[Mailman-Users] Group mismatch error

Mark Sapiro msapiro at value.net
Thu Feb 15 06:23:29 CET 2007


Barry Finkel wrote:
>
>The patch appears to be calling
>
>     check_caller
>
>only if the group is over 99 and not 65534, and it is calling that
>routine with a different parent group.  But the mail-wrapper.c code has
>
>     #define LEGAL_PARENT_GROUP MAIL_GROUP
>     const char* parentgroup = LEGAL_PARENT_GROUP;


It's not really different. MAIL_GROUP is defined in the 'cc' command
generated by configure with value equal to the --with-mail-gid
argument or default. Then the first line above defines
LEGAL_PARENT_GROUP with the value of MAIL_GROUP. The second line
defines parentgroup as a constant character pointer (or string) equal
to LEGAL_PARENT_GROUP. Whether check_caller is called with a second
argument of parentgroup or LEGAL_PARENT_GROUP, the result is going to
be the same although the latter may produce a compiler warning.


>I have no idea for the reasoning behind "Don't check caller gid in
>mail-wrapper", nor do I understand the reasoning for the "nobody" and
>"< 100" GID checks.  I do not know if the change to the second parameter
>of check_caller is significant.


If you didn't read
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.016.htp>
which I referenced previously, read it now.

In brief summary, the MTA invokes Mailman's wrapper which is SETGID and
Mailman's group ('list' in your case IIRC). Thus, the wrapper and the
scripts it calls run as group 'list' so they have the permissions they
need.

In order to prevent anyone who might have shell access to the server
from running the wrappers as commands and doing whatever they might
do, the wrapper is written to expect to be invoked by a specific group
- the group that the MTA runs it as in the case of the mail wrapper,
the group that the web server runs CGIs as in the case of the CGI
wrappers. If it is not invoked by the expected group, it refuses to
run (it dies in check_caller).


The Debian/Ubuntu patch allows any group with GID <100 in addition to
the precompiled 'expected' group, presumably on the theory that
untrusted users all have GIDs >=100 so letting any GID <100 run the
wrapper is OK.


>When I built my 2.1.9 package, I did not include any of the Debian
>patches except for one that changes two parameters in Defaults.py.in:
>
>     IMAGE_LOGOS
>     DEFAULT_URL_PATTERN
>
>What I have on my Ubuntu test system in /etc/group is:
>
>     daemon:x:1:
>     list:x:38:
>
>I have to conclude that the straight Ubuntu/Debian package installation
>was not checking the group-id because the daemon and list groups have
>ID below 100.  When I built and installed the 2.1.9 Ubuntu package
>without this patch, the Mailman code began checking the group-id and
>found a mismatch.
>
>I would appreciate it if someone would confirm my conclusions.  Thanks.


Your conclusion as I understand it is correct.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
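
The two policies discussed in this thread, side by side, as an added example (not Mailman's wrapper code and not the Debian/Ubuntu patch itself). The function names, the expected GID 8, the group name "mail" and the caller GID 1000 are constructed assumptions; GIDs 1 and 38 are the daemon and list entries quoted above, and the <100 and 65534 thresholds are the ones described in the thread.

```c
#include <grp.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Thresholds as described in the thread for the Debian/Ubuntu patch. */
#define SYSTEM_GID_LIMIT 100
#define NOBODY_GID 65534

/* Strict policy: only the group fixed at build time may invoke the wrapper. */
static bool strict_allows(gid_t caller, gid_t expected)
{
    return caller == expected;
}

/* Relaxed policy: GIDs below 100 and GID 65534 skip the comparison. */
static bool relaxed_allows(gid_t caller, gid_t expected)
{
    if (caller < SYSTEM_GID_LIMIT || caller == NOBODY_GID)
        return true;
    return strict_allows(caller, expected);
}

/* Check the invoking process. A setgid binary changes the effective GID,
 * so the real GID from getgid() still identifies the invoker's group.
 * An unknown group name fails closed under either policy. */
static bool invoker_allowed(const char *expected_group, bool relaxed)
{
    const struct group *gr = getgrnam(expected_group);
    if (gr == NULL)
        return false;
    return relaxed ? relaxed_allows(getgid(), gr->gr_gid)
                   : strict_allows(getgid(), gr->gr_gid);
}

int main(void)
{
    const gid_t expected = 8; /* constructed: stands in for the build-time group */
    const gid_t callers[] = { 8, 1, 38, 65534, 1000 }; /* 1 and 38 are from the post */
    for (size_t i = 0; i < sizeof callers / sizeof callers[0]; i++)
        printf("gid %-5lu strict=%d relaxed=%d\n", (unsigned long)callers[i],
               strict_allows(callers[i], expected),
               relaxed_allows(callers[i], expected));
    printf("this process vs. group \"mail\": %d\n", invoker_allowed("mail", false));
    return 0;
}
```

Under the relaxed policy every GID below 100 passes regardless of the expected group, which is why a package built without the patch starts reporting a mismatch that the patched package never surfaced.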


