From 3c99f28d219596434e8547df95e7041e2cf21fb7 Mon Sep 17 00:00:00 2001
From: Barry Warsaw
Date: Thu, 16 Jun 2011 16:27:13 -0400
Subject: The current contrib directory is not really compatible or appropriate for Mailman 3. Maybe it'll come back later.
---
 contrib/check_perms_grsecurity.py | 182 --------------------------------------
 1 file changed, 182 deletions(-)
 delete mode 100644 contrib/check_perms_grsecurity.py
(limited to 'contrib/check_perms_grsecurity.py')
diff --git a/contrib/check_perms_grsecurity.py b/contrib/check_perms_grsecurity.py
deleted file mode 100644
index 3d0b66e1a..000000000
--- a/contrib/check_perms_grsecurity.py
+++ /dev/null
@@ -1,182 +0,0 @@ -#! @PYTHON@ -# -# Copyright (C) 1998-2007 by the Free Software Foundation, Inc. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -# USA. - -"""Fixes for running Mailman under the `secure-linux' patch or grsecurity. - -Run check_perms -f and only then check_perms_grsecurity.py -f -Note that you will have to re-run this script after a mailman upgrade and -that check_perms will undo part of what this script does - -If you use Solar Designer's secure-linux patch, it prevents a process from -linking (hard link) to a file it doesn't own. -Grsecurity (http://grsecurity.net/) can have the same restriction depending -on how it was built, including other restrictions like preventing you to run -a program if it is located in a directory writable by a non root user. - -As a result Mailman has to be changed so that the whole tree is owned by -Mailman, and the CGIs and some of the programs in the bin tree (the ones -that lock config.pck files) are SUID Mailman. The idea is that config.pck -files have to be owned by the mailman UID and only touched by programs that -are UID mailman. 
-At the same time, We have to make sure that at least 3 directories under -~mailman aren't writable by mailman: mail, cgi-bin, and bin - -Binary commands that are changed to be SUID mailman are also made unreadable -and unrunnable by people who aren't in the mailman group. This shouldn't -affect much since most of those commands would fail work if you weren't part -of the mailman group anyway. -Scripts in ~mailman/bin/ are not made suid or sgid, they need to be run by -user mailman or root to work. - -Marc / -2000/10/27 - Initial version for secure_linux/openwall and mailman 2.0 -2001/12/09 - Updated version for grsecurity and mailman 2.1 -""" - -import sys -import os -import paths -import re -import glob -import pwd -import grp -from Mailman import mm_cfg -from Mailman.mm_cfg import MAILMAN_USER, MAILMAN_GROUP -from stat import * - -# Directories that we don't want writable by mailman. -dirstochownroot= ( 'mail', 'cgi-bin', 'bin' ) - -# Those are the programs that we patch so that they insist being run under the -# mailman uid or as root. 
-binfilestopatch= ( 'add_members', 'change_pw', 'check_db', 'clone_member', - 'config_list', 'newlist', 'qrunner', 'remove_members', - 'rmlist', 'sync_members', 'update', 'withlist' ) - -def main(argv): - binpath = paths.prefix + '/bin/' - droplib = binpath + 'CheckFixUid.py' - - if len(argv) < 2 or argv[1] != "-f": - print __doc__ - sys.exit(1) - - print "Making select directories owned and writable by root only" - gid = grp.getgrnam(MAILMAN_GROUP)[2] - for dir in dirstochownroot: - dirpath = paths.prefix + '/' + dir - os.chown(dirpath, 0, gid) - os.chmod(dirpath, 02755) - print dirpath - - print - - file = paths.prefix + '/data/last_mailman_version' - print "Making" + file + "owned by mailman (not root)" - uid = pwd.getpwnam(MAILMAN_USER)[2] - gid = grp.getgrnam(MAILMAN_GROUP)[2] - os.chown(file, uid, gid) - print - - if not os.path.exists(droplib): - print "Creating " + droplib - fp = open(droplib, 'w', 0644) - fp.write("""import sys -import os -import grp, pwd -from Mailman.mm_cfg import MAILMAN_USER, MAILMAN_GROUP - -class CheckFixUid: - uid = pwd.getpwnam(MAILMAN_USER)[2] - gid = grp.getgrnam(MAILMAN_GROUP)[2] - if os.geteuid() == 0: - os.setgid(gid) - os.setuid(uid) - if os.geteuid() != uid: - print "You need to run this script as root or mailman because it was configured to run" - print "on a linux system with a security patch which restricts hard links" - sys.exit() -""") - fp.close() - else: - print "Skipping creation of " + droplib - - - print "\nMaking cgis setuid mailman" - cgis = glob.glob(paths.prefix + '/cgi-bin/*') - - for file in cgis: - print file - os.chown(file, uid, gid) - os.chmod(file, 06755) - - print "\nMaking mail wrapper setuid mailman" - file= paths.prefix + '/mail/mailman' - os.chown(file, uid, gid) - os.chmod(file, 06755) - print file - - print "\nEnsuring that all config.db/pck files are owned by Mailman" - cdbs = glob.glob(paths.prefix + '/lists/*/config.db*') - cpcks = glob.glob(paths.prefix + '/lists/*/config.pck*') - - for file 
in cdbs + cpcks: - stat = os.stat(file) - if (stat[ST_UID] != uid or stat[ST_GID] != gid): - print file - os.chown(file, uid, gid) - - print "\nPatching mailman scripts to change the uid to mailman" - - for script in binfilestopatch: - filefd = open(script, "r") - file = filefd.readlines() - filefd.close() - - patched = 0 - try: - file.index("import CheckFixUid\n") - print "Not patching " + script + ", already patched" - except ValueError: - file.insert(file.index("import paths\n")+1, "import CheckFixUid\n") - for i in range(len(file)-1, 0, -1): - object=re.compile("^([ ]*)main\(").search(file[i]) - # Special hack to support patching of update - object2=re.compile("^([ ]*).*=[ ]*main\(").search(file[i]) - if object: - print "Patching " + script - file.insert(i, - object.group(1) + "CheckFixUid.CheckFixUid()\n") - patched=1 - break - if object2: - print "Patching " + script - file.insert(i, - object2.group(1) + "CheckFixUid.CheckFixUid()\n") - patched=1 - break - - if patched==0: - print "Warning, file "+script+" couldn't be patched." - print "If you use it, mailman may not function properly" - else: - filefd=open(script, "w") - filefd.writelines(file) - -main(sys.argv) -- cgit v1.2.3-70-g09d2