Diffstat (limited to 'contrib')
-rw-r--r--contrib/securelinux_fix.py32
1 files changed, 17 insertions, 15 deletions
diff --git a/contrib/securelinux_fix.py b/contrib/securelinux_fix.py
index fc28b97c4..784bbc6d8 100644
--- a/contrib/securelinux_fix.py
+++ b/contrib/securelinux_fix.py
@@ -16,22 +16,23 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-"""If you use Solar Designer's secure-linux patch, it prevents a process from
-linking (hard link) to a file it doesn't own. As a result mailman has to be
-changed so that the whole tree is owned by mailman, and the CGIs and some of
-the programs in the bin tree (the ones that lock config.db files) are SUID
-mailman.
-The idea is that config.db files have to be owned by the mailman UID and
-only touched by programs that are UID mailman.
+"""Fixes for running Mailman under the `secure-linux' patch.
+
+If you use Solar Designer's secure-linux patch, it prevents a process from
+linking (hard link) to a file it doesn't own. As a result Mailman has to be
+changed so that the whole tree is owned by Mailman, and the CGIs and some of
+the programs in the bin tree (the ones that lock config.db files) are SUID
+Mailman. The idea is that config.db files have to be owned by the mailman UID
+and only touched by programs that are UID mailman.
-If you have to run check_perms -f, make sure to also run %(PROGRAM) -f, which
+If you have to run check_perms -f, make sure to also run %(PROGRAM) -f, which
applies the necessary permission fixes
-As a result, to prevent anyone from running priviledged mailman commands
-(since the scripts are suid), binary commands that are changed to be SUID
-are also unreadable and unrunable by people who aren't in the mailman group.
-This shouldn't affect much since most of those commands would fail work if
-you weren't part of the mailman group anyway.
+As a result, to prevent anyone from running priviledged Mailman commands
+\(since the scripts are suid), binary commands that are changed to be SUID are
+also unreadable and unrunable by people who aren't in the mailman group. This
+shouldn't affect much since most of those commands would fail work if you
+weren't part of the mailman group anyway.
Marc <marcsoft@merlins.org>/<marc_bts@valinux.com> 2000/10/27
"""
@@ -66,17 +67,18 @@ def main(argv):
fp = open(droplib, 'w', 0644)
fp.write("""import sys
import os
-from Mailman.mm_cfg import MAILMAN_UID
+from Mailman.mm_cfg import MAILMAN_UID, MAILMAN_GID
class CheckFixUid:
if os.geteuid() == 0:
+ os.setgid(MAILMAN_GID)
os.setuid(MAILMAN_UID)
if os.geteuid() != MAILMAN_UID:
print "You need to run this script as root or mailman because it was configured to run"
print "on a linux system with the secure-linux patch which restricts hard links"
sys.exit()
""")
- fp.close
+ fp.close()
else:
print "Skipping creation of " + droplib
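Review bot: The privilege drop written into the generated `CheckFixUid` body sets the group and then the user, but leaves root's supplementary groups in place, so a process started as root keeps those memberships after `os.setuid(MAILMAN_UID)`. Adding `os.setgroups([])` before `os.setgid(MAILMAN_GID)` would clear them; the setgid-before-setuid order the commit uses is already correct. Separately, on the context line `open(droplib, 'w', 0644)` the third argument of the builtin `open` is the buffer size, not a permission mode, so the file's mode is decided by the umask. Since this generated module is presumably imported by the privileged scripts, an explicit `os.chmod(droplib, 0644)` after `fp.close()` would pin its permissions. `main` begins and ends outside this hunk.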