GNU Mailman

common.c is using getgid() instead of getegid

Bug #266128 reported by Gmottram on 2004-09-06

Affects		Status	Importance	Assigned to	Milestone
	GNU Mailman	New	Medium	Unassigned

Bug Description

The mailman wrapper that is used with its set group id
set is checking the real group id in src/common.c (line
121). This will only work if mailman is configured to
use the group "mail" as that is the only time the real
and effective group of mailman will match the
configuration.

Any programs run by sendmail are real user id of "mail"
and real group id of "mail".

When using the set group id or set user id flags on an
executable file, the program's real group and user
values do not change, only their effective group and
user id's.

I am running Fedora core release 1 (kernel version
2.4.22), mailman version 2.1.5 and sendmail 8.12.10
with "smrsh".

The fix is to change line 121 in src/common.c from:

mygid = getgid()

mygid = getegid()

With this change mailman can be installed as group
"mailman" (or any other group besides "mail") instead
of group "mail" (which is probably a security issue).

Best,

Geoff Mottram

[http://sourceforge.net/tracker/index.php?func=detail&aid=1022762&group_id=103&atid=100103]

Tags:

Revision history for this message

Gmottram (gmottram) wrote on 2004-09-07:

I have more fully documented a fix to the above problem here:

http://minaret.biz/tips/mailman.html

In addition to the change from getgid() to getegid(), you
must re-run configure with the "--with-cgi-gid=mailman"
option for the cgi-bin scripts to work.

Geoff

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.