[Mailman-Developers] mailman 2.x user/group name

Okan Demirmen okan at demirmen.com
Wed Feb 7 19:10:26 EST 2018


Hi all,

I noticed a conversation on the recent thread releasing 2.1.26, but
wanted to start a new thread that'll hopefully stay on-topic.

Because the mailman configure requires the user and group to exist prior
to running, as well as hard coding the actual values once run, it
becomes very hard for porters/packagers when trying to support multiple
mail servers and their respective user/group configurations (sendmail,
postfix, exim, opensmtpd, etc.); and additionally the various web
servers. Either we have to create a package for every combination or
come up with another solution.

What I did for the OpenBSD ports tree was to rewrite check_caller() in
src/common.c (with src/common.h addition). It allows one to set the
username, groupname, cgi-gid and mail-gid all via configure without
these having to be set up beforehand. From the log message:

- Rewrite src/common.c:check_caller() for the cgi/mail wrapper to now
  look at the defined group membership instead, _mailmanq (a new group).
  This allows the administrator to switch mail servers and web servers
  without requiring a FLAVOR for each combination; but rather, by simply
  adding the cgi/mail user to the _mailmanq group. This is a diversion
  from upstream, but will be proposed. At least sthen@ and dlg@ agree to
  go in this general direction.

Here as well:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/mail/mailman/patches/patch-src_common_c
https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/mail/mailman/patches/patch-src_common_h

In the OpenBSD ports tree, configure is now run with:
	--with-username=_mailman \
	--with-groupname=_mailman \
	--with-cgi-gid=_mailmanq \
	--with-mail-gid=_mailmanq

and the admin can change/migrate mail servers as well as web servers by
just mucking with group memberships; no need to rebuild - allows mailman
to be packaged basically.

I realize now I never sent this upstream, so better late than never :)

Inline patch to src/common.[ch] to follow, hopefully in the same style
as the original.

Considerations, thoughts?

Thanks,
Okan

$OpenBSD: patch-src_common_h,v 1.1 2016/04/22 16:42:14 okan Exp $
--- src/common.h.orig	Sun Mar 20 13:48:18 2016
+++ src/common.h	Sun Mar 20 13:53:00 2016
@@ -27,6 +27,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <grp.h>
+#include <pwd.h>
 #include <unistd.h>
 
 /* GETGROUPS_T gets set in the makefile by configure */
@@ -52,6 +53,7 @@ extern const char* logident;
 #define MAIL_ILLEGAL_COMMAND 6
 #define ADDALIAS_USAGE_ERROR 7
 #define GROUP_NAME_NOT_FOUND 8
+#define USER_NAME_NOT_FOUND 9
 
 
 /*
$OpenBSD: patch-src_common_c,v 1.1 2016/04/22 16:42:14 okan Exp $
--- src/common.c.orig	Sun Feb 28 15:47:44 2016
+++ src/common.c	Sun Mar 20 16:22:35 2016
@@ -119,45 +119,39 @@ fatal(const char* ident, int exitcode, char* format, .
 void
 check_caller(const char* ident, const char* parentgroup)
 {
-        GID_T mygid = getgid();
-        struct group *mygroup = getgrgid(mygid);
-        char* option;
-        char* server;
+	struct passwd *pw;
+	struct group *gr;
+	char **g;
+	int ok = 0;
         char* wrapper;
 
-        if (running_as_cgi) {
-                option = "--with-cgi-gid";
-                server = "web";
-                wrapper = "CGI";
-        }
-        else {
-                option = "--with-mail-gid";
-                server = "mail";
-                wrapper = "mail";
-        }
+	pw = getpwuid(getuid());
+	if (pw == NULL)
+		fatal(ident, USER_NAME_NOT_FOUND,
+		      "Failure to find username");
 
-        if (!mygroup)
-                fatal(ident, GROUP_NAME_NOT_FOUND,
-                      "Failure to find group name for GID %d.  Mailman\n"
-                      "expected the %s wrapper to be executed as group\n"
-                      "\"%s\", but the system's %s server executed the\n"
-                      "wrapper as GID %d for which the name could not be\n"
-                      "found.  Try adding GID %d to your system as \"%s\",\n"
-                      "or tweak your %s server to run the wrapper as group\n"
-                      "\"%s\".",
-                      mygid, wrapper, parentgroup, server, mygid, mygid,
-                      parentgroup, server, parentgroup);
+	gr = getgrnam(parentgroup);
+	if (gr == NULL)
+		fatal(ident, GROUP_NAME_NOT_FOUND,
+		      "Failure to find \"%s\" group", parentgroup);
 
-        if (strcmp(parentgroup, mygroup->gr_name))
-                fatal(ident, GROUP_MISMATCH,
-                      "Group mismatch error.  Mailman expected the %s\n"
-                      "wrapper script to be executed as group \"%s\", but\n"
-                      "the system's %s server executed the %s script as\n"
-                      "group \"%s\".  Try tweaking the %s server to run the\n"
-                      "script as group \"%s\", or re-run configure, \n"
-                      "providing the command line option `%s=%s'.",
-                      wrapper, parentgroup, server, wrapper, mygroup->gr_name,
-                      server, parentgroup, option, mygroup->gr_name);
+	for (g = gr->gr_mem; *g; g++) {
+		if (strcmp(pw->pw_name, *g) == 0) {
+			ok = 1;
+			break;
+		}
+	}
+
+	if (running_as_cgi)
+		wrapper = "CGI";
+	else
+		wrapper = "mail";
+
+	if (ok == 0)
+		fatal(ident, GROUP_MISMATCH,
+		      "Group mismatch error.  Mailman expected the %s\n"
+		      "wrapper script to be executed by a member of\n"
+		      "\"%s\" group.", wrapper, parentgroup);
 }
 
 
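Review bot: The membership loop over gr->gr_mem in check_caller() rejects a caller whose primary group is parentgroup, because getgrnam() returns only the members listed in the group entry and not accounts that belong to the group through pw_gid. Accepting `pw->pw_gid == gr->gr_gid` before walking gr_mem would cover that case. The check also changes from the process's own gid (the removed getgid()/getgrgid() lines) to a name-database lookup for the real uid, so any account listed in the group may now run the wrapper; that is the stated intent, but it deserves a comment on check_caller() so the trust boundary is explicit to whoever manages the group. The new fatal() messages drop all caller detail: printing the numeric uid in the USER_NAME_NOT_FOUND text and pw->pw_name in the GROUP_MISMATCH text would tell the administrator which account to add. Finally, the added lines are tab-indented while the surrounding context (for example `char* wrapper;`) uses spaces.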

