[Bug 1696066] [NEW] Postfix module - Mailman wrapper - Couldn't write data/aliases.db and data/virtual-mailman.db files

Laurent Declercq 1696066 at bugs.launchpad.net
Tue Jun 6 03:41:04 EDT 2017


Public bug reported:

Dear project leader

At least in version 2.1.23, there is a bug regarding permissions set for
Mailman data/aliases table and Mailman data/virtual-mailman map when
these files are created from scratch.

Here I describe the current behavior for the Mailman data/aliases table
only but the problem is identical for the Mailman data/virtual-mailman
map.

In order, the following conditions have to be met:

- Postfix need read access to the aliases.db file
- Mailman like to be owner of those files and the Mailman group needs write access to them

I. Postfix needs a read access to the aliases.db file

We can either set permissions as 0660 and add postfix user to mailman
group (what I've done), or set the permissions as 0664

II. Mailman group needs a write access to those files at any time

The following behavior has been observed:

When creating a new list on command line, using bin/newlist script as
follow:

    # newlist -u virtualhost foobar

the files will be created as follow:

-rw-rw---- 1 root list aliases
-rw-r----- 1 root list aliases.db

The same thing has been observed when recreating the file from scratch
using bin/genaliases:

-rw-rw---- 1 root list aliases
-rw-r----- 1 root list aliases.db

Note that in both cases, files were not present. Thus, they were created
from scratch.

As you can see here, the Mailman data/aliases table is created with the
expected group and permissions but the data/aliases.db file is only
writable by owner. From the POSTALIAS(1) command point of view, that is
the expected behavior: The file is created with the same group and other
read permissions as their source file.

The problem here is that with those permissions, creating a list through
Mailman interface later on will result in a permissions denied error
because the Mailman group, through the wrapper, cannot write (update)
the aliases.db file (no write permissions).

That is really a problem. Of course, one can just pre-create the files
as follow:

# cd /var/lib/mailman
# sg list -c "touch data/aliases && postalias data/aliases"
# chmod 0660 data/aliases*

but that seem tedious. What if at some point (for any reason), the files
get recreated from scratch?

So, from my point of view, the MTA/Postfix.py module should always set
correct permissions on resulting *.db file, after running POSTALIAS(1)
command to be sure that Mailman group has write permissions, at least
when the files are created from scratch.

Thank you.

** Affects: mailman
     Importance: Undecided
         Status: New

** Affects: mailman (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: mailman (Debian)
     Importance: Undecided
         Status: New

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these file get created from scratch and which I describe below for the
  Mailman data/aliases table only but the problem is identical for the
  Mailman data/virtual-mailman map.
  
  In order, the following conditions have to be meet:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix need read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group need write access to those files at any time
  
  Currently, the following behavior has been observed.
  
- When creating a new list on command line, using newlist as follow: '#
- newlist -u virtualhost foobar', the files will be created as follow
+ When creating a new list on command line, using newlist script as
+ follow:
+ 
+     # newlist -u virtualhost foobar
+ 
+ the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
- using bin/genaliases
+ using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
- Note that in both case, files were not present. Thus, they were created
+ Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
  the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these file get created from scratch and which I describe below for the
  Mailman data/aliases table only but the problem is identical for the
  Mailman data/virtual-mailman map.
  
  In order, the following conditions have to be meet:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
- I. Postfix need read access to the aliases.db file
+ I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
- II. Mailman group need write access to those files at any time
+ II. Mailman group needs a write access to those files at any time
  
  Currently, the following behavior has been observed.
  
  When creating a new list on command line, using newlist script as
  follow:
  
-     # newlist -u virtualhost foobar
+     # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
  the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these file get created from scratch and which I describe below for the
  Mailman data/aliases table only but the problem is identical for the
  Mailman data/virtual-mailman map.
  
  In order, the following conditions have to be meet:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
- Currently, the following behavior has been observed.
+ The following behavior has been observed:
  
  When creating a new list on command line, using newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
  the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these file get created from scratch and which I describe below for the
  Mailman data/aliases table only but the problem is identical for the
  Mailman data/virtual-mailman map.
  
  In order, the following conditions have to be meet:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
  the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *db file, after running POSTALIAS(1)
- command to be sure that Mailman group has write permissions.
+ command to be sure that Mailman group has write permissions, at least
+ when the files are create from scratch.
+ 
+ Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
- these file get created from scratch and which I describe below for the
- Mailman data/aliases table only but the problem is identical for the
- Mailman data/virtual-mailman map.
+ these files are created from scratch.
+ 
+ Here I describe the current behavior for the Mailman data/aliases table
+ only but the problem is identical for the Mailman data/virtual-mailman
+ map.
  
