
On 02/07/2018 01:38 PM, Sebastian Hagedorn wrote:
> Hm, part of that was an artifact of running configure manually instead of using the SPEC file I usually use to build Mailman. With the latter and my "fix" I get the following:
>
> $ mailman-config
> Configuration and build information for Mailman
>
> Mailman version: 2.1.26
> Build Date: Wed Feb 7 13:23:45 CET 2018
>
> prefix: /usr/lib/mailman
> var_prefix: /var/lib/mailman
> mailman_user: mailman
> mailman_group: mailman
> mail_group: mail postfix mailman nobody daemon
> cgi_group: apache
>
> configure_opts: "--prefix=/usr/lib/mailman --with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman --with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman --with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman --with-python=/usr/bin/python2.7 --with-mail-gid=mail postfix mailman nobody daemon --with-cgi-id=apache --with-cgi-gid=apache --with-mailhost=localhost.localdomain --with-urlhost=localhost.localdomain --without-permcheck"
>
> So it's still using --without-permcheck, but the other options are there.

When I run that command without having made any changes in the unpacked tarball on a machine without a 'mailman' user, but with a 'mail' group, I get this from configure
configure: WARNING: unrecognized options: --with-config-dir, --with-lock-dir, --with-log-dir, --with-pid-dir, --with-queue-dir, --with-cgi-id
This is expected because those options to configure were added by RedHat as part of their FHS compliance patch. See <https://wiki.list.org/x/8486953> and <https://mail.python.org/pipermail/mailman-developers/2004-October/017343.htm...>
I get this from the bin/mailman-config command
Configuration and build information for Mailman

Mailman version: 2.1.26
Build Date: Wed Feb 7 14:19:11 PST 2018

prefix: /usr/lib/mailman
var_prefix: /var/lib/mailman
mailman_user:
mailman_group:
mail_group: mail
cgi_group: apache

configure_opts: "--prefix=/usr/lib/mailman --with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman --with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman --with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman --with-python=/usr/bin/python2.7 --with-mail-gid=mail postfix mailman nobody daemon --with-cgi-id=apache --with-cgi-gid=apache --with-mailhost=localhost.localdomain --with-urlhost=localhost.localdomain --without-permcheck"
The empty mailman_user and mailman_group are because there is no 'mailman' user/group on the system I ran it on, and the fact that I get mail_group = 'mail' rather than 'mail postfix mailman nobody daemon' is because there is a 'mail' group (it picks the first group that exists from that list and only yields the whole list as the result if none exist).
I suspect that your actual configure command options rather than the ones reported by your bin/mailman-config are something like
--prefix=/usr/lib/mailman --with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman --with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman --with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman --with-python=/usr/bin/python2.7 --with-mail-gid='"mail postfix mailman nobody daemon"' --with-cgi-id=apache --with-cgi-gid=\"apache\" --with-mailhost=localhost.localdomain --with-urlhost=localhost.localdomain --without-permcheck
and that's where the extraneous quotes are coming from. I think the passing of a list to --with-mail-gid relies on another RedHat modification to the mail wrapper to be able to dynamically configure the mail group and not build it in to the RPM.
The question is what are you trying to do.
If you just want to build a working Mailman 2.1.26 installation, I suggest removing the --with-config-dir, --with-lock-dir, --with-log-dir, --with-pid-dir, --with-queue-dir, --with-cgi-id options and setting --with-mail-gid and --with-cgi-gid to the appropriate single groups without any quotes.
If you are trying to build a RHEL FHS compliant Mailman, start by porting the patch in the attachment to <https://mail.python.org/pipermail/mailman-developers/2004-October/017343.htm...> and applying it, running autoconf to regenerate configure from configure.in and take any resultant issues to RedHat. Note, the last I knew, John Dennis was still at RedHat, but was no longer working with Mailman, but that was a long time ago. In case it isn't obvious, I recommend the first approach.
If you're just trying to fix CVE-2018-5950, just apply the patch attached to <https://bugs.launchpad.net/mailman/+bug/1747209>.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
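
The group-selection rule and the option advice from the message above, as an added sketch that is not part of the original post and is not Mailman's configure code. The function names, the injectable `exists` lookup and the `SAMPLE` string are assumptions made for illustration, and groups are matched by name only.

```python
import grp
import shlex

# Options the configure run on this page reported as unrecognized.
REDHAT_ONLY = {"--with-config-dir", "--with-lock-dir", "--with-log-dir",
               "--with-pid-dir", "--with-queue-dir", "--with-cgi-id"}
GROUP_OPTS = ("--with-mail-gid", "--with-cgi-gid")

def system_group_exists(name):
    """Default lookup against the local group database."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def resolve_group(value, exists=system_group_exists):
    """First existing group in a space-separated list, else the whole list."""
    for candidate in value.split():
        if exists(candidate):
            return candidate
    return value

def audit(command_line, exists=system_group_exists):
    """Return (resolved groups, findings) for a configure option string."""
    resolved, findings = {}, []
    for arg in shlex.split(command_line):
        opt, _, value = arg.partition("=")
        if opt in REDHAT_ONLY:
            findings.append("%s: not recognized without the FHS patch" % opt)
        elif opt in GROUP_OPTS:
            if '"' in value or "'" in value:
                findings.append("%s: quote characters inside the value" % opt)
            if len(value.split()) != 1:
                findings.append("%s: expected a single group" % opt)
            resolved[opt] = resolve_group(value, exists)
    return resolved, findings

# Constructed sample modelled on the option string suspected in the message.
SAMPLE = ("--prefix=/usr/lib/mailman --with-lock-dir=/var/lock/mailman "
          "--with-mail-gid='\"mail postfix mailman nobody daemon\"' "
          "--with-cgi-id=apache --with-cgi-gid=\\\"apache\\\" --without-permcheck")

if __name__ == "__main__":
    groups, notes = audit(SAMPLE)
    print(groups)
    print("\n".join(notes))
```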