Thus spake Richard Barrett on Thu, Jul 01, 2004 at 06:01:50PM CDT
>
> On 1 Jul 2004, at 22:08, [EMAIL PROTECTED] wrote:
>
> >I solved this by hacking src/common.c so as to only compare the process
> >group name with parentgroup if strcmp("mailman", mygroup->gr_name)
> >returns non-zero. This solves the problem, but surely there must be a
> >more elegant solution.
> >
>
> I do not grok courier but why on earth is the delivery of a message to
> one list alias versus a message to another list alias done in some
> different way by the MTA such that the euid/egid under which Mailman's
> delivery script is executed is different? It seems to be this which is
> causing the problem rather than some deficiency in Mailman's security
> wrapper for its delivery script.

Courier delivers, by default, to Maildir structures in a user's
filespace and the MDA process sets its user/group to match the
user/group of the delivery target. Lists are set up as virtual mail
aliases. In this case, courier runs as the user/group of the virtual
mail user (vmail:courier), as determined by the authentication database
(or /etc/passwd) which belongs to the 'courier' group. When bounces come
back to 'mailman-anything...' the MDA runs as the user/group of the
mailman user. Mailman belongs to the 'mailman' group and isn't a virtual
user but a real user. You have to understand how courier works, but it's
entirely logical.

According to Sam Varshavchik, the principal developer of courier, the
user/group of the delivery process should be determined by the MySQL
authentication database, however it looks as if it's being determined by
the uid/gid set in /etc/passwd instead. I'm going to approach the
problem from that angle and see if I can figure out what's happening and
maybe get courier to set the delivery gid independent of the mailman
user gid.

> >>According to the mailman INSTALL document, one can configure mailman at
> >>build time to accept any one
>
> Yes one is selected at configuration time from the options you provide
> and then that one is baked into the security wrapper you have hacked.
> It is not a list of options for execution time of the wrapper.

OK, I misunderstood the INSTALL doc, and what you say matches the code.
Thanks for the clarification. The hack I did works, although it's not
elegant, and since apparently I need to solve the problem from the point
of view of the MTA/MDA rather than mailman, I'll let it stand until I
figure out what's going on. I have lots of people depending on the list
server.
Opening up security so that it accepts mail from group 'mailman' as well
as group 'courier' won't get me fire-bombed by the Bad Guys (not yet,
anyway :-)

--
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |  if you let it"      |      available at
512-259-1190          |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |
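
Added example, not part of the original message and not Mailman's own code: a sketch in C of the kind of check discussed in this thread, where a wrapper resolves the calling process's gid to a group name and accepts it only if it matches a name fixed at build time. It generalizes the single baked-in group to an explicit allowlist that fails closed; `ALLOWED_GROUPS`, `group_name_allowed` and `gid_allowed` are hypothetical names, and reading the caller's group with `getgid()` is an assumption.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical build-time setting: groups the MTA/MDA may run as. */
static const char *const ALLOWED_GROUPS[] = { "courier", "mailman" };
#define N_ALLOWED (sizeof ALLOWED_GROUPS / sizeof ALLOWED_GROUPS[0])

/* Return 1 only if name is exactly one of the allowed groups.
 * A NULL or empty name (gid with no group entry) is always rejected. */
int group_name_allowed(const char *name,
                       const char *const *allowed, size_t n)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Resolve a gid to a group name and check it; a failed lookup is a reject. */
int gid_allowed(gid_t gid, const char *const *allowed, size_t n)
{
    struct group *gr = getgrgid(gid);
    return group_name_allowed(gr ? gr->gr_name : NULL, allowed, n);
}

int main(void)
{
    gid_t gid = getgid();   /* assumption: caller's real gid is what is checked */
    if (!gid_allowed(gid, ALLOWED_GROUPS, N_ALLOWED)) {
        struct group *gr = getgrgid(gid);
        /* Log both name and gid so a mismatch like courier vs mailman is visible. */
        fprintf(stderr, "group mismatch: got %s (gid %ld)\n",
                gr ? gr->gr_name : "(unknown)", (long)gid);
        return 2;
    }
    puts("caller group accepted");
    return 0;
}
```

Unlike skipping the comparison for one group name, the allowlist keeps every accepted group listed in one place and still rejects a gid that has no group entry.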