  In order, the following conditions have to be meet:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
  the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are create from scratch.
  
  Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
- In order, the following conditions have to be meet:
+ In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
  the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are create from scratch.
  
  Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
  In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
- The problem here is that with those permissions, creating a list through Mailman interface later on will result in a permissions denied error because
- the Mailman group, through the wrapper, cannot write (update) the aliases.db file (no write permissions).
+ The problem here is that with those permissions, creating a list through
+ Mailman interface later on will result in a permissions denied error
+ because the Mailman group, through the wrapper, cannot write (update)
+ the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
- correct permissions on resulting *db file, after running POSTALIAS(1)
+ correct permissions on resulting *.db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are create from scratch.
  
  Thank you.

** Also affects: mailman (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: mailman (Debian)
   Importance: Undecided
       Status: New

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
  In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through
  Mailman interface later on will result in a permissions denied error
  because the Mailman group, through the wrapper, cannot write (update)
  the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *.db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
- when the files are create from scratch.
+ when the files are created from scratch.
  
  Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
  In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
- When creating a new list on command line, using newlist script as
+ When creating a new list on command line, using bin/newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through
  Mailman interface later on will result in a permissions denied error
  because the Mailman group, through the wrapper, cannot write (update)
  the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *.db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are created from scratch.
  
  Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
  In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using bin/newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through
  Mailman interface later on will result in a permissions denied error
  because the Mailman group, through the wrapper, cannot write (update)
  the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
- # chmod 0660 data/aliases
+ # chmod 0660 data/aliases.db
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *.db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are created from scratch.
  
  Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
  In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
  group or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using bin/newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through
  Mailman interface later on will result in a permissions denied error
  because the Mailman group, through the wrapper, cannot write (update)
  the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
- # chmod 0660 data/aliases.db
+ # chmod 0660 data/aliases*
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *.db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are created from scratch.
  
  Thank you.

** Description changed:

  Dear project leader
  
  At least in version 2.1.23, there is a bug regarding permissions set for
  Mailman data/aliases table and Mailman data/virtual-mailman map when
  these files are created from scratch.
  
  Here I describe the current behavior for the Mailman data/aliases table
  only but the problem is identical for the Mailman data/virtual-mailman
  map.
  
  In order, the following conditions have to be met:
  
  - Postfix need read access to the aliases.db file
  - Mailman like to be owner of those files and the Mailman group needs write access to them
  
  I. Postfix needs a read access to the aliases.db file
  
  We can either set permissions as 0660 and add postfix user to mailman
- group or set the permissions as 0664
+ group (what I've done), or set the permissions as 0664
  
  II. Mailman group needs a write access to those files at any time
  
  The following behavior has been observed:
  
  When creating a new list on command line, using bin/newlist script as
  follow:
  
      # newlist -u virtualhost foobar
  
  the files will be created as follow:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  The same thing has been observed when recreating the file from scratch
  using bin/genaliases:
  
  -rw-rw---- 1 root list aliases
  -rw-r----- 1 root list aliases.db
  
  Note that in both cases, files were not present. Thus, they were created
  from scratch.
  
  As you can see here, the Mailman data/aliases table is created with the
  expected group and permissions but the data/aliases.db file is only
  writable by owner. From the POSTALIAS(1) command point of view, that is
  the expected behavior: The file is created with the same group and other
  read permissions as their source file.
  
  The problem here is that with those permissions, creating a list through
  Mailman interface later on will result in a permissions denied error
  because the Mailman group, through the wrapper, cannot write (update)
  the aliases.db file (no write permissions).
  
  That is really a problem. Of course, one can just pre-create the files
  as follow:
  
  # cd /var/lib/mailman
  # sg list -c "touch data/aliases && postalias data/aliases"
  # chmod 0660 data/aliases*
  
  but that seem tedious. What if at some point (for any reason), the files
  get recreated from scratch?
  
  So, from my point of view, the MTA/Postfix.py module should always set
  correct permissions on resulting *.db file, after running POSTALIAS(1)
  command to be sure that Mailman group has write permissions, at least
  when the files are created from scratch.
  
  Thank you.

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1696066

Title:
  Postfix module - Mailman wrapper - Couldn't write data/aliases.db and
  data/virtual-mailman.db files

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1696066/+subscriptions


More information about the Mailman-coders mailing list