Clean up file permissions and umask settings. Now we set the umask to 007

during early initialization so that we're guaranteed to get the right value
regardless of the shell umask used to invoke the command line script.  While
we're at it, we can remove almost all individual umask settings previously in
the code, and make file permissions consistently -rw-rw---- (IOW, files are no
longer other readable).

The only subsystem that wasn't changed was the archiver, because it uses its
own umask settings to ensure that private archives have the proper
permissions.  Eventually we'll mess with this, but if it ain't broken...

Note that check_perms complains about directory permissions, but I think
check_perms can be fixed (or perhaps, even removed?!).  If we decide to use
LMTPRunner and HTTPRunner exclusively then no outside process will be touching
our files potentially with the incorrect permissions, umask, owner, or group.
If we control all of our own touch points then I think we can lock out
'other'.

Another open question is whether Utils.set_global_password() can have its
umask setting removed.  It locks permissions down so even the group can't
write to the site password file, but the default umask of 007 might be good
enough even for this file.

Utils.makedirs() now takes an optional mode argument, which defaults to 02775
for backward compatibility.  First, the default mode can probably be changed
to 02770 (see above).  Second, all code that was tweaking the umask in order
to do a platform compatible os.mkdir() has now been refactored to use
Utils.makedirs().

Another tricky thing was getting SQLite via SQLAlchemy to create its
data/mailman.db file with the proper permissions.  From the comment in
dbcontext.py:

        # XXX By design of SQLite, database file creation does not honor
        # umask.  See their ticket #1193:
        # http://www.sqlite.org/cvstrac/tktview?tn=1193,31

More details in that file, but the work around is to essentially 'touch' the
database file if 'sqlite' is the scheme of the SQLAlchemy URL.  This little
pre-touch sets the right umask honoring permission and won't hurt if the file
already exists.  SQLite will happily keep the existing permissions, and in
fact that ticket referenced above recommends doing things this way.

In the Mailman.database.initialize(), create a global lock that prevents more
than one process from entering this init function at the same time.  It's
probably not strictly necessary given that I believe all the operations in
dbcontext.connect() are multi-processing safe, but it also doesn't seem to
hurt and prevents race conditions regardless of the database's own
safeguards (or lack thereof).

Make sure nightly_gzip.py calls initialize().

1 files changed, 3 insertions, 13 deletions

diff --git a/Mailman/bin/nightly_gzip.py b/Mailman/bin/nightly_gzip.py
index f55b21493..4bd9271bc 100644
--- a/Mailman/bin/nightly_gzip.py
+++ b/Mailman/bin/nightly_gzip.py
@@ -1,6 +1,4 @@
-#! @PYTHON@
-#
-# Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2007 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -31,6 +29,7 @@ from Mailman import Utils
 from Mailman import Version
 from Mailman.configuration import config
 from Mailman.i18n import _
+from Mailman.initialize import initialize
 
 __i18n_templates__ = True
 
@@ -77,7 +76,7 @@ def compress(txtfile, opts):
 
 def main():
     opts, args, parser = parseargs()
-    config.load(opts.config)
+    initialize(opts.config)
 
     if config.ARCHIVE_TO_MBOX not in (1, 2) or config.GZIP_ARCHIVE_TXT_FILES:
         # We're only going to run the nightly archiver if messages are
@@ -119,12 +118,3 @@ def main():
                 files.append(txtfile)
         for f in files:
             compress(f, opts)
-
-
-
-if __name__ == '__main__':
-    omask = os.umask(002)
-    try:
-        main()
-    finally:
-        os.umask(omask)