mail wrappers have a compiled-in GID check. Packages are
-             available for postfix/smtpd/sendmail, pkg_add will ask you which
-             to use. If you change MTA, uninstall the mailman package and
-             pkg_add a new one.
+   Solution: Add your MTA and web server user to the _mailman group.
 
 
    Problem:  I send mail to the list, and get back mail saying,
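The membership test proposed in the message above ("check if the calling process is a member of that group"), written as a stand-alone function. This is an added example, not part of the original post or of mailman's source; caller_in_group and sample_check are hypothetical names, and it goes one step further than the text by also accepting a caller whose primary group is the target group.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Return 1 if the account in pw belongs to gr: gr is its primary group
 * (pw_gid), or its name is listed in gr_mem.  No database lookups here,
 * so the logic can be run on constructed records.
 */
int
caller_in_group(const struct passwd *pw, const struct group *gr)
{
	char **g;

	if (pw == NULL || gr == NULL || pw->pw_name == NULL)
		return 0;
	if (pw->pw_gid == gr->gr_gid)	/* primary group, usually not in gr_mem */
		return 1;
	for (g = gr->gr_mem; g != NULL && *g != NULL; g++)
		if (strcmp(pw->pw_name, *g) == 0)
			return 1;
	return 0;
}

/* Constructed sample: _mailman has gid 504 as in pkg/PLIST; the member
 * list and the callers' gids are made up for illustration. */
int
sample_check(const char *user, gid_t primary_gid)
{
	static char *members[] = { "_smtpd", "www", NULL };
	struct passwd pw;
	struct group gr;

	memset(&pw, 0, sizeof(pw));
	memset(&gr, 0, sizeof(gr));
	pw.pw_name = (char *)user;
	pw.pw_gid = primary_gid;
	gr.gr_name = (char *)"_mailman";
	gr.gr_gid = 504;
	gr.gr_mem = members;
	return caller_in_group(&pw, &gr);
}

int
main(void)
{
	/* listed member, primary-group member, non-member */
	printf("%d %d %d\n", sample_check("www", 67),
	    sample_check("_mailman", 504), sample_check("nobody", 32767));
	return 0;
}
```

In a wrapper the two records would come from getpwuid(getuid()) and getgrnam(parentgroup), with both results checked for NULL before the call.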
