[Mailman-Developers] mailman and AFS?
Harald Meland
Harald.Meland@usit.uio.no
04 May 1999 02:23:34 +0200
[Christopher Lindsey]
> Now for the tricky part. AFS doesn't use standard UNIX permissions,
> but instead depends on ACLs (ours uses Kerberos V for authentication).
> To be able to write into the AFS space, any program or shell must
> have a valid AFS token.
>
> I can do this by creating a "keytab" file; basically, that randomizes
> the password but lets me use it in shell scripts, etc. I just need
> to kinit against this file, do my operations, then do a kdestroy.
>
> Now for my questions:
>
> o where should I put these calls? I'm guessing that they should be
> in wrapper, but do I also need to put it into every binary
> in $prefix/cgi-bin? It appears that way...
Both the wrapper and all the cgi-bin/* binaries use run_script() from
src/common.c for exec()ing the python script that does the job. Off
the top of my head, I can't think of anything that needs write access
before run_script() is called.
> o am I going to run into any locking issues with multiple email and
> Web servers, or does mailman handle this?
If Mailman's mailing list locking scheme works on AFS, I don't think
there should be any problems.
> If so, how?
See the MailList.Lock() and .Unlock() methods -- they currently use
posixfile.lock().
> AFS (like NFS) often has problems with flock() or fcntl()
> locking (so dot-locking is the preferred method).
Changing Lock() and Unlock() should be pretty straightforward.
> o does mailman actually do any permissions checking on files or
> directories? These checks would fail in AFS
Grepping the sources for ST_MODE told me of at least one place --
OutGoingQueue.isDeferred() works by checking the setuid bit of the
queue file. If I remember my AFS correctly, there is no SUID bit --
so you'd need to change .enqueueMessage, .isDeferred and
.deferMessage() to use some other scheme.
> Any pointers and/or answers would be appreciated.
Good luck, and let us know how things work out!
--
Harald
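
Added example, not part of the original message and not Mailman's own code: a dot-lock of the kind mentioned above as the preferred method on AFS, which could stand in for the posixfile.lock() calls behind Lock() and Unlock(). The DotLock class, its method names and the ".lock" suffix are hypothetical, and the code assumes that exclusive file creation (O_CREAT|O_EXCL) is atomic on the filesystem holding the list data.

```python
import os
import time


class DotLock:
    """Advisory lock taken by exclusively creating <path>.lock (hypothetical helper)."""

    def __init__(self, path):
        self.lockfile = path + ".lock"
        self.held = False

    def _try_create(self):
        try:
            # O_EXCL makes the create fail if the lock file already exists,
            # so only one process can win; no flock()/fcntl() is involved.
            fd = os.open(self.lockfile,
                         os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)
        except FileExistsError:
            return False
        with os.fdopen(fd, "w") as f:
            f.write("%d\n" % os.getpid())  # record the holder for debugging
        return True

    def lock(self, timeout=10.0, poll=0.1):
        """Poll until the lock is taken; return False if timeout expires."""
        deadline = time.monotonic() + timeout
        while True:
            if self._try_create():
                self.held = True
                return True
            if time.monotonic() >= deadline:
                return False
            time.sleep(poll)

    def unlock(self):
        """Remove the lock file, but only if this object created it."""
        if not self.held:
            return
        try:
            os.unlink(self.lockfile)
        except FileNotFoundError:
            pass  # already removed, e.g. by an administrator
        self.held = False
```

A process that dies while holding the lock leaves the .lock file behind, so a real deployment also needs a policy for clearing stale locks.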