Mark Sapiro replied to my posting about group-id mismatches, in part:
My questions are these:
1) Where is this group test being made?
In the wrapper /usr/lib/mailman/mail/mailman.My questions are these:
1) Where is this group test being made?
...
In a 'package' installation, the expected group is determined by what
ever magic the packager has resorted to to avoid having to recompile
the wrapper.
I needed to determine the "magic" involved. I have the "script" output
of my installations on Solaris and Ubuntu. I found this Debian/Ubuntu
patch
10_wrapper_uid.dpatch
that contains, in part, this change to mail-wrapper.c:
=====================================================================
--- mailman-2.1.4.orig/src/mail-wrapper.c
+++ mailman-2.1.4/src/mail-wrapper.c
@@ -74,7 +74,7 @@
fatal(logident, MAIL_ILLEGAL_COMMAND,
"Illegal command: %s", argv[1]);
- check_caller(logident, parentgroup);
+ if (getgid() >= 100 && getgid() != 65534) check_caller(logident, LEGAL_PARENT_GROUP);
/* If we got here, everything must be OK */
status = run_script(argv[1], argc, argv, env);
=====================================================================
The patch contains a similar patch to cgi-wrapper.c .
From the debian/changelog, with the oldest patch first:
-------------------------------------------mailman (1.0b7-1) unstable; urgency=low
* Don't check caller gid in mail-wrapper
-- Gergely Madarasz <gorgo at caesar.elte.hu> Fri, 8 Jan 1999 02:24:00 +0100
-------------------------------------------
mailman (2.0.3-2) unstable; urgency=low
* Applied some old patches which had got lost, including allowing the
calling of the wrapper scripts if GID == nobody or < 100. (Closes:
#36010, #89564, #89848, 89818)
-- Tollef Fog Heen <tfheen at debian.org> Wed, 14 Mar 2001 13:40:16 +0100
-------------------------------------------
From the Debian web site:
mailman (2.0.3-3) unstable; urgency=low* Mailman has supported having nobody as the CGI user for some time
(closes: #36010)
- Tollef Fog Heen <tfheen at debian.org> Fri, 16 Mar 2001 11:06:44 +0100
-------------------------------------------
There was no additional information on patches #89564, #89848, 89818.
The patch appears to be calling
check_caller
only if the group is over 99 and not 65534, and it is calling that
routine with a different parent group. But the mail-wrapper.c code has
#define LEGAL_PARENT_GROUP MAIL_GROUP
const char* parentgroup = LEGAL_PARENT_GROUP;
I have no idea for the reasoning behind "Don't check caller gid in
mail-wrapper", nor do I understand the reasoning for the "nobody" and
"< 100" GID checks. I do not know if the change to the second parameter
of check_caller is significant.
When I built my 2.1.9 package, I did not include any of the Debian
patches except for one that changes two parameters in Defaults.py.in:
IMAGE_LOGOS
DEFAULT_URL_PATTERN
What I have on my Ubuntu test system in /etc/group is:
daemon:x:1:
list:x:38:
I have to conclude that the straight Ubuntu/Debian package installation
was not checking the group-id because the daemon and list groups have
ID below 100. When I built and installed the 2.1.9 Ubuntu package
without this patch, the Mailman code began checking the group-id and
found a mismatch.
I would appreciate it if someone would confirm my conclusions. Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994