Thanks for the suggestion. I don't run a grsec hardened kernel, but I tried 
your idea anyways. Same result. Also got an error message. From the looks of 
everything, it seems that exim is just not respecting the user/group I tell it 
to run mailman as. My configs all _look_ right. All UID/GID match up. The 
baffling part is, like I said before, these are BOTH the same versions that 
WERE running fine together for months. *sigh* It's silly that mailman just 
doesn't run like any other program. I don't know why they have to do this 
UID/GID thing. UGH!

daevid mailman # /usr/local/mailman/bin/check_perms -f
No problems found
daevid mailman # /usr/local/mailman/bin/check_perms_grsecurity.py -f
Making select directories owned and writable by root only
/usr/local/mailman/mail
/usr/local/mailman/cgi-bin
/usr/local/mailman/bin

Making/usr/local/mailman/data/last_mailman_versionowned by mailman (not root)

Creating /usr/local/mailman/bin/CheckFixUid.py

Making cgis setuid mailman
/usr/local/mailman/cgi-bin/admindb
/usr/local/mailman/cgi-bin/admin
/usr/local/mailman/cgi-bin/confirm
/usr/local/mailman/cgi-bin/create
/usr/local/mailman/cgi-bin/edithtml
/usr/local/mailman/cgi-bin/listinfo
/usr/local/mailman/cgi-bin/options
/usr/local/mailman/cgi-bin/private
/usr/local/mailman/cgi-bin/rmlist
/usr/local/mailman/cgi-bin/roster
/usr/local/mailman/cgi-bin/subscribe

Making mail wrapper setuid mailman
/usr/local/mailman/mail/mailman

Ensuring that all config.db/pck files are owned by Mailman

Patching mailman scripts to change the uid to mailman
Traceback (most recent call last):
  File "/usr/local/mailman/bin/check_perms_grsecurity.py", line 181, in ?
    main(sys.argv)
  File "/usr/local/mailman/bin/check_perms_grsecurity.py", line 147, in main
    filefd = open(script, "r")
IOError: [Errno 2] No such file or directory: 'add_members' 

> -----Original Message-----
> From: Bertrand CHERRIER [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 15, 2005 6:48 PM
> To: Daevid Vincent
> Subject: Re: [exim] Mailman stopped working
> 
> I had the same problem, I'm using a grsec hardened kernel, to get it 
> work again I had to run
> /usr/local/mailman/bin/check_perms -f
> /usr/local/mailman/bin/check_perms_grsecurity.py -f
> 
> and then everything went back to normal
> 
> hope this helps.
> 
> Daevid Vincent wrote:
> 
> >[I posted this earlier at 1:53pm, but I didn't see it come 
> through the
> >list yet at 6:35pm]
> >
> >Mailman and Exim were working fine on my Gentoo box. Then around Sept
> >7th, mailman stopped working. I checked and saw that there was a new
> >emerge (however, it is the same exact version, so maybe it 
> was part of a
> >revdep-rebuild or something). 
> >
> >[ebuild   R   ] mail-mta/exim-4.50-r1  +X -dnsdb -exiscan 
> -exiscan-acl
> >+ipv6
> >-ldap -lmtp -mailwrapper -mbox +mysql -nis +pam +perl -postgres -sasl
> >+ssl
> >-syslog +tcpd 1,401 kB 
> >[ebuild   R   ] net-mail/mailman-2.1.5-r4  +apache2 5,611 kB 
> >
> >Anyways, this is what I get in my mail logs:
> >
> >Sep 15 13:31:17 [Mailman mail-wrapper] Group mismatch error.  Mailman
> >expected the mail_wrapper script to be executed as group "mailman",
> >but_the system's mail server executed the mail script 
> as_group "mail".
> >Try tweaking the mail server to run the_script as group "mailman", or
> >re-run configure, _providing the command line option
> >`--with-mail-gid=mail'._
> >
> >I've been posting to the mailman lists and the gentoo lists, 
> and nobody
> >seems to know what's wrong and everyone points fingers, so 
> I'm now at my
> >last resort thinking that maybe it is exim (which hasn't been updated
> >for several months, so I don't know why it would be, but the error
> >message is suspicious)
> >
> >APACHEGID="81"
> >MAILGID="280"
> >
> >src_compile() {
> >        econf \
> >                --prefix=${INSTALLDIR} \
> >                --with-mail-gid=${MAILGID} \
> >                --with-cgi-gid=${APACHEGID} \
> >        || die "configure failed"
> >
> >        make || die "make failed"
> >}  
> >
> ># ll /etc/exim/exim.conf
> >-rw-r--r--  1 root root 29452 Apr 29 13:54 /etc/exim/exim.conf
> >
> >  # User and group for Mailman, should match your --with-mail-gid
> >  # switch to Mailman's configure script.
> >  # Value is normally "mailman"
> >  MM_UID=mailman
> >  MM_GID=mailman
> >
> >So, these match what the comment says there, and what the .ebuild is
> >doing.
> >
> >daevid portage-logs # /usr/local/mailman/bin/check_perms -f
> >No problems found
> >
> >  
> >
> >>>daevid ~ # which exim
> >>>/usr/sbin/exim
> >>>
> >>>daevid ~ # ll /usr/sbin/exim
> >>>-rws--x--x  1 root root 830012 Jul  7 00:57 /usr/sbin/exim
> >>>      
> >>>
> >>I doubt it can just be mailman. 
> >>    
> >>
> >
> >Well, exim hasn't changed since that date above, and the 
> config hasn't
> >changed for even longer, so I believe it *is* mailman and not exim:
> >
> ># ll
> >total 80
> >drwxr-xr-x   2 root root  4096 Jun 26 12:45 .
> >drwxr-xr-x  77 root root  4096 Sep 13 03:14 ..
> >-rw-r--r--   1 root root   775 Jul  7 00:57 auth_conf.sub
> >-rw-r--r--   1 root root 29452 Apr 29 13:54 exim.conf
> >-rw-r--r--   1 root root 25931 Jul  7 00:57 exim.conf.dist
> >-rw-r--r--   1 root root  8120 Jul  7 00:57 system_filter.exim
> >
> >  
> >
> >>>>Has Exim lost its setuid bit (and/or its root ownership) in 
> >>>>the upgrade?
> >>>>        
> >>>>
> >>>Thanks for the suggestion John, but the perms look correct. 
> >>>      
> >>>
> >>Also, other
> >>    
> >>
> >>>email works fine (incoming/outgoing). It's only mailman...
> >>>
> >>>daevid ~ # which exim
> >>>/usr/sbin/exim
> >>>
> >>>daevid ~ # ll /usr/sbin/exim
> >>>-rws--x--x  1 root root 830012 Jul  7 00:57 /usr/sbin/exim
> >>>      
> >>>
> >>I doubt it can just be mailman. It's failing in the mail 
> wrapper which
> >>calls getgid() to get the group it's being executed as. 
> >>Mailman is simply
> >>reporting the facts, which is it is not being executed as 
> the group it
> >>was intended to be executed as. In your configuration it is 
> >>exim that is
> >>executing mailman wrapper, thus it is exim that needs looking 
> >>at. Also,
> >>please note the error concerns group id not the user id. The error
> >>reported says exim executed the mail wrapper as the group 
> >>"mail" when it
> >>expected it to be group "mailman". This means exim invoked 
> the wrapper
> >>in the "mail" group. Sorry, I'm not an exim user so I can't 
> >>tell you the
> >>particulars of exim, but I suspect there is an option when 
> >>executing the
> >>mailman wrapper to elect the group in addition to the user (it's the
> >>group that's important). 
> >>
> >>Also, it's not the setuid or setgid bit of exim that's 
> relevant in this
> >>case, that says when that exim executable is run, ignore who 
> >>is invoking
> >>me and run as this user or group instead. Which for exim 
> when invoking
> >>mailman on your behalf is not relevant (and may not even be 
> >>desirable),
> >>what is relevant is that when exim invokes the mailman 
> >>wrapper it calls
> >>setgid("mailman") (I'm playing a little loose and fast 
> here, but that's
> >>the idea in a nutshell). This probably only happens via an exim
> >>configuration parameter tied to mailman invocation.
> >>    
> >>
> >
> >  
> >
> >>The wrapper also complains that it is not being executed as group
> >>'mailman', but rather as group 'mail'. This is the confusing part
> >>because it seems from the above that you are telling Exim to invoke
> >>the wrapper as group 'mailman' yet the wrapper is telling you it is
> >>being invoked as group 'mail'. I would look carefully at the Exim
> >>configuration to be sure that
> >>
> >>  MM_UID=mailman
> >>  MM_GID=mailman
> >>
> >>are in the right place and are not being overridden somewhere else.
> >>    
> >>
> >
> >Below are portions of my /etc/exim/exim.conf. I deleted out any
> >irrelevant
> >parts, but I kept everything in the right order... I believe 
> it's pretty
> >much stock. (I don't know much about exim).
> >
> >  
> >
> >># cat /etc/exim/exim.conf
> >>    
> >>
> >
> >#############################################################
> #########
> >#                  Runtime configuration file for Exim       
>         #
> >#############################################################
> #########
> >
> >
> >#
> ># copied from http://www.exim.org/howto/mailman21.html#exconf
> >#
> >  # Home dir for your Mailman installation -- aka Mailman's prefix
> >directory.
> >  # By default this is set to "/usr/local/mailman"
> >  # On a Red Hat/Fedora system using the RPM use "/var/mailman"
> >  # On Debian using the deb package use "/var/lib/mailman"
> >  # This is normally the same as ~mailman
> >  MM_HOME=/usr/local/mailman
> >  #
> >  # User and group for Mailman, should match your --with-mail-gid
> >  # switch to Mailman's configure script.
> >  # Value is normally "mailman"
> >  MM_UID=mailman
> >  MM_GID=mailman
> >  #
> >  # Domains that your lists are in - colon separated list
> >  # you may wish to add these into local_domains as well
> >  domainlist
> >mm_domains=daevid.com:rollinballzcrew.com:me-racing.com:marq.org
> >  #
> >  # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >  #
> >  # These values are derived from the ones above and should not need
> >  # editing unless you have munged your mailman installation
> >  #
> >  # The path of the Mailman mail wrapper script
> >  MM_WRAP=MM_HOME/mail/mailman
> >  #
> >  # The path of the list config file (used as a required file when
> >  # verifying list addresses)
> >  MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck
> >
> >
> >#############################################################
> #########
> >#                    MAIN CONFIGURATION SETTINGS             
>         #
> >#############################################################
> #########
> >
> >exim_user = mail
> >
> >#############################################################
> #########
> >#                      ROUTERS CONFIGURATION                 
>         #
> >#               Specifies how addresses are handled          
>         #
> >#############################################################
> #########
> >#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS 
> IMPORTANT!       #
> ># An address is passed to each router in turn until it is 
> accepted.  #
> >#############################################################
> #########
> >
> >mailman_router:
> >    driver = accept
> >    domains = +mm_domains
> >    require_files = MM_LISTCHK
> >    local_part_suffix_optional
> >    local_part_suffix = -admin : \
> >        -bounces   : -bounces+* : \
> >        -confirm   : -confirm+* : \
> >        -join      : -leave : \
> >        -owner     : -request : \
> >        -subscribe : -unsubscribe
> >    transport = mailman_transport
> >
> >procmail:
> >  debug_print = "R: procmail for [EMAIL PROTECTED]"
> >  driver = accept
> >  check_local_user
> >  transport = procmail_pipe
> >  require_files = 
> ${local_part}:${home}/.procmailrc:+/usr/bin/procmail
> >  no_verify
> >  no_expn
> >
> >userforward:
> >  driver = redirect
> >  check_local_user
> ># local_part_suffix = +* : -*
> ># local_part_suffix_optional
> >  file = $home/.forward
> ># allow_filter
> >  no_verify
> >  no_expn
> >  check_ancestor
> >  file_transport = address_file
> >  pipe_transport = address_pipe
> >  reply_transport = address_reply
> >
> >localuser:
> >  driver = accept
> >  check_local_user
> ># local_part_suffix = +* : -*
> ># local_part_suffix_optional
> >  transport = local_delivery
> >  cannot_route_message = Unknown user
> >
> >
> >#############################################################
> #########
> >#                      TRANSPORTS CONFIGURATION              
>         #
> >#############################################################
> #########
> >#                       ORDER DOES NOT MATTER                
>         #
> >#     Only one appropriate transport is called for each 
> delivery.    #
> >#############################################################
> #########
> >
> >mailman_transport:
> >    driver = pipe
> >    command = MM_WRAP \
> >              '${if def:local_part_suffix \
> >                    
> {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
> >                    {post}}' \
> >              $local_part
> >    current_directory = MM_HOME
> >    home_directory = MM_HOME
> >    user = MM_UID
> >    group = MM_GID
> >
> ># End of Exim configuration file
> >
> >  
> >
> 
> -- 
> Bertrand CHERRIER
> [EMAIL PROTECTED]
> 
> MICRO LOGIC SYSTEMS
> http://www.mls.nc
> Computer network sales & maintenance
> Provider of Internet Sensations
> Customer service at 36.67.76 (58Frs/min)
> 
> 

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
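
Added example (not part of the original thread, and not Mailman's own source): a simplified C model of the check the thread describes, where the wrapper compares getgid() with the group it was built to expect. The function name, return codes and the default group "mailman" are assumptions made for illustration.

```c
/* Simplified model of the wrapper's group check (illustration only). */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum gid_check { GID_OK = 0, GID_MISMATCH = 1, GID_UNKNOWN_GROUP = 2 };

/* Compare the GID the process was started with against the group name the
 * wrapper was built to expect; msg receives a log-style explanation. */
enum gid_check check_caller_group(gid_t running, const char *expected,
                                  char *msg, size_t msglen)
{
    struct group *gr = getgrnam(expected);
    if (gr == NULL) {
        snprintf(msg, msglen, "expected group \"%s\" does not exist", expected);
        return GID_UNKNOWN_GROUP;
    }
    gid_t want = gr->gr_gid;  /* copy now: later getgr* calls reuse the buffer */

    if (running == want) {
        snprintf(msg, msglen, "ok: executed as group \"%s\" (gid %ld)",
                 expected, (long)want);
        return GID_OK;
    }
    /* Resolve the actual GID to a name for the message, if it has one. */
    struct group *have = getgrgid(running);
    snprintf(msg, msglen,
             "Group mismatch: expected group \"%s\" (gid %ld), "
             "but was executed as group \"%s\" (gid %ld)",
             expected, (long)want, have ? have->gr_name : "?", (long)running);
    return GID_MISMATCH;
}

int main(int argc, char **argv)
{
    /* Assumed default name; pass the group your wrapper was built for. */
    const char *expected = argc > 1 ? argv[1] : "mailman";
    char msg[256];
    /* getgid() returns the real GID inherited from the parent process (here,
     * the MTA), so the parent has to switch group before it executes the
     * wrapper; permission bits on the parent's own binary do not do that. */
    enum gid_check rc = check_caller_group(getgid(), expected, msg, sizeof msg);
    fprintf(stderr, "%s\n", msg);
    return rc;
}
```

Run from a shell it reports the invoking user's primary group; run from a pipe transport it reports the group the MTA actually handed to the child.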
