common.c is using getgid() instead of getegid
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNU Mailman | New | Medium | Unassigned | |
Bug Description
The mailman wrapper that is used with its set group id
set is checking the real group id in src/common.c (line
121). This will only work if mailman is configured to
use the group "mail" as that is the only time the real
and effective group of mailman will match the
configuration.
Any programs run by sendmail are real user id of "mail"
and real group id of "mail".
When using the set group id or set user id flags on an
executable file, the program's real group and user
values do not change, only their effective group and
user IDs.
I am running Fedora core release 1 (kernel version
2.4.22), mailman version 2.1.5 and sendmail 8.12.10
with "smrsh".
The fix is to change line 121 in src/common.c from:
mygid = getgid()
to
mygid = getegid()
With this change mailman can be installed as group
"mailman" (or any other group besides "mail") instead
of group "mail" (which is probably a security issue).
Best,
Geoff Mottram
[http://
I have more fully documented a fix to the above problem here:
http://minaret.biz/tips/mailman.html
In addition to the change from getgid() to getegid(), you
must re-run configure with the "--with-cgi-gid=mailman"
option for the cgi-bin scripts to work.
Geoff
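
The real versus effective group ID distinction described in the report, as an added example that is not part of the original report or of Mailman's source: a small C program that resolves both IDs to group names and compares each with an expected group. The function names and the default group name "mailman" are assumptions made for this illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which of the process's two group IDs a check looks at. */
enum gid_kind { REAL_GID, EFFECTIVE_GID };

/* Real GID: inherited from the invoking process (here, the mail server).
 * Effective GID: replaced by the file's group when the setgid bit is set. */
static gid_t current_gid(enum gid_kind kind)
{
    return kind == REAL_GID ? getgid() : getegid();
}

/* 1 if gid resolves to the group named expected, 0 if it resolves to a
 * different group, -1 if the gid has no entry in the group database. */
static int gid_matches_group(gid_t gid, const char *expected)
{
    struct group *gr = getgrgid(gid);
    if (gr == NULL)
        return -1;
    return strcmp(gr->gr_name, expected) == 0;
}

/* 1 when real and effective GID differ, as they do in a setgid program
 * started by a process from another group. */
static int ids_differ(void)
{
    return current_gid(REAL_GID) != current_gid(EFFECTIVE_GID);
}

int main(int argc, char **argv)
{
    /* "mailman" is an assumed default; pass another group name as argv[1]. */
    const char *expected = argc > 1 ? argv[1] : "mailman";
    gid_t rgid = current_gid(REAL_GID), egid = current_gid(EFFECTIVE_GID);

    printf("real gid %ld matches \"%s\": %d\n", (long)rgid, expected,
           gid_matches_group(rgid, expected));
    printf("effective gid %ld matches \"%s\": %d\n", (long)egid, expected,
           gid_matches_group(egid, expected));
    printf("real and effective differ: %d\n", ids_differ());
    return 0;
}
```

Built and run normally, both lines report the same ID. With the setgid bit set and the file owned by another group, the effective-GID line follows the file's group while the real-GID line still reflects the invoking process.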