[Mailman-Users] The Dreaded Group Mismatch Error

Mark Sapiro mark at msapiro.net
Sat Apr 24 21:15:15 CEST 2010 

LuKreme wrote:

>I tried to send a message to a low-traffic announce-list which failed:


Are other lists working?


>Mailman mail-wrapper: Group mismatch error.  Mailman expected the mail wrapper script to be executed as group "mailman", but the system's mail server executed the mail script as group "nobody".  Try tweaking the mail server to run the script as group "mailman", or re-run configure,  providing the command line option `--with-mail-gid=nobody'.
>
>So I go to the /usr/ports/mail/mailman/ directory to build mailman 'by hand' so to speak:
>
> $ export MM_USERNAME=nobody
> $ export MM_GROUPNAME=nobody 
> $ export MM_USERID=65534
> $ make install
>===>  Installing for mailman-2.1.12
>===>   mailman-2.1.12 depends on file: /usr/local/bin/python2.5 - found
>---> Starting install script:
>---> Using existing group "nobody"
>---> Using existing user "nobody"
>---> Using existing Mailman directory (/usr/local/mailman)
>     (There may be existing active mailing lists - this installation will
>     attempt to preserve them.)
>===>   Generating temporary packing list
>
>
>etc etc


Which may or may not have any effect on this depending on how your
package installation works.


> $  /usr/local/etc/rc.d/mailman start
> $
>
>Try to send another message, and I get the exact same error.
>
>Apr 24 09:26:44 mail Mailman mail-wrapper: Group mismatch error.  Mailman expected the mail wrapper script to be executed as group "mailman", but the system's mail server executed the mail script as group "nobody".  Try tweaking the mail server to run the script as group "mailman", or re-run configure,  providing the command line option `--with-mail-gid=nobody'.
>
>Now /etc/postfix/aliases.db (where all the aliases for mailman have been since at least 2004) is owned by root, and man 8 local says:
>
>       When those files are
>       owned by the superuser, delivery is made with the rights specified with
>       the default_privs configuration parameter.
>
>and the default for default_privs is nobody, which is what postfix is doing.
>
>So, if mailman is built as above using group and user nobody why is it claiming it expected the wrapper to be run as mailman?


Ask your packager.


>As far as I can tell, postfix is doing what it is supposed to, but mailman somewhere has a user mailman in it that it thinks should be being used. Where this is and why I cannot figure out.
>
>All the mailman processes are running as 'nobody'


Which pretty much defeats Mailman's security model.


>So, I went and grabbed the source and read up on <http://www.gnu.org/software/mailman/mailman-install/node7.html>
>
>~/src/mailman-2.1.13 $ ./configure --with-username=nobody --with-mail-gid=nobody --with-group-name=nobody
>configure: WARNING: you should use --build, --host, --target


This is very strange. When I run the above command in a freshly
unpacked 2.1.13 tarball directory (with 2.5 python), I get:

[msapiro at msapiro ...2.1.13/mailman-2.1.13]$ ./configure
--with-username=nobody --with-mail-gid=nobody --with-group-name=nobody
configure: WARNING: unrecognized options: --with-group-name

      Because it's spelled --with-groupname


checking for --with-python... no
...



>checking for --with-python... no
>checking for python... /usr/local/bin/python
>checking Python interpreter... /usr/local/bin/python
>checking Python version... 2.5.5
>checking Python's email package... ok
>checking Japanese codecs... ok
>checking Korean codecs... ok
>checking that Python has a working distutils... yes
>checking for a BSD-compatible install... /usr/bin/install -c
>checking whether make sets $(MAKE)... yes
>checking for true... /usr/bin/true
>checking for --without-gcc... no
>checking for gcc... gcc
>checking for C compiler default output file name... a.out
>checking whether the C compiler works... yes
>checking whether we are cross compiling... no
>checking for suffix of executables... 
>checking for suffix of object files... o
>checking whether we are using the GNU C compiler... yes
>checking whether gcc accepts -g... yes
>checking for gcc option to accept ISO C89... none needed
>checking whether #! works in shell scripts... yes
>checking for --with-var-prefix... no
>checking for --with-permcheck... yes
>checking for --with-username... mailman
>checking for user name "mailman"... okay
>checking for --with-groupname... mailman
>checking for group name "mailman"... okay
>...
>
>it completely ignores the flags (this is 2.1.13 downloaded a today from ftp://ftp.gnu.org/gnu/mailman/mailman-2.1.13.tgz ).


Well, it ignores --with-group-name because it's misspelled, but it
should issue a warning about that.

Could there be something in your environment that's affecting this? Or
your shell? What shell is invoked by /bin/sh?


>and even if you try to make at that point, there is no Makefile


Are you saying configure completes and makes a config.status and runs
that and there is no Makefile after that? Really strange...


>so, now what? What portion of mailman is expecting a gid of mailman? Since mailman seems to be totally insistent on running as mailman, I wen ahead and split the aliases out into a separate file and gave them the right permissions 
>
> $ chown mailman /usr/local/mailman/data/aliases.db
>
>In the manual it say:
>
>Run the bin/genaliases script to initialize your aliases file.
>        % cd /usr/local/mailman
>        % bin/genaliases
>      
>
>Make sure that the owner of the data/aliases and data/aliases.db file is mailman, that the group owner for those files is mailman, or whatever user and group you used in the configure command, and that both files are group writable:
>
>However, when I run bin/genaliases I get:
>
>To finish creating your mailing list, you must edit your /etc/aliases (or
>equivalent) file by adding the following lines, and possibly running the
>`newaliases' program:
>
>followed by a list of all the aliases.


Because you don't have 

MTA= 'Postfix'

in mm_cfg.py.


>There are no files in data/ named anything like alias
>
> /usr/local/mailman $ ls -ls data/
>total 20
> 2 -rw-r-----  1 root    nobody     41 May 30  2009 adm.pw
> 2 -rw-r--r--  1 root    nobody     10 Apr 24 10:30 last_mailman_version
> 2 -rw-rw----  1 nobody  nobody      6 Apr 24 10:36 master-qrunner.pid
>14 -rw-r--r--  1 root    nobody  14100 Apr 24 10:32 sitelist.cfg
>
>But I created one, ran postalias on it, changed the permissions as noted above, and it STILL fails with the same error.


Maybe because you still have aliases in /etc/postfix/aliases.db which
is what is being used by postfix unless you added
hash:/usr/local/mailman/data/aliases to Postfix alias_maps ahead of
hash:/etc/postfix/aliases.

Note that the expected group (mailman) is compiled into the
mailman/mail/mailman wrapper (from configure's --with-mail-gid) in
standard Mailman. I don't know how to set it in your package.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list