Mark Sapiro replied to my posting about group-id mismatches, in part:

My questions are these:

1) Where is this group test being made?
In the wrapper /usr/lib/mailman/mail/mailman.


In a 'package' installation, the expected group is determined by what
ever magic the packager has resorted to to avoid having to recompile
the wrapper.
I was looking at this wrapper executable and how it is compiled.
I needed to determine the "magic" involved. I have the "script" output
of my installations on Solaris and Ubuntu. I found this Debian/Ubuntu


that contains, in part, this change to mail-wrapper.c:

--- mailman-2.1.4.orig/src/mail-wrapper.c
+++ mailman-2.1.4/src/mail-wrapper.c
@@ -74,7 +74,7 @@
fatal(logident, MAIL_ILLEGAL_COMMAND,
"Illegal command: %s", argv[1]);

- check_caller(logident, parentgroup);
+ if (getgid() >= 100 && getgid() != 65534) check_caller(logident, LEGAL_PARENT_GROUP);

/* If we got here, everything must be OK */
status = run_script(argv[1], argc, argv, env);

The patch contains a similar patch to cgi-wrapper.c .
From the debian/changelog, with the oldest patch first:
mailman (1.0b7-1) unstable; urgency=low

* Don't check caller gid in mail-wrapper

-- Gergely Madarasz <gorgo at caesar.elte.hu> Fri, 8 Jan 1999 02:24:00 +0100
mailman (2.0.3-2) unstable; urgency=low

* Applied some old patches which had got lost, including allowing the
calling of the wrapper scripts if GID == nobody or < 100. (Closes:
#36010, #89564, #89848, 89818)

-- Tollef Fog Heen <tfheen at debian.org> Wed, 14 Mar 2001 13:40:16 +0100
From the Debian web site:
mailman (2.0.3-3) unstable; urgency=low

* Mailman has supported having nobody as the CGI user for some time
(closes: #36010)

- Tollef Fog Heen <tfheen at debian.org> Fri, 16 Mar 2001 11:06:44 +0100

There was no additional information on patches #89564, #89848, 89818.

The patch appears to be calling


only if the group is over 99 and not 65534, and it is calling that
routine with a different parent group. But the mail-wrapper.c code has

const char* parentgroup = LEGAL_PARENT_GROUP;

I have no idea for the reasoning behind "Don't check caller gid in
mail-wrapper", nor do I understand the reasoning for the "nobody" and
"< 100" GID checks. I do not know if the change to the second parameter
of check_caller is significant.

When I built my 2.1.9 package, I did not include any of the Debian
patches except for one that changes two parameters in Defaults.py.in:


What I have on my Ubuntu test system in /etc/group is:


I have to conclude that the straight Ubuntu/Debian package installation
was not checking the group-id because the daemon and list groups have
ID below 100. When I built and installed the 2.1.9 Ubuntu package
without this patch, the Mailman code began checking the group-id and
found a mismatch.

I would appreciate it if someone would confirm my conclusions. Thanks.
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994

Search Discussions

Discussion Posts


Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 3 | next ›
Discussion Overview
groupmailman-users @
postedFeb 5, '07 at 7:44p
activeFeb 14, '07 at 9:06p

1 user in discussion

Barry Finkel: 3 posts



site design / logo © 2023 Grokbase