On Mon 2016.04.04 at 15:22 -0400, Okan Demirmen wrote:
> On Wed 2016.03.23 at 13:27 +0000, Stuart Henderson wrote:
> > On 2016/03/23 08:48, Okan Demirmen wrote:
> > > I believe the cgi/mail wrapper check could actually look at the defined
> > > group membership instead.
> >
> > Oh this is a much better approach. I was considering rewriting the check
> > to allow any one of a hardcoded list, but that's a much better idea.
> >
> > I'm not using mailman myself but think this is a good way to do it.
>
> dlg's comment was to use another group, _mailmanq; with that, here's an
> updated diff to go in the cgi/mail wrapper rewrite direction with a new
> group (of course mail/Makefile to be updated as well).
>
> Summary:
> - update to 2.1.21
> - remove configure patch: hasn't been required since introducing
>   --without-permcheck in configure
> - some of Defaults.py are now upstream defaults.
> - rewrite cgi/mail wrapper (check_caller()) to check calling uid
>   against --with-cgi-gid/--with-mail-gid defined group.
> - no longer requires a FLAVOR for each mail/web server.
>
> Thanks,
> Okan
Perhaps not many (any?) mailman users but myself and dlg@...maybe another porter's point-of-view for sanity's sake :) Otherwise, I'll move ahead. Thanks! Okan > Index: user.list > =================================================================== > RCS file: /cvs/ports/infrastructure/db/user.list,v > retrieving revision 1.264 > diff -u -p -r1.264 user.list > --- user.list 4 Apr 2016 12:05:37 -0000 1.264 > +++ user.list 4 Apr 2016 19:07:36 -0000 > @@ -276,3 +276,4 @@ id user group port options > 765 _hedgewars _hedgewars games/hedgewars > 766 _kibana _kibana www/kibana > 767 _squeezelite _squeezelite audio/squeezelite > +768 _mailmanq mail/mailman > Index: Makefile > =================================================================== > RCS file: /cvs/ports/mail/mailman/Makefile,v > retrieving revision 1.83 > diff -u -p -r1.83 Makefile > --- Makefile 19 Mar 2016 10:31:44 -0000 1.83 > +++ Makefile 4 Apr 2016 19:07:25 -0000 > @@ -2,8 +2,7 @@ > > COMMENT= mailing list manager with web interface > > -DISTNAME= mailman-2.1.20 > -REVISION= 0 > +DISTNAME= mailman-2.1.21 > CATEGORIES= mail www > > HOMEPAGE= https://www.gnu.org/software/mailman/ > @@ -32,8 +31,6 @@ FAKE_FLAGS= DIRSETGID=":" > > # gnu still breaks the paths as prefix is actually mailman's home > CONFIGURE_STYLE= simple > -# do not use --without-permcheck as this requires the mailman user and group > -# to exist, otherwise there will be problems running mailman > CONFIGURE_ARGS+= --prefix='${MMHOME}' \ > --with-mailhost=localhost.my.domain \ > --with-python=${MODPY_BIN} \ 
> @@ -41,19 +38,9 @@ CONFIGURE_ARGS+= --prefix='${MMHOME}' \ > --with-var-prefix='${MMSPOOL}' \ > --without-permcheck \ > --with-username=_mailman \ > - --with-groupname=_mailman > - > -FLAVORS= smtpd postfix sendmail > -FLAVOR?= smtpd > -.if ${FLAVOR:Mpostfix} > -CONFIGURE_ARGS+=--with-mail-gid=_mailman > -.elif ${FLAVOR:Msendmail} > -CONFIGURE_ARGS+=--with-mail-gid=daemon > -.elif ${FLAVOR:Msmtpd} > -CONFIGURE_ARGS+=--with-mail-gid=_smtpd > -.else > -ERRORS+="Fatal: a flavor (smtpd, postfix, sendmail) must be specified" > -.endif > + --with-groupname=_mailman \ > + --with-cgi-gid=_mailmanq \ > + --with-mail-gid=_mailmanq > > SCRIPTS= Mailman/Archiver/pipermail.py \ > Mailman/Post.py \ > Index: distinfo > =================================================================== > RCS file: /cvs/ports/mail/mailman/distinfo,v > retrieving revision 1.23 > diff -u -p -r1.23 distinfo > --- distinfo 9 Apr 2015 15:37:08 -0000 1.23 > +++ distinfo 4 Apr 2016 19:07:25 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (mailman-2.1.20.tgz) = UiwrXFq5E5j9+UmolhFiwxT2MjzRv+uQfg+y2IJ3cR8= > -SIZE (mailman-2.1.20.tgz) = 9204867 > +SHA256 (mailman-2.1.21.tgz) = /tM6GBVN6qToGiB5jIFEhe1LLl2LQs9tPVWGf/T3CEM= > +SIZE (mailman-2.1.21.tgz) = 9266286 > Index: patches/patch-Mailman_Defaults_py_in > =================================================================== > RCS file: /cvs/ports/mail/mailman/patches/patch-Mailman_Defaults_py_in,v > retrieving revision 1.13 > diff -u -p -r1.13 patch-Mailman_Defaults_py_in > --- patches/patch-Mailman_Defaults_py_in 9 Apr 2015 15:37:08 -0000 > 1.13 > +++ patches/patch-Mailman_Defaults_py_in 4 Apr 2016 19:07:25 -0000 
> @@ -1,27 +1,12 @@ > $OpenBSD: patch-Mailman_Defaults_py_in,v 1.13 2015/04/09 15:37:08 okan Exp $ > ---- Mailman/Defaults.py.in.orig Sat Feb 28 11:41:04 2015 > -+++ Mailman/Defaults.py.in Sun Mar 22 11:55:07 2015 > -@@ -539,7 +539,22 @@ SMTPPORT = 0 # de > +--- Mailman/Defaults.py.in.orig Sun Feb 28 15:47:44 2016 > ++++ Mailman/Defaults.py.in Sun Mar 20 11:21:13 2016 > +@@ -554,7 +554,7 @@ SMTPPORT = 0 # de > > # Command for direct command pipe delivery to sendmail compatible program, > # when DELIVERY_MODULE is 'Sendmail'. > -SENDMAIL_CMD = '/usr/lib/sendmail' > +SENDMAIL_CMD = '/usr/sbin/sendmail' > -+ > -+# Specify the type of passwords to use, when Mailman generates the passwords > -+# itself, as would be the case for membership requests where the user did > not > -+# fill in a password, or during list creation, when auto-generation of admin > -+# passwords was selected. > -+# > -+# Set this value to Yes for classic Mailman user-friendly(er) passwords. > -+# These generate semi-pronounceable passwords which are easier to remember. > -+# Set this value to No to use more cryptographically secure, but harder to > -+# remember, passwords -- if your operating system and Python version support > -+# the necessary feature (specifically that /dev/urandom be available). > -+USER_FRIENDLY_PASSWORDS = Yes > -+ > -+# This value specifies the default lengths of member passwords > -+MEMBER_PASSWORD_LENGTH = 8 > > # Set these variables if you need to authenticate to your NNTP server for > # Usenet posting or reading. If no authentication is necessary, specify > None > Index: patches/patch-configure > =================================================================== > RCS file: patches/patch-configure > diff -N patches/patch-configure > --- patches/patch-configure 9 Apr 2015 15:37:08 -0000 1.11 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,115 +0,0 @@ > -$OpenBSD: patch-configure,v 1.11 2015/04/09 15:37:08 okan Exp $ > ---- configure.orig Tue May 6 12:43:56 2014 > -+++ configure Sun Jan 11 10:37:11 2015 > -@@ -3543,54 +3543,8 @@ USERNAME=$with_username > - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USERNAME" >&5 > - $as_echo "$USERNAME" >&6; } > - > --# User `mailman' must exist > -+MAILMAN_USER=$with_username > - > --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for user name > \"$USERNAME\"" >&5 > --$as_echo_n "checking for user name \"$USERNAME\"... " >&6; } > -- > --# MAILMAN_USER == variable name > --# $USERNAME == user id to check for > -- > -- > --if test -z "$MAILMAN_USER" > --then > -- cat > conftest.py <<EOF > --import pwd > --uid = '' > --for user in "$USERNAME".split(): > -- try: > -- try: > -- uname = pwd.getpwuid(int(user))[0] > -- break > -- except ValueError: > -- uname = pwd.getpwnam(user)[0] > -- break > -- except KeyError: > -- uname = '' > --fp = open("conftest.out", "w") > --fp.write("%s\n" % uname) > --fp.close() > --EOF > -- $PYTHON conftest.py > -- MAILMAN_USER=`cat conftest.out` > --fi > -- > --rm -f conftest.out conftest.py > --if test -z "$MAILMAN_USER" > --then > -- if test "$with_permcheck" = "yes" > -- then > -- as_fn_error $? " > --***** No \"$USERNAME\" user found! > --***** Your system must have a \"$USERNAME\" user defined > --***** (usually in your /etc/passwd file). Please see the INSTALL > --***** file for details." "$LINENO" 5 > -- fi > --fi > --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5 > --$as_echo "okay" >&6; } > -- > -- > - # Check for some other gid to use than `mailman' > - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-groupname" >&5 > - $as_echo_n "checking for --with-groupname... 
" >&6; } > -@@ -3609,54 +3563,7 @@ GROUPNAME=$with_groupname > - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GROUPNAME" >&5 > - $as_echo "$GROUPNAME" >&6; } > - > -- > --# Target group must exist > -- > --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for group name > \"$GROUPNAME\"" >&5 > --$as_echo_n "checking for group name \"$GROUPNAME\"... " >&6; } > -- > --# MAILMAN_GROUP == variable name > --# $GROUPNAME == user id to check for > -- > -- > --if test -z "$MAILMAN_GROUP" > --then > -- cat > conftest.py <<EOF > --import grp > --gid = '' > --for group in "$GROUPNAME".split(): > -- try: > -- try: > -- gname = grp.getgrgid(int(group))[0] > -- break > -- except ValueError: > -- gname = grp.getgrnam(group)[0] > -- break > -- except KeyError: > -- gname = '' > --fp = open("conftest.out", "w") > --fp.write("%s\n" % gname) > --fp.close() > --EOF > -- $PYTHON conftest.py > -- MAILMAN_GROUP=`cat conftest.out` > --fi > -- > --rm -f conftest.out conftest.py > --if test -z "$MAILMAN_GROUP" > --then > -- if test "$with_permcheck" = "yes" > -- then > -- as_fn_error $? " > --***** No \"$GROUPNAME\" group found! > --***** Your system must have a \"$GROUPNAME\" group defined > --***** (usually in your /etc/group file). Please see the INSTALL > --***** file for details." "$LINENO" 5 > -- fi > --fi > --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: okay" >&5 > --$as_echo "okay" >&6; } > -- > -+MAILMAN_GROUP=$with_groupname > - > - { $as_echo "$as_me:${as_lineno-$LINENO}: checking permissions on > $prefixcheck" >&5 > - $as_echo_n "checking permissions on $prefixcheck... " >&6; } > Index: patches/patch-src_common_c > =================================================================== > RCS file: patches/patch-src_common_c > diff -N patches/patch-src_common_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_common_c 4 Apr 2016 19:07:25 -0000 
> @@ -0,0 +1,78 @@ > +$OpenBSD$ > +--- src/common.c.orig Sun Feb 28 15:47:44 2016 > ++++ src/common.c Sun Mar 20 16:22:35 2016 > +@@ -119,45 +119,39 @@ fatal(const char* ident, int exitcode, char* format, . > + void > + check_caller(const char* ident, const char* parentgroup) > + { > +- GID_T mygid = getgid(); > +- struct group *mygroup = getgrgid(mygid); > +- char* option; > +- char* server; > ++ struct passwd *pw; > ++ struct group *gr; > ++ char **g; > ++ int ok = 0; > + char* wrapper; > + > +- if (running_as_cgi) { > +- option = "--with-cgi-gid"; > +- server = "web"; > +- wrapper = "CGI"; > +- } > +- else { > +- option = "--with-mail-gid"; > +- server = "mail"; > +- wrapper = "mail"; > +- } > ++ pw = getpwuid(getuid()); > ++ if (pw == NULL) > ++ fatal(ident, USER_NAME_NOT_FOUND, > ++ "Failure to find username"); > + > +- if (!mygroup) > +- fatal(ident, GROUP_NAME_NOT_FOUND, > +- "Failure to find group name for GID %d. Mailman\n" > +- "expected the %s wrapper to be executed as group\n" > +- "\"%s\", but the system's %s server executed the\n" > +- "wrapper as GID %d for which the name could not be\n" > +- "found. Try adding GID %d to your system as > \"%s\",\n" > +- "or tweak your %s server to run the wrapper as > group\n" > +- "\"%s\".", > +- mygid, wrapper, parentgroup, server, mygid, mygid, > +- parentgroup, server, parentgroup); > ++ gr = getgrnam(parentgroup); > ++ if (gr == NULL) > ++ fatal(ident, GROUP_NAME_NOT_FOUND, > ++ "Failure to find \"%s\" group", parentgroup); > + > +- if (strcmp(parentgroup, mygroup->gr_name)) > +- fatal(ident, GROUP_MISMATCH, > +- "Group mismatch error. Mailman expected the %s\n" > +- "wrapper script to be executed as group \"%s\", but\n" > +- "the system's %s server executed the %s script as\n" > +- "group \"%s\". 
Try tweaking the %s server to run > the\n" > +- "script as group \"%s\", or re-run configure, \n" > +- "providing the command line option `%s=%s'.", > +- wrapper, parentgroup, server, wrapper, > mygroup->gr_name, > +- server, parentgroup, option, mygroup->gr_name); > ++ for (g = gr->gr_mem; *g; g++) { > ++ if (strcmp(pw->pw_name, *g) == 0) { > ++ ok = 1; > ++ break; > ++ } > ++ } > ++ > ++ if (running_as_cgi) > ++ wrapper = "CGI"; > ++ else > ++ wrapper = "mail"; > ++ > ++ if (ok == 0) > ++ fatal(ident, GROUP_MISMATCH, > ++ "Group mismatch error. Mailman expected the %s\n" > ++ "wrapper script to be executed by a member of\n" > ++ "\"%s\" group.", wrapper, parentgroup); > + } > + > + > Index: patches/patch-src_common_h > =================================================================== > RCS file: patches/patch-src_common_h > diff -N patches/patch-src_common_h > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_common_h 4 Apr 2016 19:07:25 -0000 > @@ -0,0 +1,19 @@ > +$OpenBSD$ > +--- src/common.h.orig Sun Mar 20 13:48:18 2016 > ++++ src/common.h Sun Mar 20 13:53:00 2016 > +@@ -27,6 +27,7 @@ > + #include <errno.h> > + #include <sys/types.h> > + #include <grp.h> > ++#include <pwd.h> > + #include <unistd.h> > + > + /* GETGROUPS_T gets set in the makefile by configure */ > +@@ -52,6 +53,7 @@ extern const char* logident; > + #define MAIL_ILLEGAL_COMMAND 6 > + #define ADDALIAS_USAGE_ERROR 7 > + #define GROUP_NAME_NOT_FOUND 8 > ++#define USER_NAME_NOT_FOUND 9 > + > + > + /* > Index: pkg/DESCR > =================================================================== > RCS file: /cvs/ports/mail/mailman/pkg/DESCR,v > retrieving revision 1.3 > diff -u -p -r1.3 DESCR > --- pkg/DESCR 22 Nov 2014 22:56:42 -0000 1.3 > +++ pkg/DESCR 4 Apr 2016 19:07:25 -0000 
> @@ -30,8 +30,3 @@ mailing list manager, and more: > - An extensible mail delivery pipeline. > > - Support for virtual domains. > - > -Flavors: > - The default flavor makes the mailwrapper run in group _smtpd, for smtpd > - postfix - makes the mailwrapper run in group _mailman, for postfix > - sendmail - makes the mailwrapper run in group daemon, for sendmail > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/mail/mailman/pkg/PLIST,v > retrieving revision 1.25 > diff -u -p -r1.25 PLIST > --- pkg/PLIST 9 Apr 2015 15:37:08 -0000 1.25 > +++ pkg/PLIST 4 Apr 2016 19:07:25 -0000 > @@ -1,6 +1,10 @@ > @comment $OpenBSD: PLIST,v 1.25 2015/04/09 15:37:08 okan Exp $ > +@pkgpath mail/mailman,postfix > +@pkgpath mail/mailman,sendmail > +@pkgpath mail/mailman,smtpd > @newgroup _mailman:504 > @newuser _mailman:504:_mailman:daemon:Mailing List > Manager:${PREFIX}/lib/mailman:/sbin/nologin > +@newgroup _mailmanq:768 > @extraunexec rm -fr /var/spool/mailman/* > @owner _mailman > @group _mailman > @@ -902,6 +906,7 @@ lib/mailman/templates/da/verify.txt > @mode 775 > lib/mailman/templates/de/ > @mode > +lib/mailman/templates/de/adminaddrchgack.txt > lib/mailman/templates/de/admindbdetails.html > lib/mailman/templates/de/admindbpreamble.html > lib/mailman/templates/de/admindbsummary.html > @@ -1794,9 +1799,6 @@ lib/mailman/templates/no/verify.txt > @mode 775 > lib/mailman/templates/pl/ > @mode > -lib/mailman/templates/pl/admindbdetails.html > -lib/mailman/templates/pl/admindbpreamble.html > -lib/mailman/templates/pl/admindbsummary.html > lib/mailman/templates/pl/adminsubscribeack.txt > lib/mailman/templates/pl/adminunsubscribeack.txt > lib/mailman/templates/pl/admlogin.html 
> @@ -1812,11 +1814,9 @@ lib/mailman/templates/pl/archtocnombox.h > lib/mailman/templates/pl/article.html > lib/mailman/templates/pl/bounce.txt > lib/mailman/templates/pl/checkdbs.txt > -lib/mailman/templates/pl/convert.txt > lib/mailman/templates/pl/cronpass.txt > lib/mailman/templates/pl/disabled.txt > lib/mailman/templates/pl/emptyarchive.html > -lib/mailman/templates/pl/headfoot.html > lib/mailman/templates/pl/help.txt > lib/mailman/templates/pl/invite.txt > lib/mailman/templates/pl/listinfo.html > Index: pkg/README > =================================================================== > RCS file: /cvs/ports/mail/mailman/pkg/README,v > retrieving revision 1.4 > diff -u -p -r1.4 README > --- pkg/README 19 Mar 2016 10:29:03 -0000 1.4 > +++ pkg/README 4 Apr 2016 19:07:25 -0000 > @@ -11,6 +11,8 @@ OpenBSD specific comments added. It's a > > 1) Final Steps for Installation > > +- Add your MTA and web server user to the _mailmanq group. > + > - Configure your web server to give $mailmandir/cgi-bin permission to > run CGI scripts by adding > > @@ -175,13 +177,10 @@ system and version of Python. > more information. > > > - Problem: The mail wrapper programs are logging complaints about the > - wrong GID. > + Problem: The cgi and mail wrapper programs are logging complaints > + about group mismatch. > > - Solution: The mail wrappers have a compiled-in GID check. Packages are > - available for postfix/smtpd/sendmail, pkg_add will ask you which > - to use. If you change MTA, uninstall the mailman package and > - pkg_add a new one. > + Solution: Add your MTA and web server user to the _mailmanq group. > > > Problem: I send mail to the list, and get back mail saying,
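Review bot: in the Makefile hunk, `--with-cgi-gid=_mailmanq` and `--with-mail-gid=_mailmanq` point both wrappers at the same group, so any account added to `_mailmanq` for the MTA can also invoke the CGI wrapper and the web server's account can invoke the mail wrapper; that is a broader grant than the per-server groups (_smtpd, _mailman, daemon) the removed FLAVORS block selected, and if it is the intended trade-off it deserves a sentence in pkg/README. The same hunk drops the comment about `--without-permcheck` while the option itself stays in CONFIGURE_ARGS, so a one-line comment saying why it is still passed would help the next reader.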
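Review bot: in the patch-src_common_c hunk, the new check_caller() only walks `gr->gr_mem`, so an account whose primary group (`pw->pw_gid`) is `_mailmanq` but which is not listed as a supplementary member in /etc/group is rejected with GROUP_MISMATCH; adding `if (pw->pw_gid == gr->gr_gid) ok = 1;` before the loop covers that case. The new USER_NAME_NOT_FOUND message could also carry the uid, e.g. `"Failure to find username for UID %d", (int)getuid()`, so an operator can tell which account the server ran the wrapper as, the way the removed GID message did.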
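Review bot: in the pkg/README hunk, "Add your MTA and web server user to the _mailmanq group" is the only setup step the new check depends on, so it should spell out that the wrapper now checks the calling user's membership in `_mailmanq` rather than the group the server executes the wrapper as, give the command (`usermod -G _mailmanq <user>`), and note that a long-running MTA or web server keeps the supplementary group list it started with and must be restarted before the membership takes effect.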