[ mailman-Patches-671300 ] allow more than one user group to be specified

SourceForge.net noreply at sourceforge.net
Mon Jan 20 10:44:51 EST 2003


Patches item #671300, was opened at 2003-01-20 13:44
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=671300&group_id=103

Category: cross platform
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: John Dennis (johndennis)
Assigned to: Nobody/Anonymous (nobody)
Summary: allow more than one user group to be specified

Initial Comment:
Mailman security is in part enforced by requiring it execute SGID. When the mail process or the web server attempts to execute a mailman script, a C program is invoked to verify the group permission. Mailman as it is shipped only allows one group to be specified at build time. For users who build and install on their own machine this is not a limitation. However, when making a binary package to be installed on an arbitrary machine it is hard to predict the correct group to use for that installation. Therefore this patch allows us to specify at build time a list of groups that will be iterated over; if the mailman process is executing as any one of the groups in the set of groups then the permission check passes. Since the groups we build with are limited to a small number of safe groups, this does not lower the security much while at the same time providing a much more friendly way to package a binary installation that will run in a wider range of installations.

It was necessary to add the macro MM_FIND_GROUP_LIST to the configure.in file, replacing the original use of MM_FIND_GROUP_NAME; the former operates on a list of group names while the latter on a single name. MM_FIND_GROUP_LIST includes a filter parameter that was added with the notion of supporting the with-permcheck option. If filter is true then only group names that exist on the build machine are permitted in the list, otherwise all names are permitted. However, note that whenever MM_FIND_GROUP_LIST is invoked it is currently hardcoded to disable filtering and is not tied to with-permcheck. This was done because of the observation that if one is passing a list of groups it is likely one is doing so to support installations that have a group not present on the build machine, but one might still want to take advantage of the other with-permcheck functionality.


----------------------------------------------------------------------
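The group-list check described in the comment above can be sketched as follows. This is an added example, not code from the patch or from Mailman: the function names, the group list and the constructed group database are all assumptions made for illustration. It shows the case that unfiltered lists create, where a group name from the build-time list does not exist on the installed host and must be skipped rather than matched.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Maps a group name to a gid: 0 on success, -1 if the name is unknown. */
typedef int (*gid_resolver)(const char *name, gid_t *out);

/* Resolver backed by the host's group database. */
static int resolve_system(const char *name, gid_t *out)
{
    struct group *gr = getgrnam(name);
    if (gr == NULL)
        return -1;
    *out = gr->gr_gid;
    return 0;
}

/* Constructed sample database; "apache" is deliberately absent. */
static int resolve_constructed(const char *name, gid_t *out)
{
    if (strcmp(name, "mail") == 0)   { *out = 8; return 0; }
    if (strcmp(name, "daemon") == 0) { *out = 1; return 0; }
    return -1;
}

/* Returns the index of the allowed group matching caller, or -1 (deny). */
int match_allowed_group(gid_t caller, const char *const *allowed, size_t n,
                        gid_resolver resolve)
{
    for (size_t i = 0; i < n; i++) {
        gid_t gid;
        /* A name missing on this host is skipped, never treated as a match. */
        if (allowed[i] == NULL || resolve(allowed[i], &gid) != 0)
            continue;
        if (gid == caller)
            return (int)i;
    }
    return -1; /* empty list or no match: fail closed */
}

int main(void)
{
    /* Hypothetical build-time group list. */
    const char *const groups[] = { "apache", "mail", "daemon" };
    int sys = match_allowed_group(getgid(), groups, 3, resolve_system);
    int demo = match_allowed_group(8, groups, 3, resolve_constructed);
    printf("system db: %d, constructed db: %d\n", sys, demo);
    return 0;
}
```

Every name in the list widens the set of callers the SGID wrapper accepts, so the list is best kept to groups used only by the mail and web server processes.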
