On Mon 2016.04.04 at 15:22 -0400, Okan Demirmen wrote:
> On Wed 2016.03.23 at 13:27 +0000, Stuart Henderson wrote:
> > On 2016/03/23 08:48, Okan Demirmen wrote:
> > > I believe the cgi/mail wrapper check could actually look at the defined
> > > group membership instead.
> > 
> > Oh this is a much better approach. I was considering rewriting the check
> > to allow any one of a hardcoded list, but that's a much better idea.
> > 
> > I'm not using mailman myself but think this is a good way to do it.
> 
> dlg's comment was to use another group, _mailmanq; with that, here's an
> updated diff to go in the cgi/mail wrapper rewrite direction with a new
> group (of course mail/Makefile to be updated as well).
> 
> Summary:
> - update to 2.1.21
> - remove configure patch: hasn't been required since introducing 
>   --without-permcheck in configure
> - some of Defaults.py are now upstream defaults.
> - rewrite cgi/mail wrapper (check_caller()) to check calling uid 
>   against --with-cgi-gid/--with-mail-gid defined group.
> - no longer requires a FLAVOR for each mail/web server.
> 
> Thanks,
> Okan

Perhaps not many (any?) mailman users but myself and dlg@... maybe
another porter's point of view for sanity's sake :) Otherwise, I'll
move ahead.

Thanks!
Okan

> Index: user.list
> ===================================================================
> RCS file: /cvs/ports/infrastructure/db/user.list,v
> retrieving revision 1.264
> diff -u -p -r1.264 user.list
> --- user.list 4 Apr 2016 12:05:37 -0000       1.264
> +++ user.list 4 Apr 2016 19:07:36 -0000
> @@ -276,3 +276,4 @@ id  user          group           port options
>  765 _hedgewars               _hedgewars      games/hedgewars
>  766 _kibana          _kibana         www/kibana
>  767 _squeezelite     _squeezelite    audio/squeezelite
> +768                  _mailmanq       mail/mailman
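Review bot: the user column of the new row is intentionally blank, so id 768 is reserved as a gid only; that matches `@newgroup _mailmanq:768` in pkg/PLIST later in this diff, but nothing else in the diff touches the "mail/Makefile to be updated as well" item mentioned in the cover text, so that change should land together with this reservation rather than separately.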
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/mail/mailman/Makefile,v
> retrieving revision 1.83
> diff -u -p -r1.83 Makefile
> --- Makefile  19 Mar 2016 10:31:44 -0000      1.83
> +++ Makefile  4 Apr 2016 19:07:25 -0000
> @@ -2,8 +2,7 @@
>  
>  COMMENT=     mailing list manager with web interface
>  
> -DISTNAME=    mailman-2.1.20
> -REVISION=    0
> +DISTNAME=    mailman-2.1.21
>  CATEGORIES=  mail www
>  
>  HOMEPAGE=    https://www.gnu.org/software/mailman/
> @@ -32,8 +31,6 @@ FAKE_FLAGS=         DIRSETGID=":"
>  
>  # gnu still breaks the paths as prefix is actually mailman's home
>  CONFIGURE_STYLE=     simple
> -# do not use --without-permcheck as this requires the mailman user and group
> -# to exist, otherwise there will be problems running mailman
>  CONFIGURE_ARGS+=     --prefix='${MMHOME}' \
>                       --with-mailhost=localhost.my.domain \
>                       --with-python=${MODPY_BIN} \
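Review bot: the removed two-line comment contradicts the `--without-permcheck` argument that is already passed a few lines further down, so dropping it is right. A one-line replacement saying why `--without-permcheck` is needed (neither the `_mailman` user/group nor the `_mailmanq` group has to exist on the build host) would preserve the intent, since the configure patch being deleted below was the only other record of that reasoning.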
> @@ -41,19 +38,9 @@ CONFIGURE_ARGS+=   --prefix='${MMHOME}' \
>                       --with-var-prefix='${MMSPOOL}' \
>                       --without-permcheck \
>                       --with-username=_mailman \
> -                     --with-groupname=_mailman
> -
> -FLAVORS=     smtpd postfix sendmail
> -FLAVOR?=     smtpd
> -.if ${FLAVOR:Mpostfix}
> -CONFIGURE_ARGS+=--with-mail-gid=_mailman
> -.elif ${FLAVOR:Msendmail}
> -CONFIGURE_ARGS+=--with-mail-gid=daemon
> -.elif ${FLAVOR:Msmtpd}
> -CONFIGURE_ARGS+=--with-mail-gid=_smtpd
> -.else
> -ERRORS+="Fatal: a flavor (smtpd, postfix, sendmail) must be specified"
> -.endif
> +                     --with-groupname=_mailman \
> +                     --with-cgi-gid=_mailmanq \
> +                     --with-mail-gid=_mailmanq
>  
>  SCRIPTS=     Mailman/Archiver/pipermail.py \
>               Mailman/Post.py \
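Review bot: pointing both `--with-cgi-gid=_mailmanq` and `--with-mail-gid=_mailmanq` at a single group removes the separation the flavors used to provide: previously the CGI wrapper was tied to the web server's group and the mail wrapper to the MTA's group (`_smtpd`, `_mailman` or `daemon`), whereas now any account added to `_mailmanq` for web access can also invoke the mail wrapper, and vice versa. If that is acceptable for the port, say so in pkg/README; if not, a second group for the CGI side would keep the old boundary at the cost of one more `@newgroup`.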
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/mail/mailman/distinfo,v
> retrieving revision 1.23
> diff -u -p -r1.23 distinfo
> --- distinfo  9 Apr 2015 15:37:08 -0000       1.23
> +++ distinfo  4 Apr 2016 19:07:25 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (mailman-2.1.20.tgz) = UiwrXFq5E5j9+UmolhFiwxT2MjzRv+uQfg+y2IJ3cR8=
> -SIZE (mailman-2.1.20.tgz) = 9204867
> +SHA256 (mailman-2.1.21.tgz) = /tM6GBVN6qToGiB5jIFEhe1LLl2LQs9tPVWGf/T3CEM=
> +SIZE (mailman-2.1.21.tgz) = 9266286
> Index: patches/patch-Mailman_Defaults_py_in
> ===================================================================
> RCS file: /cvs/ports/mail/mailman/patches/patch-Mailman_Defaults_py_in,v
> retrieving revision 1.13
> diff -u -p -r1.13 patch-Mailman_Defaults_py_in
> --- patches/patch-Mailman_Defaults_py_in      9 Apr 2015 15:37:08 -0000       
> 1.13
> +++ patches/patch-Mailman_Defaults_py_in      4 Apr 2016 19:07:25 -0000
> @@ -1,27 +1,12 @@
>  $OpenBSD: patch-Mailman_Defaults_py_in,v 1.13 2015/04/09 15:37:08 okan Exp $
> ---- Mailman/Defaults.py.in.orig      Sat Feb 28 11:41:04 2015
> -+++ Mailman/Defaults.py.in   Sun Mar 22 11:55:07 2015
> -@@ -539,7 +539,22 @@ SMTPPORT = 0                                      # de
> +--- Mailman/Defaults.py.in.orig      Sun Feb 28 15:47:44 2016
> ++++ Mailman/Defaults.py.in   Sun Mar 20 11:21:13 2016
> +@@ -554,7 +554,7 @@ SMTPPORT = 0                                      # de
>   
>   # Command for direct command pipe delivery to sendmail compatible program,
>   # when DELIVERY_MODULE is 'Sendmail'.
>  -SENDMAIL_CMD = '/usr/lib/sendmail'
>  +SENDMAIL_CMD = '/usr/sbin/sendmail'
> -+
> -+# Specify the type of passwords to use, when Mailman generates the passwords
> -+# itself, as would be the case for membership requests where the user did 
> not
> -+# fill in a password, or during list creation, when auto-generation of admin
> -+# passwords was selected.
> -+#
> -+# Set this value to Yes for classic Mailman user-friendly(er) passwords.
> -+# These generate semi-pronounceable passwords which are easier to remember.
> -+# Set this value to No to use more cryptographically secure, but harder to
> -+# remember, passwords -- if your operating system and Python version support
> -+# the necessary feature (specifically that /dev/urandom be available).
> -+USER_FRIENDLY_PASSWORDS = Yes
> -+
> -+# This value specifies the default lengths of member passwords
> -+MEMBER_PASSWORD_LENGTH = 8
>   
>   # Set these variables if you need to authenticate to your NNTP server for
>   # Usenet posting or reading.  If no authentication is necessary, specify 
> None
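Review bot: this drops the port's local `USER_FRIENDLY_PASSWORDS = Yes` and `MEMBER_PASSWORD_LENGTH = 8` additions on the grounds that upstream now ships them ("some of Defaults.py are now upstream defaults" in the summary). Please confirm the 2.1.21 `Defaults.py.in` carries exactly those values, because if the upstream defaults differ, the character and length of auto-generated member passwords change silently on upgrade without any port-side note.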
> Index: patches/patch-configure
> ===================================================================
> RCS file: patches/patch-configure
> diff -N patches/patch-configure
> --- patches/patch-configure   9 Apr 2015 15:37:08 -0000       1.11
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,115 +0,0 @@
> -$OpenBSD: patch-configure,v 1.11 2015/04/09 15:37:08 okan Exp $
> ---- configure.orig   Tue May  6 12:43:56 2014
> -+++ configure        Sun Jan 11 10:37:11 2015
> -@@ -3543,54 +3543,8 @@ USERNAME=$with_username
> - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USERNAME" >&5
> - $as_echo "$USERNAME" >&6; }
> - 
> --# User `mailman' must exist
> -+MAILMAN_USER=$with_username
> - 
> --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for user name 
> \"$USERNAME\"" >&5
> --$as_echo_n "checking for user name \"$USERNAME\"... " >&6; }
> --
> --# MAILMAN_USER == variable name
> --# $USERNAME == user id to check for
> --
> --
> --if test -z "$MAILMAN_USER"
> --then
> --    cat > conftest.py <<EOF
> --import pwd
> --uid = ''
> --for user in "$USERNAME".split():
> --    try:
> --        try:
> --            uname = pwd.getpwuid(int(user))[0]
> --            break
> --        except ValueError:
> --            uname = pwd.getpwnam(user)[0]
> --            break
> --    except KeyError:
> --        uname = ''
> --fp = open("conftest.out", "w")
> --fp.write("%s\n" % uname)
> --fp.close()
> --EOF
> --    $PYTHON conftest.py
> --    MAILMAN_USER=`cat conftest.out`
> --fi
> --
> --rm -f conftest.out conftest.py
> --if test -z "$MAILMAN_USER"
> --then
> --  if test "$with_permcheck" = "yes"
> --  then
> --    as_fn_error $? "
> --***** No \"$USERNAME\" user found!
> --***** Your system must have a \"$USERNAME\" user defined
> --***** (usually in your /etc/passwd file).  Please see the INSTALL
> --***** file for details." "$LINENO" 5
> --  fi
> --fi
> --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5
> --$as_echo "okay" >&6; }
> --
> --
> - # Check for some other gid to use than `mailman'
> - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-groupname" >&5
> - $as_echo_n "checking for --with-groupname... " >&6; }
> -@@ -3609,54 +3563,7 @@ GROUPNAME=$with_groupname
> - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GROUPNAME" >&5
> - $as_echo "$GROUPNAME" >&6; }
> - 
> --
> --# Target group must exist
> --
> --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for group name 
> \"$GROUPNAME\"" >&5
> --$as_echo_n "checking for group name \"$GROUPNAME\"... " >&6; }
> --
> --# MAILMAN_GROUP == variable name
> --# $GROUPNAME == user id to check for
> --
> --
> --if test -z "$MAILMAN_GROUP"
> --then
> --    cat > conftest.py <<EOF
> --import grp
> --gid = ''
> --for group in "$GROUPNAME".split():
> --    try:
> --        try:
> --            gname = grp.getgrgid(int(group))[0]
> --            break
> --        except ValueError:
> --            gname = grp.getgrnam(group)[0]
> --            break
> --    except KeyError:
> --        gname = ''
> --fp = open("conftest.out", "w")
> --fp.write("%s\n" % gname)
> --fp.close()
> --EOF
> --    $PYTHON conftest.py
> --    MAILMAN_GROUP=`cat conftest.out`
> --fi
> --
> --rm -f conftest.out conftest.py
> --if test -z "$MAILMAN_GROUP"
> --then
> --  if test "$with_permcheck" = "yes"
> --  then
> --    as_fn_error $? "
> --***** No \"$GROUPNAME\" group found!
> --***** Your system must have a \"$GROUPNAME\" group defined
> --***** (usually in your /etc/group file).  Please see the INSTALL
> --***** file for details." "$LINENO" 5
> --  fi
> --fi
> --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5
> --$as_echo "okay" >&6; }
> --
> -+MAILMAN_GROUP=$with_groupname
> - 
> - { $as_echo "$as_me:${as_lineno-$LINENO}: checking permissions on 
> $prefixcheck" >&5
> - $as_echo_n "checking permissions on $prefixcheck... " >&6; }
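Review bot: besides silencing the user/group existence errors (which `--without-permcheck` already does), the removed patch unconditionally set `MAILMAN_USER=$with_username` and `MAILMAN_GROUP=$with_groupname`. With it gone, those two variables are filled only by the `conftest.py` lookups and stay empty when `_mailman` is absent on the build host (a clean chroot). Please verify an empty MAILMAN_USER/MAILMAN_GROUP does not reach the generated Makefiles in a way that alters install ownership or the wrappers; the Makefile comment removed above warned about exactly that. A build as a user on a host without `_mailman` in /etc/passwd would settle it.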
> Index: patches/patch-src_common_c
> ===================================================================
> RCS file: patches/patch-src_common_c
> diff -N patches/patch-src_common_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_common_c        4 Apr 2016 19:07:25 -0000
> @@ -0,0 +1,78 @@
> +$OpenBSD$
> +--- src/common.c.orig        Sun Feb 28 15:47:44 2016
> ++++ src/common.c     Sun Mar 20 16:22:35 2016
> +@@ -119,45 +119,39 @@ fatal(const char* ident, int exitcode, char* format, .
> + void
> + check_caller(const char* ident, const char* parentgroup)
> + {
> +-        GID_T mygid = getgid();
> +-        struct group *mygroup = getgrgid(mygid);
> +-        char* option;
> +-        char* server;
> ++    struct passwd *pw;
> ++    struct group *gr;
> ++    char **g;
> ++    int ok = 0;
> +         char* wrapper;
> + 
> +-        if (running_as_cgi) {
> +-                option = "--with-cgi-gid";
> +-                server = "web";
> +-                wrapper = "CGI";
> +-        }
> +-        else {
> +-                option = "--with-mail-gid";
> +-                server = "mail";
> +-                wrapper = "mail";
> +-        }
> ++    pw = getpwuid(getuid());
> ++    if (pw == NULL)
> ++            fatal(ident, USER_NAME_NOT_FOUND,
> ++                  "Failure to find username");
> + 
> +-        if (!mygroup)
> +-                fatal(ident, GROUP_NAME_NOT_FOUND,
> +-                      "Failure to find group name for GID %d.  Mailman\n"
> +-                      "expected the %s wrapper to be executed as group\n"
> +-                      "\"%s\", but the system's %s server executed the\n"
> +-                      "wrapper as GID %d for which the name could not be\n"
> +-                      "found.  Try adding GID %d to your system as 
> \"%s\",\n"
> +-                      "or tweak your %s server to run the wrapper as 
> group\n"
> +-                      "\"%s\".",
> +-                      mygid, wrapper, parentgroup, server, mygid, mygid,
> +-                      parentgroup, server, parentgroup);
> ++    gr = getgrnam(parentgroup);
> ++    if (gr == NULL)
> ++            fatal(ident, GROUP_NAME_NOT_FOUND,
> ++                  "Failure to find \"%s\" group", parentgroup);
> + 
> +-        if (strcmp(parentgroup, mygroup->gr_name))
> +-                fatal(ident, GROUP_MISMATCH,
> +-                      "Group mismatch error.  Mailman expected the %s\n"
> +-                      "wrapper script to be executed as group \"%s\", but\n"
> +-                      "the system's %s server executed the %s script as\n"
> +-                      "group \"%s\".  Try tweaking the %s server to run 
> the\n"
> +-                      "script as group \"%s\", or re-run configure, \n"
> +-                      "providing the command line option `%s=%s'.",
> +-                      wrapper, parentgroup, server, wrapper, 
> mygroup->gr_name,
> +-                      server, parentgroup, option, mygroup->gr_name);
> ++    for (g = gr->gr_mem; *g; g++) {
> ++            if (strcmp(pw->pw_name, *g) == 0) {
> ++                    ok = 1;
> ++                    break;
> ++            }
> ++    }
> ++
> ++    if (running_as_cgi)
> ++            wrapper = "CGI";
> ++    else
> ++            wrapper = "mail";
> ++
> ++    if (ok == 0)
> ++            fatal(ident, GROUP_MISMATCH,
> ++                  "Group mismatch error.  Mailman expected the %s\n"
> ++                  "wrapper script to be executed by a member of\n"
> ++                  "\"%s\" group.", wrapper, parentgroup);
> + }
> + 
> + 
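Review bot: the new membership test in `for (g = gr->gr_mem; *g; g++)` only consults the member list in /etc/group, so a caller whose primary gid (`pw->pw_gid`) is `_mailmanq` but who is not listed as a member is rejected, and conversely a process the server started without the `_mailmanq` credential at all still passes as long as its user name appears in the file; the old code compared the gid the wrapper was actually running with. Consider also accepting `pw->pw_gid == gr->gr_gid`, or walking `getgroups()`, so the decision reflects the credentials the wrapper was executed with rather than file contents alone. Two smaller points: the GROUP_MISMATCH message lost its diagnostics (the old one printed the offending GID), so printing `pw->pw_name` there would tell an admin which account to add; and the added lines use 4-space indentation while the retained `char* wrapper;` keeps the file's 8-space style.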
> Index: patches/patch-src_common_h
> ===================================================================
> RCS file: patches/patch-src_common_h
> diff -N patches/patch-src_common_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_common_h        4 Apr 2016 19:07:25 -0000
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +--- src/common.h.orig        Sun Mar 20 13:48:18 2016
> ++++ src/common.h     Sun Mar 20 13:53:00 2016
> +@@ -27,6 +27,7 @@
> + #include <errno.h>
> + #include <sys/types.h>
> + #include <grp.h>
> ++#include <pwd.h>
> + #include <unistd.h>
> + 
> + /* GETGROUPS_T gets set in the makefile by configure */
> +@@ -52,6 +53,7 @@ extern const char* logident;
> + #define MAIL_ILLEGAL_COMMAND 6
> + #define ADDALIAS_USAGE_ERROR 7
> + #define GROUP_NAME_NOT_FOUND 8
> ++#define USER_NAME_NOT_FOUND 9
> + 
> + 
> + /*
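Review bot: the `.orig` timestamp in this patch (`Sun Mar 20 13:48:18 2016`) differs from the distfile timestamp used in patch-src_common_c (`Sun Feb 28 15:47:44 2016`), which suggests the header was generated from an already-touched copy; regenerating with `make update-patches` would make both headers reference the pristine source. `USER_NAME_NOT_FOUND 9` is fine provided 9 is not already used by an exit code further down the file (only 6 through 8 are visible in this context).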
> Index: pkg/DESCR
> ===================================================================
> RCS file: /cvs/ports/mail/mailman/pkg/DESCR,v
> retrieving revision 1.3
> diff -u -p -r1.3 DESCR
> --- pkg/DESCR 22 Nov 2014 22:56:42 -0000      1.3
> +++ pkg/DESCR 4 Apr 2016 19:07:25 -0000
> @@ -30,8 +30,3 @@ mailing list manager, and more:
>  - An extensible mail delivery pipeline.
>  
>  - Support for virtual domains.
> -
> -Flavors:
> -    The default flavor makes the mailwrapper run in group _smtpd, for smtpd
> -    postfix - makes the mailwrapper run in group _mailman, for  postfix
> -    sendmail - makes the mailwrapper run in group daemon, for sendmail
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/mail/mailman/pkg/PLIST,v
> retrieving revision 1.25
> diff -u -p -r1.25 PLIST
> --- pkg/PLIST 9 Apr 2015 15:37:08 -0000       1.25
> +++ pkg/PLIST 4 Apr 2016 19:07:25 -0000
> @@ -1,6 +1,10 @@
>  @comment $OpenBSD: PLIST,v 1.25 2015/04/09 15:37:08 okan Exp $
> +@pkgpath mail/mailman,postfix
> +@pkgpath mail/mailman,sendmail
> +@pkgpath mail/mailman,smtpd
>  @newgroup _mailman:504
>  @newuser _mailman:504:_mailman:daemon:Mailing List 
> Manager:${PREFIX}/lib/mailman:/sbin/nologin
> +@newgroup _mailmanq:768
>  @extraunexec rm -fr /var/spool/mailman/*
>  @owner _mailman
>  @group _mailman
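Review bot: the three `@pkgpath` lines are what lets `pkg_add -u` migrate installs of the old smtpd/postfix/sendmail flavors to the unflavored package, but nothing in the package can add the web server or MTA account to `_mailmanq`, so after such an upgrade both wrappers refuse every call until the admin performs the README step. An `@ask-update` or a pointer to the README in the package message would surface that at upgrade time instead of in the mail log.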
> @@ -902,6 +906,7 @@ lib/mailman/templates/da/verify.txt
>  @mode 775
>  lib/mailman/templates/de/
>  @mode
> +lib/mailman/templates/de/adminaddrchgack.txt
>  lib/mailman/templates/de/admindbdetails.html
>  lib/mailman/templates/de/admindbpreamble.html
>  lib/mailman/templates/de/admindbsummary.html
> @@ -1794,9 +1799,6 @@ lib/mailman/templates/no/verify.txt
>  @mode 775
>  lib/mailman/templates/pl/
>  @mode
> -lib/mailman/templates/pl/admindbdetails.html
> -lib/mailman/templates/pl/admindbpreamble.html
> -lib/mailman/templates/pl/admindbsummary.html
>  lib/mailman/templates/pl/adminsubscribeack.txt
>  lib/mailman/templates/pl/adminunsubscribeack.txt
>  lib/mailman/templates/pl/admlogin.html
> @@ -1812,11 +1814,9 @@ lib/mailman/templates/pl/archtocnombox.h
>  lib/mailman/templates/pl/article.html
>  lib/mailman/templates/pl/bounce.txt
>  lib/mailman/templates/pl/checkdbs.txt
> -lib/mailman/templates/pl/convert.txt
>  lib/mailman/templates/pl/cronpass.txt
>  lib/mailman/templates/pl/disabled.txt
>  lib/mailman/templates/pl/emptyarchive.html
> -lib/mailman/templates/pl/headfoot.html
>  lib/mailman/templates/pl/help.txt
>  lib/mailman/templates/pl/invite.txt
>  lib/mailman/templates/pl/listinfo.html
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/mail/mailman/pkg/README,v
> retrieving revision 1.4
> diff -u -p -r1.4 README
> --- pkg/README        19 Mar 2016 10:29:03 -0000      1.4
> +++ pkg/README        4 Apr 2016 19:07:25 -0000
> @@ -11,6 +11,8 @@ OpenBSD specific comments added. It's a 
>  
>  1) Final Steps for Installation
>  
> +- Add your MTA and web server user to the _mailmanq group.
> +
>  - Configure your web server to give $mailmandir/cgi-bin permission to
>    run CGI scripts by adding
>  
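Review bot: the new step should say which accounts and how. Since the wrapper reads the member list of `_mailmanq` from /etc/group, both the web server account (`www` for httpd(8)) and the account your MTA uses to run pipe aliases must be added as members, e.g. `usermod -G _mailmanq www`; an account whose login group in /etc/passwd is `_mailmanq` but which is not listed as a member does not pass the check.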
> @@ -175,13 +177,10 @@ system and version of Python.
>               more information.
>  
>  
> -   Problem:  The mail wrapper programs are logging complaints about the
> -             wrong GID.
> +   Problem:  The cgi and mail wrapper programs are logging complaints
> +             about group mismatch.
>  
> -   Solution: The mail wrappers have a compiled-in GID check. Packages are
> -             available for postfix/smtpd/sendmail, pkg_add will ask you which
> -             to use. If you change MTA, uninstall the mailman package and
> -             pkg_add a new one.
> +   Solution: Add your MTA and web server user to the _mailmanq group.
>  
>  
>     Problem:  I send mail to the list, and get back mail saying,

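The summary's "check calling uid against the defined group" raises the question of which credentials should count. The following is an added example, not the port's patch and not Mailman's own src/common.c: it keeps the patch's member-list test as caller_in_memlist() and sets it beside caller_in_group(), which additionally accepts the caller's primary gid and the supplementary gids the process was actually executed with. The group entry, the member names www and _smtpd, and gid 768 are constructed sample data drawn from the thread; check_caller_live() is a hypothetical name for the variant that reads the real process credentials.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Constructed sample data standing in for an /etc/group entry of the form
 *   _mailmanq:*:768:www,_smtpd
 * Nothing below is read from the real system; names and gid are assumptions.
 */
static char *mailmanq_members[] = { "www", "_smtpd", NULL };
static struct group mailmanq = {
	.gr_name   = "_mailmanq",
	.gr_passwd = "*",
	.gr_gid    = 768,
	.gr_mem    = mailmanq_members,
};
/* Supplementary gid list of a hypothetical caller that carries gid 768. */
static const gid_t supp_with_mailmanq[] = { 20, 768 };

/* What the port's patch does: accept only names listed in gr_mem. */
int
caller_in_memlist(const char *name, const struct group *gr)
{
	char **m;

	if (name == NULL || gr == NULL || gr->gr_mem == NULL)
		return 0;
	for (m = gr->gr_mem; *m != NULL; m++)
		if (strcmp(name, *m) == 0)
			return 1;
	return 0;
}

/*
 * Broader check: the caller is a member if its primary gid is the group,
 * the group is among the supplementary gids the process runs with, or its
 * name is in gr_mem.  Returns 1 for member, 0 otherwise.
 */
int
caller_in_group(const char *name, gid_t primary, const gid_t *supp,
    int nsupp, const struct group *gr)
{
	int i;

	if (gr == NULL)
		return 0;
	if (primary == gr->gr_gid)
		return 1;
	for (i = 0; i < nsupp; i++)
		if (supp[i] == gr->gr_gid)
			return 1;
	return caller_in_memlist(name, gr);
}

/*
 * Live variant: credentials of this process against a named system group.
 * Returns 1 (member), 0 (not a member) or -1 (user or group lookup failed,
 * the point where the wrapper would call fatal()).
 */
int
check_caller_live(const char *groupname)
{
	char name[128];
	gid_t supp[64];
	gid_t primary;
	struct passwd *pw;
	struct group *gr;
	int n;

	pw = getpwuid(getuid());	/* real uid: the server that executed us */
	if (pw == NULL)
		return -1;
	snprintf(name, sizeof(name), "%s", pw->pw_name);
	primary = pw->pw_gid;
	gr = getgrnam(groupname);
	if (gr == NULL)
		return -1;
	n = getgroups(64, supp);	/* supplementary gids of this process */
	if (n < 0)
		return -1;
	return caller_in_group(name, primary, supp, n, gr);
}

int
main(void)
{
	int r = check_caller_live("_mailmanq");

	if (r < 0) {
		printf("lookup failed: no _mailmanq group or unknown uid\n");
		return 2;
	}
	printf("caller %s a member of _mailmanq\n", r ? "is" : "is not");
	return r ? 0 : 1;
}
```

The contrast the sample data makes visible: a `daemon` account whose login group is 768 is rejected by caller_in_memlist() but accepted by caller_in_group(), and a process that carries 768 only as a supplementary gid is likewise only accepted by the broader check.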