On Wed 2016.03.23 at 13:27 +0000, Stuart Henderson wrote:
> On 2016/03/23 08:48, Okan Demirmen wrote:
> > I believe the cgi/mail wrapper check could actually look at the defined
> > group membership instead.
> 
> Oh this is a much better approach. I was considering rewriting the check
> to allow any one of a hardcoded list, but that's a much better idea.
> 
> I'm not using mailman myself but think this is a good way to do it.

dlg's comment was to use another group, _mailmanq; with that, here's an
updated diff to go in the cgi/mail wrapper rewrite direction with a new
group (of course mail/Makefile to be updated as well).

Summary:
- update to 2.1.21
- remove configure patch: hasn't been required since introducing 
  --without-permcheck in configure
- some of Defaults.py are now upstream defaults.
- rewrite cgi/mail wrapper (check_caller()) to check calling uid 
  against --with-cgi-gid/--with-mail-gid defined group.
- no longer requires a FLAVOR for each mail/web server.

Thanks,
Okan

Index: user.list
===================================================================
RCS file: /cvs/ports/infrastructure/db/user.list,v
retrieving revision 1.264
diff -u -p -r1.264 user.list
--- user.list   4 Apr 2016 12:05:37 -0000       1.264
+++ user.list   4 Apr 2016 19:07:36 -0000
@@ -276,3 +276,4 @@ id  user            group           port options
 765 _hedgewars         _hedgewars      games/hedgewars
 766 _kibana            _kibana         www/kibana
 767 _squeezelite       _squeezelite    audio/squeezelite
+768                    _mailmanq       mail/mailman
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/mailman/Makefile,v
retrieving revision 1.83
diff -u -p -r1.83 Makefile
--- Makefile    19 Mar 2016 10:31:44 -0000      1.83
+++ Makefile    4 Apr 2016 19:07:25 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       mailing list manager with web interface
 
-DISTNAME=      mailman-2.1.20
-REVISION=      0
+DISTNAME=      mailman-2.1.21
 CATEGORIES=    mail www
 
 HOMEPAGE=      https://www.gnu.org/software/mailman/
@@ -32,8 +31,6 @@ FAKE_FLAGS=           DIRSETGID=":"
 
 # gnu still breaks the paths as prefix is actually mailman's home
 CONFIGURE_STYLE=       simple
-# do not use --without-permcheck as this requires the mailman user and group
-# to exist, otherwise there will be problems running mailman
 CONFIGURE_ARGS+=       --prefix='${MMHOME}' \
                        --with-mailhost=localhost.my.domain \
                        --with-python=${MODPY_BIN} \
@@ -41,19 +38,9 @@ CONFIGURE_ARGS+=     --prefix='${MMHOME}' \
                        --with-var-prefix='${MMSPOOL}' \
                        --without-permcheck \
                        --with-username=_mailman \
-                       --with-groupname=_mailman
-
-FLAVORS=       smtpd postfix sendmail
-FLAVOR?=       smtpd
-.if ${FLAVOR:Mpostfix}
-CONFIGURE_ARGS+=--with-mail-gid=_mailman
-.elif ${FLAVOR:Msendmail}
-CONFIGURE_ARGS+=--with-mail-gid=daemon
-.elif ${FLAVOR:Msmtpd}
-CONFIGURE_ARGS+=--with-mail-gid=_smtpd
-.else
-ERRORS+="Fatal: a flavor (smtpd, postfix, sendmail) must be specified"
-.endif
+                       --with-groupname=_mailman \
+                       --with-cgi-gid=_mailmanq \
+                       --with-mail-gid=_mailmanq
 
 SCRIPTS=       Mailman/Archiver/pipermail.py \
                Mailman/Post.py \
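Review bot: --with-cgi-gid and --with-mail-gid now both point at _mailmanq, so the rewritten check_caller() cannot tell the web server from the MTA: any member of that one group passes the check for both the CGI and the mail wrappers. If that separation is still wanted, use two groups, one per wrapper; if it is not, a short comment above CONFIGURE_ARGS would make the shared group read as intentional.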
Index: distinfo
===================================================================
RCS file: /cvs/ports/mail/mailman/distinfo,v
retrieving revision 1.23
diff -u -p -r1.23 distinfo
--- distinfo    9 Apr 2015 15:37:08 -0000       1.23
+++ distinfo    4 Apr 2016 19:07:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (mailman-2.1.20.tgz) = UiwrXFq5E5j9+UmolhFiwxT2MjzRv+uQfg+y2IJ3cR8=
-SIZE (mailman-2.1.20.tgz) = 9204867
+SHA256 (mailman-2.1.21.tgz) = /tM6GBVN6qToGiB5jIFEhe1LLl2LQs9tPVWGf/T3CEM=
+SIZE (mailman-2.1.21.tgz) = 9266286
Index: patches/patch-Mailman_Defaults_py_in
===================================================================
RCS file: /cvs/ports/mail/mailman/patches/patch-Mailman_Defaults_py_in,v
retrieving revision 1.13
diff -u -p -r1.13 patch-Mailman_Defaults_py_in
--- patches/patch-Mailman_Defaults_py_in        9 Apr 2015 15:37:08 -0000       
1.13
+++ patches/patch-Mailman_Defaults_py_in        4 Apr 2016 19:07:25 -0000
@@ -1,27 +1,12 @@
 $OpenBSD: patch-Mailman_Defaults_py_in,v 1.13 2015/04/09 15:37:08 okan Exp $
---- Mailman/Defaults.py.in.orig        Sat Feb 28 11:41:04 2015
-+++ Mailman/Defaults.py.in     Sun Mar 22 11:55:07 2015
-@@ -539,7 +539,22 @@ SMTPPORT = 0                                      # de
+--- Mailman/Defaults.py.in.orig        Sun Feb 28 15:47:44 2016
++++ Mailman/Defaults.py.in     Sun Mar 20 11:21:13 2016
+@@ -554,7 +554,7 @@ SMTPPORT = 0                                      # de
  
  # Command for direct command pipe delivery to sendmail compatible program,
  # when DELIVERY_MODULE is 'Sendmail'.
 -SENDMAIL_CMD = '/usr/lib/sendmail'
 +SENDMAIL_CMD = '/usr/sbin/sendmail'
-+
-+# Specify the type of passwords to use, when Mailman generates the passwords
-+# itself, as would be the case for membership requests where the user did not
-+# fill in a password, or during list creation, when auto-generation of admin
-+# passwords was selected.
-+#
-+# Set this value to Yes for classic Mailman user-friendly(er) passwords.
-+# These generate semi-pronounceable passwords which are easier to remember.
-+# Set this value to No to use more cryptographically secure, but harder to
-+# remember, passwords -- if your operating system and Python version support
-+# the necessary feature (specifically that /dev/urandom be available).
-+USER_FRIENDLY_PASSWORDS = Yes
-+
-+# This value specifies the default lengths of member passwords
-+MEMBER_PASSWORD_LENGTH = 8
  
  # Set these variables if you need to authenticate to your NNTP server for
  # Usenet posting or reading.  If no authentication is necessary, specify None
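Review bot: the removed USER_FRIENDLY_PASSWORDS = Yes and MEMBER_PASSWORD_LENGTH = 8 overrides control how generated member and admin passwords are produced, so dropping them is only safe if the 2.1.21 Defaults.py.in carries the same values. Please confirm that in the commit message, or keep the override, so an update does not silently change password generation.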
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure     9 Apr 2015 15:37:08 -0000       1.11
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,115 +0,0 @@
-$OpenBSD: patch-configure,v 1.11 2015/04/09 15:37:08 okan Exp $
---- configure.orig     Tue May  6 12:43:56 2014
-+++ configure  Sun Jan 11 10:37:11 2015
-@@ -3543,54 +3543,8 @@ USERNAME=$with_username
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USERNAME" >&5
- $as_echo "$USERNAME" >&6; }
- 
--# User `mailman' must exist
-+MAILMAN_USER=$with_username
- 
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for user name 
\"$USERNAME\"" >&5
--$as_echo_n "checking for user name \"$USERNAME\"... " >&6; }
--
--# MAILMAN_USER == variable name
--# $USERNAME == user id to check for
--
--
--if test -z "$MAILMAN_USER"
--then
--    cat > conftest.py <<EOF
--import pwd
--uid = ''
--for user in "$USERNAME".split():
--    try:
--        try:
--            uname = pwd.getpwuid(int(user))[0]
--            break
--        except ValueError:
--            uname = pwd.getpwnam(user)[0]
--            break
--    except KeyError:
--        uname = ''
--fp = open("conftest.out", "w")
--fp.write("%s\n" % uname)
--fp.close()
--EOF
--    $PYTHON conftest.py
--    MAILMAN_USER=`cat conftest.out`
--fi
--
--rm -f conftest.out conftest.py
--if test -z "$MAILMAN_USER"
--then
--  if test "$with_permcheck" = "yes"
--  then
--    as_fn_error $? "
--***** No \"$USERNAME\" user found!
--***** Your system must have a \"$USERNAME\" user defined
--***** (usually in your /etc/passwd file).  Please see the INSTALL
--***** file for details." "$LINENO" 5
--  fi
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5
--$as_echo "okay" >&6; }
--
--
- # Check for some other gid to use than `mailman'
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-groupname" >&5
- $as_echo_n "checking for --with-groupname... " >&6; }
-@@ -3609,54 +3563,7 @@ GROUPNAME=$with_groupname
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GROUPNAME" >&5
- $as_echo "$GROUPNAME" >&6; }
- 
--
--# Target group must exist
--
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for group name 
\"$GROUPNAME\"" >&5
--$as_echo_n "checking for group name \"$GROUPNAME\"... " >&6; }
--
--# MAILMAN_GROUP == variable name
--# $GROUPNAME == user id to check for
--
--
--if test -z "$MAILMAN_GROUP"
--then
--    cat > conftest.py <<EOF
--import grp
--gid = ''
--for group in "$GROUPNAME".split():
--    try:
--        try:
--            gname = grp.getgrgid(int(group))[0]
--            break
--        except ValueError:
--            gname = grp.getgrnam(group)[0]
--            break
--    except KeyError:
--        gname = ''
--fp = open("conftest.out", "w")
--fp.write("%s\n" % gname)
--fp.close()
--EOF
--    $PYTHON conftest.py
--    MAILMAN_GROUP=`cat conftest.out`
--fi
--
--rm -f conftest.out conftest.py
--if test -z "$MAILMAN_GROUP"
--then
--  if test "$with_permcheck" = "yes"
--  then
--    as_fn_error $? "
--***** No \"$GROUPNAME\" group found!
--***** Your system must have a \"$GROUPNAME\" group defined
--***** (usually in your /etc/group file).  Please see the INSTALL
--***** file for details." "$LINENO" 5
--  fi
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5
--$as_echo "okay" >&6; }
--
-+MAILMAN_GROUP=$with_groupname
- 
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking permissions on 
$prefixcheck" >&5
- $as_echo_n "checking permissions on $prefixcheck... " >&6; }
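Review bot: with this patch deleted, MAILMAN_USER and MAILMAN_GROUP are no longer forced to $with_username and $with_groupname; upstream configure fills them from the pwd/grp lookups in conftest.py, and the `test "$with_permcheck" = "yes"` guard only skips the as_fn_error, not the lookup. On a build host where _mailman does not exist yet, the KeyError branch leaves both values empty. Please confirm that nothing generated by configure consumes these two variables, or that the user and group are always present at build time.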
Index: patches/patch-src_common_c
===================================================================
RCS file: patches/patch-src_common_c
diff -N patches/patch-src_common_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_c  4 Apr 2016 19:07:25 -0000
@@ -0,0 +1,78 @@
+$OpenBSD$
+--- src/common.c.orig  Sun Feb 28 15:47:44 2016
++++ src/common.c       Sun Mar 20 16:22:35 2016
+@@ -119,45 +119,39 @@ fatal(const char* ident, int exitcode, char* format, .
+ void
+ check_caller(const char* ident, const char* parentgroup)
+ {
+-        GID_T mygid = getgid();
+-        struct group *mygroup = getgrgid(mygid);
+-        char* option;
+-        char* server;
++      struct passwd *pw;
++      struct group *gr;
++      char **g;
++      int ok = 0;
+         char* wrapper;
+ 
+-        if (running_as_cgi) {
+-                option = "--with-cgi-gid";
+-                server = "web";
+-                wrapper = "CGI";
+-        }
+-        else {
+-                option = "--with-mail-gid";
+-                server = "mail";
+-                wrapper = "mail";
+-        }
++      pw = getpwuid(getuid());
++      if (pw == NULL)
++              fatal(ident, USER_NAME_NOT_FOUND,
++                    "Failure to find username");
+ 
+-        if (!mygroup)
+-                fatal(ident, GROUP_NAME_NOT_FOUND,
+-                      "Failure to find group name for GID %d.  Mailman\n"
+-                      "expected the %s wrapper to be executed as group\n"
+-                      "\"%s\", but the system's %s server executed the\n"
+-                      "wrapper as GID %d for which the name could not be\n"
+-                      "found.  Try adding GID %d to your system as \"%s\",\n"
+-                      "or tweak your %s server to run the wrapper as group\n"
+-                      "\"%s\".",
+-                      mygid, wrapper, parentgroup, server, mygid, mygid,
+-                      parentgroup, server, parentgroup);
++      gr = getgrnam(parentgroup);
++      if (gr == NULL)
++              fatal(ident, GROUP_NAME_NOT_FOUND,
++                    "Failure to find \"%s\" group", parentgroup);
+ 
+-        if (strcmp(parentgroup, mygroup->gr_name))
+-                fatal(ident, GROUP_MISMATCH,
+-                      "Group mismatch error.  Mailman expected the %s\n"
+-                      "wrapper script to be executed as group \"%s\", but\n"
+-                      "the system's %s server executed the %s script as\n"
+-                      "group \"%s\".  Try tweaking the %s server to run the\n"
+-                      "script as group \"%s\", or re-run configure, \n"
+-                      "providing the command line option `%s=%s'.",
+-                      wrapper, parentgroup, server, wrapper, mygroup->gr_name,
+-                      server, parentgroup, option, mygroup->gr_name);
++      for (g = gr->gr_mem; *g; g++) {
++              if (strcmp(pw->pw_name, *g) == 0) {
++                      ok = 1;
++                      break;
++              }
++      }
++
++      if (running_as_cgi)
++              wrapper = "CGI";
++      else
++              wrapper = "mail";
++
++      if (ok == 0)
++              fatal(ident, GROUP_MISMATCH,
++                    "Group mismatch error.  Mailman expected the %s\n"
++                    "wrapper script to be executed by a member of\n"
++                    "\"%s\" group.", wrapper, parentgroup);
+ }
+ 
+ 
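Review bot: the membership loop in check_caller() walks only gr->gr_mem, which holds the members listed in the group entry, so a caller whose primary group is parentgroup (pw->pw_gid equal to gr->gr_gid) is not found and gets GROUP_MISMATCH. Accept that case too, for example by setting ok when pw->pw_gid == gr->gr_gid before the loop. The check also goes through the name returned by getpwuid(getuid()), so it reflects the group database entry for the real uid and not the gid or supplementary groups the process is actually running with; a comment stating that this is intended would help. The new fatal() messages no longer say who the caller was; including pw->pw_name in the GROUP_MISMATCH text would make the log entry actionable.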
Index: patches/patch-src_common_h
===================================================================
RCS file: patches/patch-src_common_h
diff -N patches/patch-src_common_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_h  4 Apr 2016 19:07:25 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+--- src/common.h.orig  Sun Mar 20 13:48:18 2016
++++ src/common.h       Sun Mar 20 13:53:00 2016
+@@ -27,6 +27,7 @@
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <grp.h>
++#include <pwd.h>
+ #include <unistd.h>
+ 
+ /* GETGROUPS_T gets set in the makefile by configure */
+@@ -52,6 +53,7 @@ extern const char* logident;
+ #define MAIL_ILLEGAL_COMMAND 6
+ #define ADDALIAS_USAGE_ERROR 7
+ #define GROUP_NAME_NOT_FOUND 8
++#define USER_NAME_NOT_FOUND 9
+ 
+ 
+ /*
Index: pkg/DESCR
===================================================================
RCS file: /cvs/ports/mail/mailman/pkg/DESCR,v
retrieving revision 1.3
diff -u -p -r1.3 DESCR
--- pkg/DESCR   22 Nov 2014 22:56:42 -0000      1.3
+++ pkg/DESCR   4 Apr 2016 19:07:25 -0000
@@ -30,8 +30,3 @@ mailing list manager, and more:
 - An extensible mail delivery pipeline.
 
 - Support for virtual domains.
-
-Flavors:
-    The default flavor makes the mailwrapper run in group _smtpd, for smtpd
-    postfix - makes the mailwrapper run in group _mailman, for  postfix
-    sendmail - makes the mailwrapper run in group daemon, for sendmail
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/mail/mailman/pkg/PLIST,v
retrieving revision 1.25
diff -u -p -r1.25 PLIST
--- pkg/PLIST   9 Apr 2015 15:37:08 -0000       1.25
+++ pkg/PLIST   4 Apr 2016 19:07:25 -0000
@@ -1,6 +1,10 @@
 @comment $OpenBSD: PLIST,v 1.25 2015/04/09 15:37:08 okan Exp $
+@pkgpath mail/mailman,postfix
+@pkgpath mail/mailman,sendmail
+@pkgpath mail/mailman,smtpd
 @newgroup _mailman:504
 @newuser _mailman:504:_mailman:daemon:Mailing List 
Manager:${PREFIX}/lib/mailman:/sbin/nologin
+@newgroup _mailmanq:768
 @extraunexec rm -fr /var/spool/mailman/*
 @owner _mailman
 @group _mailman
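Review bot: the three @pkgpath lines route existing postfix, sendmail and smtpd flavor installs onto this package, and @newgroup _mailmanq:768 creates the group with no members, so after an update both wrappers will fail the new group check until the admin adds the MTA and web server users by hand. The README change documents the step, but someone updating an existing install will not necessarily reread it; please add an upgrade note telling people to add those users to _mailmanq.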
@@ -902,6 +906,7 @@ lib/mailman/templates/da/verify.txt
 @mode 775
 lib/mailman/templates/de/
 @mode
+lib/mailman/templates/de/adminaddrchgack.txt
 lib/mailman/templates/de/admindbdetails.html
 lib/mailman/templates/de/admindbpreamble.html
 lib/mailman/templates/de/admindbsummary.html
@@ -1794,9 +1799,6 @@ lib/mailman/templates/no/verify.txt
 @mode 775
 lib/mailman/templates/pl/
 @mode
-lib/mailman/templates/pl/admindbdetails.html
-lib/mailman/templates/pl/admindbpreamble.html
-lib/mailman/templates/pl/admindbsummary.html
 lib/mailman/templates/pl/adminsubscribeack.txt
 lib/mailman/templates/pl/adminunsubscribeack.txt
 lib/mailman/templates/pl/admlogin.html
@@ -1812,11 +1814,9 @@ lib/mailman/templates/pl/archtocnombox.h
 lib/mailman/templates/pl/article.html
 lib/mailman/templates/pl/bounce.txt
 lib/mailman/templates/pl/checkdbs.txt
-lib/mailman/templates/pl/convert.txt
 lib/mailman/templates/pl/cronpass.txt
 lib/mailman/templates/pl/disabled.txt
 lib/mailman/templates/pl/emptyarchive.html
-lib/mailman/templates/pl/headfoot.html
 lib/mailman/templates/pl/help.txt
 lib/mailman/templates/pl/invite.txt
 lib/mailman/templates/pl/listinfo.html
Index: pkg/README
===================================================================
RCS file: /cvs/ports/mail/mailman/pkg/README,v
retrieving revision 1.4
diff -u -p -r1.4 README
--- pkg/README  19 Mar 2016 10:29:03 -0000      1.4
+++ pkg/README  4 Apr 2016 19:07:25 -0000
@@ -11,6 +11,8 @@ OpenBSD specific comments added. It's a 
 
 1) Final Steps for Installation
 
+- Add your MTA and web server user to the _mailmanq group.
+
 - Configure your web server to give $mailmandir/cgi-bin permission to
   run CGI scripts by adding
 
@@ -175,13 +177,10 @@ system and version of Python.
              more information.
 
 
-   Problem:  The mail wrapper programs are logging complaints about the
-             wrong GID.
+   Problem:  The cgi and mail wrapper programs are logging complaints
+             about group mismatch.
 
-   Solution: The mail wrappers have a compiled-in GID check. Packages are
-             available for postfix/smtpd/sendmail, pkg_add will ask you which
-             to use. If you change MTA, uninstall the mailman package and
-             pkg_add a new one.
+   Solution: Add your MTA and web server user to the _mailmanq group.
 
 
    Problem:  I send mail to the list, and get back mail saying,
