[Mailman-Developers] Mailman 2.1.26 Security release Feb 4, 2018

Sebastian Hagedorn Hagedorn at uni-koeln.de
Thu Feb 8 05:32:39 EST 2018


Thank you for this detailed analysis that goes far above and beyond what 
one can reasonably expect! I did not expect the issue to be caused by the 
patches specific to Red Hat, otherwise I wouldn't have bothered you with 
this.

--On 7 February 2018 at 15:22:24 -0800 Mark Sapiro <mark at msapiro.net> wrote:

> On 02/07/2018 01:38 PM, Sebastian Hagedorn wrote:
>>
>> Hm, part of that was an artifact of running configure manually instead
>> of using the SPEC file I usually use to build Mailman. With the latter
>> and my "fix" I get the following:
>>
>> $ mailman-config
>> Configuration and build information for Mailman
>>
>> Mailman version: 2.1.26
>> Build Date:      Wed Feb  7 13:23:45 CET 2018
>>
>> prefix:          /usr/lib/mailman
>> var_prefix:      /var/lib/mailman
>> mailman_user:    mailman
>> mailman_group:   mailman
>> mail_group:      mail postfix mailman nobody daemon
>> cgi_group:       apache
>>
>> configure_opts: "--prefix=/usr/lib/mailman
>> --with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman
>> --with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman
>> --with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman
>> --with-python=/usr/bin/python2.7 --with-mail-gid=mail postfix mailman
>> nobody daemon --with-cgi-id=apache --with-cgi-gid=apache
>> --with-mailhost=localhost.localdomain
>> --with-urlhost=localhost.localdomain --without-permcheck"
>>
>> So it's still using --without-permcheck, but the other options are there.
>
>
> When I run that command without having made any changes in the unpacked
> tarball on a machine without a 'mailman' user, but with a 'mail' group,
> I get this from configure
>
> configure: WARNING: unrecognized options: --with-config-dir,
> --with-lock-dir, --with-log-dir, --with-pid-dir, --with-queue-dir,
> --with-cgi-id
>
> This is expected because those options to configure were added by RedHat
> as part of their FHS compliance patch. See
> <https://wiki.list.org/x/8486953> and
> <https://mail.python.org/pipermail/mailman-developers/2004-October/017343.html>

Right, we've been using the Red Hat patches for many years. Even on RHEL 7 
Red Hat only provides an RPM for 2.1.15, so at some point I took the SPEC 
file from their source RPM and have been updating it myself.

> I get this from the bin/mailman-config command
>
> Configuration and build information for Mailman
>
> Mailman version: 2.1.26
> Build Date:      Wed Feb  7 14:19:11 PST 2018
>
> prefix:          /usr/lib/mailman
> var_prefix:      /var/lib/mailman
> mailman_user:
> mailman_group:
> mail_group:      mail
> cgi_group:       apache
>
> configure_opts: "--prefix=/usr/lib/mailman
> --with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman
> --with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman
> --with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman
> --with-python=/usr/bin/python2.7 --with-mail-gid=mail postfix mailman
> nobody daemon --with-cgi-id=apache --with-cgi-gid=apache
> --with-mailhost=localhost.localdomain
> --with-urlhost=localhost.localdomain --without-permcheck"
>
> The empty mailman_user and mailman_group are because there is no
> 'mailman' user/group on the system I ran it on, and the fact that I get
> mail_group = 'mail' rather than 'mail postfix mailman nobody daemon' is
> because there is a 'mail' group (it picks the first group that exists
> from that list and only yields the whole list as the result if none exist).
>
> I suspect that your actual configure command options rather than the
> ones reported by your bin/mailman-config are something like
>
> --prefix=/usr/lib/mailman --with-var-prefix=/var/lib/mailman
> --with-config-dir=/etc/mailman --with-lock-dir=/var/lock/mailman
> --with-log-dir=/var/log/mailman --with-pid-dir=/var/run/mailman
> --with-queue-dir=/var/spool/mailman --with-python=/usr/bin/python2.7
> --with-mail-gid='"mail postfix mailman nobody daemon"'
> --with-cgi-id=apache --with-cgi-gid=\"apache\"
> --with-mailhost=localhost.localdomain
> --with-urlhost=localhost.localdomain --without-permcheck
>
> and that's where the extraneous quotes are coming from. I think the
> passing of a list to --with-mail-gid relies on another RedHat
> modification to the mail wrapper to be able to dynamically configure the
> mail group and not build it in to the RPM.

In our SPEC file it looks like this:

./configure \
        --prefix=%{mmdir} \
        --with-var-prefix=%{varmmdir} \
        --with-config-dir=%{configdir} \
        --with-lock-dir=%{lockdir} \
        --with-log-dir=%{logdir} \
        --with-pid-dir=%{piddir} \
        --with-queue-dir=%{queuedir} \
        --with-python=/usr/bin/python2.7 \
        --with-mail-gid=%{mailgroup} \
        --with-cgi-id=%{cgiuser} \
        --with-cgi-gid=%{cgigroup} \
        --with-mailhost=localhost.localdomain \
        --with-urlhost=localhost.localdomain \
        --without-permcheck

The variables in question are defined like this:

# Now, the groups your mail spoolers run as.  Sendmail uses 'mail'(12)
# and postfix used to use 'nobody', but now uses 'postfix'
%define mailgroup  "mail postfix mailman nobody daemon"

# Now, the user and group the CGIs will expect to be run under.  This should
# match the user and group the web server is configured to run as.  The scripts
# will error out if they are invoked by any other user.
%define cgiuser    apache
%define cgigroup   apache

That explains the quotes for mailgroup, although I don't understand where
the quotes for cgigroup come from ...

> The question is what are you trying to do.
>
> If you just want to build a working Mailman 2.1.26 installation, I
> suggest removing the --with-config-dir, --with-lock-dir, --with-log-dir,
> --with-pid-dir, --with-queue-dir, --with-cgi-id options and setting
> --with-mail-gid and --with-cgi-gid to the appropriate single groups
> without any quotes.

That would be fine for a new installation but I'm wary of such a change on 
an active system. In hindsight we should never have used the RPMs provided 
by Red Hat in the first place.

> If you are trying to build a RHEL FHS compliant Mailman, start by
> porting the patch in the attachment to
> <https://mail.python.org/pipermail/mailman-developers/2004-October/017343.html>
> configure.in

That's what we're already doing.

> and take any resultant issues to RedHat.

That part is useless, unfortunately.

> Note, the last I
> knew, John Dennis was still at RedHat, but was no longer working with
> Mailman, but that was a long time ago. In case it isn't obvious, I
> recommend the first approach.

As I mentioned I "fixed" this by removing the quotes around @MAIL_GROUP@
and @CGI_GROUP@. I have included that patch in our SPEC file with a note
not to bother the community with that issue.
-- 
    .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
                 .:.Regionales Rechenzentrum (RRZK).:.
   .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
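The group-selection behaviour Mark describes above (the first group from the --with-mail-gid list that exists on the build host wins; the whole list is passed through if none exists) and the stray-quote symptom Sebastian hit, as an added shell example that is not part of this thread and not Mailman's own configure.in. It assumes a POSIX sh with awk; pick_mail_group and check_group_value are hypothetical helper names, and the group database is passed in as a parameter so the logic can be checked against a constructed group file instead of the build host's /etc/group.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mailman's configure.in.
#
# pick_mail_group mimics the --with-mail-gid behaviour described in the
# thread: given a space-separated list of candidate groups it prints the
# first one that exists in the group database and returns 0; if none
# exists it prints the whole list unchanged and returns 1, which is the
# value that would then be baked into the build and reported by
# bin/mailman-config.
#
# GROUP_DB is the group file to consult (/etc/group on a real host); it is
# a parameter so the function can be exercised against a constructed file.
pick_mail_group() {
    group_db=$1
    candidates=$2
    for g in $candidates; do
        # exact match on the group-name column of the group file
        if awk -F: -v name="$g" '$1 == name { found = 1 } END { exit !found }' "$group_db"; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    # no candidate exists on this host: pass the list through unchanged
    printf '%s\n' "$candidates"
    return 1
}

# check_group_value tests whether a value is usable as the single group
# name Mark recommends for --with-mail-gid / --with-cgi-gid:
#   0 - plain single group name
#   1 - contains a literal quote character (the "extraneous quotes"
#       symptom: such a value can never equal a real group name)
#   2 - still a space-separated list rather than one group
check_group_value() {
    case $1 in
        *\"*|*\'*) return 1 ;;
        *' '*)     return 2 ;;
        *)         return 0 ;;
    esac
}

# Stand-alone demonstration against the build host's real group file,
# using the candidate list from the SPEC file quoted in the thread.
pick_mail_group /etc/group "mail postfix mailman nobody daemon" || :
```

Running check_group_value over the values that actually reach configure (for example by echoing "$@" from a wrapper around ./configure in the %build section) tells you whether the quotes are arriving on the command line, as Mark suspects, or are being added later in a template; a group value that fails check 1 cannot match any real group, so it is worth catching before the wrappers are built.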

