[Mailman-Users] The Dreaded Group Mismatch Error

Mark Sapiro mark at msapiro.net
Mon Apr 26 19:23:45 CEST 2010


On 4/26/2010 9:47 AM, Lindsay Haisley wrote:
> 
> I'm not entirely sure of the difference between the --with-groupname and
> --with-group-gid, both of which accept a name but have different
> functions.  I do know that for my server distribution (gentoo Linux)
> it's essential that the environment setting which controls the
> --with-mail-gid configuration setting match the mail group which the MTA
> runs as.


--with-groupname sets Mailman's group. This is the group of the files
and directories in Mailman's file tree, and is the group that is able to
run Mailman's bin commands successfully and access Mailman's Python API.
It is the group the qrunners run as.

Because you don't want to give the web server user/group and the MTA
user/group the ability to access this stuff directly for security
reasons, the web server and MTA access Mailman through compiled SETGID
wrappers that set the effective GID to Mailman's group (as set by
--with-groupname). As an additional security check, these wrappers are
compiled to expect to be invoked by a particular group and will issue
the group mismatch error if invoked by some other group. The expected
MTA group is set by --with-mail-gid and the expected web server group by
--with-cgi-gid.

See the FAQ at <http://wiki.list.org/x/tYA9> for more. The FAQ refers to
Mailman's group as 'mailman' which is the default, but can be changed by
the --with-groupname option to configure.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
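
The invoking-group check described in the message above, sketched as an added example; it is not part of the original post and is not Mailman's wrapper source. The macro EXPECTED_MAIL_GROUP, its value "mail", and the function names are assumptions made for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: stands in for the group baked in at build time
 * by --with-mail-gid; "mail" is a constructed sample value. */
#ifndef EXPECTED_MAIL_GROUP
#define EXPECTED_MAIL_GROUP "mail"
#endif

enum check_result { CALLER_OK = 0, CALLER_MISMATCH = 1, CALLER_UNKNOWN = 2 };

/* Compare an already-resolved group name with the compiled-in one.
 * A missing name fails closed: an unknown caller is never accepted. */
enum check_result check_group_name(const char *caller, const char *expected)
{
    if (caller == NULL || expected == NULL)
        return CALLER_UNKNOWN;
    return strcmp(caller, expected) == 0 ? CALLER_OK : CALLER_MISMATCH;
}

/* Resolve the REAL gid. On a setgid binary the effective gid is
 * already Mailman's group, so only the real gid identifies the
 * process (MTA or web server) that invoked the wrapper. */
enum check_result check_invoking_group(gid_t real_gid, const char *expected)
{
    struct group *gr = getgrgid(real_gid);
    return check_group_name(gr ? gr->gr_name : NULL, expected);
}

int main(void)
{
    if (check_invoking_group(getgid(), EXPECTED_MAIL_GROUP) != CALLER_OK) {
        fprintf(stderr, "group mismatch: expected invoking group \"%s\"\n",
                EXPECTED_MAIL_GROUP);
        return 1;   /* refuse before touching anything in Mailman's tree */
    }
    /* A real wrapper would exec its target script here. */
    puts("invoking group accepted");
    return 0;
}
```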


