Now for the tricky part. AFS doesn't use standard UNIX permissions, but instead depends on ACLs (ours uses Kerberos V for authentication). To be able to write into the AFS space, any program or shell must have a valid AFS token.
I can do this by creating a "keytab" file; basically, that randomizes the password but lets me use it in shell scripts, etc. I just need to kinit against this file, do my operations, then do a kdestroy.
Now for my questions:
o where should I put these calls? I'm guessing that they should be in wrapper, but do I also need to put it into every binary in $prefix/cgi-bin? It appears that way...
Both the wrapper and all the cgi-bin/* binaries use run_script() from src/common.c for exec()ing the python script that does the job. Off the top of my head, I can't think of anything that needs write access before run_script() is called.
o am I going to run into any locking issues with multiple email and Web servers, or does mailman handle this?
If Mailman's mailing list locking scheme works on AFS, I don't think there should be any problems.
If so, how?
See the MailList.Lock() and .Unlock() methods -- they currently use posixfile.lock().
AFS (like NFS) often has problems with flock() or fcntl() locking (so dot-locking is the preferred method).
Changing Lock() and Unlock() should be pretty straightforward.
o does mailman actually do any permissions checking on files or directories? These checks would fail in AFS.
Grepping the sources for ST_MODE told me of at least one place -- OutGoingQueue.isDeferred() works by checking the setuid bit of the queue file. If I remember my AFS correctly, there is no SUID bit -- so you'd need to change .enqueueMessage, .isDeferred and .deferMessage() to use some other scheme.
Any pointers and/or answers would be appreciated.
Good luck, and let us know how things work out!
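The dot-locking approach mentioned above as the preferred method on AFS, as an added example that is not part of the original message and is not Mailman's code. The class name DotLock, its methods and the ".lock" suffix are hypothetical, and it assumes that exclusive create (O_CREAT | O_EXCL) is atomic on the filesystem in use.

```python
import os
import socket
import time


class DotLock:
    """Hypothetical dot-lock: whoever creates <path>.lock holds the lock."""

    def __init__(self, path):
        self.lockfile = path + ".lock"   # ".lock" suffix is an assumption
        self.held = False

    def holder(self):
        """Return the "host pid" recorded by the current holder, or None."""
        try:
            with open(self.lockfile) as f:
                return f.read().strip() or None
        except FileNotFoundError:
            return None

    def lock(self, timeout=10.0, poll=0.1):
        deadline = time.monotonic() + timeout
        while True:
            try:
                # O_EXCL makes creation fail if the lock file already exists,
                # so only one process can win; no flock()/fcntl() involved.
                fd = os.open(self.lockfile,
                             os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
            except FileExistsError:
                if time.monotonic() >= deadline:
                    raise TimeoutError("locked by %s" % self.holder())
                time.sleep(poll)
                continue
            with os.fdopen(fd, "w") as f:
                # Record who holds it so a stuck lock can be traced by hand.
                f.write("%s %d\n" % (socket.gethostname(), os.getpid()))
            self.held = True
            return

    def unlock(self):
        # Only remove a lock this object created; never someone else's.
        if self.held:
            os.unlink(self.lockfile)
            self.held = False
```

A lock left behind by a crashed process is not broken automatically here; lock() times out and names the recorded holder so the stale file can be removed deliberately.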