THERE IS NO REASON TO HAVE WORLD RWX PRIVS ON MAJORDOMO
DIRECTORIES. IT WAS NOT DESIGNED THAT WAY AND THERE IS NO
REASON FOR IT.
There, now that I have vented, we can get down to business. If you
can't get majordomo to operate without world write permissions, then
one of the following is wrong:
1) The wrapper is not setting the uid and gid
     1) The setuid and setgid bits in the mode word are not
        set. Read chmod(1), and look at the su program to see
        a setuid program.
     2) You are in a posix universe, but you compiled the
        wrapper with bsd semantics (tsk tsk)
     3) setuid is somehow broken on your machine
2) The uid and gid that are set by the wrapper are not the uid and
   gid that own the majordomo directories
3) The majordomo directories are not mode 77? I.E. you set it
   to 55? or something silly like that.
Fix the above problems and things will run fine without needing world
write privs. Believe me, I have almost 30 installations running
majordomo across all sorts of hardware and NONE of them have world
writable directories. As a matter of fact most of them don't have
world readable directories.
Sadly, getting this right seems to be easier to say than to do,
especially for UNIX novices, so I enclose the following script as an
aid:
#== begin script
#!/usr/local/bin/perl
print "euid is: $>\n";
print "egid is: $)\n";
print "ruid is: $<\n";
print "rgid is: $(\n";
#== end script
To use it, put the script (in between the #== lines) in the majordomo
home directory. The majordomo home directory is the directory with
majordomo and resend in it. Make sure to change the first line in the
script (#!/usr/local/bin/perl) to point to the location of perl on
your system.
I put the script in a file called peid (print effective id). Make sure
the file is executable (chmod +x peid usually does the trick). The
path /tools/majordomo is the path to my majordomo home directory.
Replace that with the path to your majordomo home directory before
executing the examples. Also, when I say uid or gid, I mean either the
numeric values, or the names that those values map to.
You can find out what your uid and gid look like by running the script
directly. DO NOT run this test as root, it can create a false
success. In my case running:
/tools/majordomo/peid
produces:
euid is: 1249
egid is: 15 33 31 19 16 11 15
ruid is: 1249
rgid is: 15 33 31 19 16 11 15
The euid is my uid, and the egid is my gid (group other, not
majordom).
For the second test, we want to run the peid script using the
majordomo wrapper program. DO NOT RUN THIS TEST AS ROOT, it will cause
a false positive. You can run the script like so:
/tools/majordomo/wrapper peid
If the wrapper complains about posix something or other (problem
1.2 above) recompile the wrapper using posix semantics as
specified in the Makefile.
If the script ran successfully, its output should look something like:
euid is: 916
egid is: 34 34 33 31 19 16 11 15
ruid is: 916
rgid is: 34 34 33 31 19 16 11 15
Check the euid line. Grep for :916: through the password file (or use
ypcat passwd | grep :916: if you run yellow pages/NIS). This number
should be the uid of the majordom user (or in general the uid you
specified in the makefile. If you chose to install it using daemon, the
uid will usually be 1).
The egid line gets the same treatment for the first number in the
list, except that you look at the /etc/group file instead of the
passwd file. Group 34 for my site is the majordom group. The wrapper
may set the real uid and real gid as well depending on the system (bsd
usually does, posix may not, I don't have a posix host handy to
check.), however this is important, the euid and egid should not be
your uid and your gid.
If you get the same output from running peid with and without the
wrapper, the wrapper script is not setting the uid or gid properly
(problem 1). To track down this problem, make sure that the setuid and
setgid bits are correct. Spend some time with the chmod man page to
make sure you set the bits right (or you can play around and keep
running the script till the euid and egid come up right). Check the
makefile and make sure you set the proper uid and gid there. Keep
working at it until the euid matches the uid of the majordom user,
and the egid matches that of the majordom group.
Ok, so now the euid and egid match your majordom user and your
majordom group. But wait we aren't done. We still need to check the
owner and group ownerships on the directories (problem 2). All
directories and files with the exception of the wrapper program should
be owned by the euid and the first egid. (Technically this is a lie,
but if you know it's a lie, then you probably aren't having any
permission problems 8-).)
Make sure that every directory and file is properly owned. The only
file that may not be owned by the majordom user and group is the
wrapper program itself on a posix system, which will be owned by root.
Now make sure that all the directories owned by majordom have mode 77?
permissions (rwxrwx?-?) where the ? indicates that it doesn't matter
what permissions are set there, but you shouldn't set the write
permission 8-). The list of directories to change includes:
the directory where the Log file is located
the directory where the mailing list files and per list config
files are located
the directory where the archives are located (if you archive
messages). Also change the permissions on the
subdirectories of this directory
the digest spool directory (if you are using it). Also change
the permissions on the subdirectories of this
directory.
Whew. Now that all of these checks have been done, try sending mail to
the list using the verbose mode for mail or sendmail as explained in
the readme. Try subscribing etc. Everything should now be working
fine. If not, try this list again from the top. If you still can't get
it to work, send mail to the majordomo-users list with the output of
peid when run under the wrapper, and when not run under the wrapper,
Yes, peid and a copy of the missive will be placed into the 1.93
README.
-- John
John Rouillard
Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred) Boston, MA, (617) 287-6480
==============================================================================
My employers don't acknowledge my existence much less my opinions.
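
The ownership and mode checks described in the message above, collected into one script as an added example (not part of the original post or of majordomo). The function names and finding labels are hypothetical; OWNER and GROUP are assumed to be the euid and first egid that peid prints when run under the wrapper.

```shell
#!/bin/sh
# Added example: audit a majordomo install along the lines of the post.
# Function names and finding labels are hypothetical, not part of majordomo.

# check_wrapper WRAPPER
# Succeeds only if both the setuid and setgid bits are set (problem 1.1).
check_wrapper() {
    [ -u "$1" ] && [ -g "$1" ]
}

# audit_majordomo_dirs OWNER GROUP DIR...
# OWNER/GROUP are the euid and first egid that peid prints under the wrapper
# (names or numbers). Prints one finding per line; returns 1 if any.
audit_majordomo_dirs() {
    owner=$1 group=$2
    shift 2
    findings=$(
        for top in "$@"; do
            # World-writable directories: never needed per the post.
            find "$top" -type d -perm -0002 \
                -exec printf '%s %s\n' WORLD-WRITABLE {} \;
            # Mode 77?: owner and group both need rwx (problem 3).
            find "$top" -type d ! -perm -0770 \
                -exec printf '%s %s\n' NOT-77x {} \;
            # Everything must belong to the wrapper's uid/gid (problem 2).
            find "$top" \( ! -user "$owner" -o ! -group "$group" \) \
                -exec printf '%s %s\n' WRONG-OWNER {} \;
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Pass the log, list, archive and digest directories as the DIR arguments. A root-owned wrapper on a posix system will show up as WRONG-OWNER if its directory is included, which the post allows as the one exception.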