mail/mailman: fix some permission issues, realign template policy

- tighten up permissions on install dirs even more, patching bin/check_perms to not complain - fewer directories or files belong in mailman's hand or need group write permissions. - revert 2.1.30's "make templates samples" because the upstream has always instead provided a templates/site dir here and warned users that default templates will be overwritten on updates or reinstallation https://wiki.list.org/DOC/4.48%20How%20can%20I%20change%20the%20HTML%20or%20.txt%20templates%20used%20by%20my%20mailing%20lists%3F changed templates will be written to different directories, the site, domain-specific or list-specific directory - adjust pkg-plist such that a no-script install, a regular install with post-install script run, and check_perms agree on permissions, however with tighter write permissions than the default install, as a security-in-depth safety precaution. [1] - revise files/pkg-install.in accordingly - boil down files/pkg-message.in texts a little bit - bump PORTREVISION PR: 245853 Reported by: manu@ (IRC) [1]
svn path=/head/; revision=532983
2025-07-18 09:49:18 -04:00 · 2020-04-25 22:41:21 +00:00 · 2020-04-25 22:41:21 +00:00 · b337c05a03 · 2021-03-31 03:12:20 +00:00
commit b337c05a03
parent a5996cafe5
6 changed files with 1789 additions and 1784 deletions
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	mailman
 DISTVERSION=	2.1.30
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	mail
 MASTER_SITES=	GNU \
 		SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
@ -237,6 +237,7 @@ post-install:
 	@${MKDIR} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
 	${ECHO} "This marker file ensures that Python's upgrade-site-packages handles ${PKGNAME}." >${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/mailman-info.txt
 	${INSTALL_SCRIPT} ${PKGINSTALL} ${STAGEDIR}${MAILMANDIR}/bin/FreeBSD-post-install
-	${FIND} ${STAGEDIR}${MAILMANDIR}/templates -type f -exec ${MV} '{}' '{}.sample' \;
+	${MKDIR} ${STAGEDIR}${MAILMANDIR}/templates/site/en
+	${INSTALL_DATA} ${FILESDIR}/templates_site_README.txt ${STAGEDIR}${MAILMANDIR}/templates/site/README.txt

 .include <bsd.port.mk>
--- a/mail/mailman/files/patch-bin_check__perms
+++ b/mail/mailman/files/patch-bin_check__perms
@ -7,19 +7,24 @@ permissions.

 -- Matthias Andree (mandree@FreeBSD.org, 2020-04-14)

--- bin/check_perms.orig	2020-04-13 17:08:14 UTC
-+++ bin/check_perms
-@@ -143,6 +143,9 @@ def checkwalk(arg, dirname, names):
+--- bin/check_perms.orig	2020-04-13 19:08:14.000000000 +0200
+++ bin/check_perms	2020-04-25 17:50:19.448831000 +0200
+@@ -143,6 +143,14 @@ def checkwalk(arg, dirname, names):
         elif (os.path.commonprefix((path, mm_cfg.QUEUE_DIR))
               == mm_cfg.QUEUE_DIR):
             targetperms = QFILEPERMS
-+        elif path == mm_cfg.PREFIX or '/messages' in path:
+        elif (path == mm_cfg.PREFIX or os.path.split(path)[1] in
+              ('archives', 'bin', 'cgi-bin', 'cron', 'icons', 'mail', 'scripts',)
+              or '/messages' in path
+              or '/templates' in path
+              or '/tests' in path
+              or '/Mailman' in path):
 +            # don't require LC_MESSAGES to be group writable
 +            targetperms = DIRPERMS & ~S_IWGRP & ~S_ISGID
         else:
             targetperms = DIRPERMS
         octperms = oct(targetperms)
-@@ -195,7 +195,7 @@
+@@ -192,7 +200,7 @@ def checkall():
             if e.errno <> errno.ENOENT: raise
             print C_('WARNING: directory does not exist: %(d)s')
             continue
--- a/mail/mailman/files/pkg-install.in
+++ b/mail/mailman/files/pkg-install.in
@ -59,22 +59,18 @@ POST-INSTALL)

  move_newsyslog_conf

- # fix up permissions - this is under investigation; pkg or libarchive
-  # goof up the group writable and/or setgid bits
+  # fix up permissions - this should normally be handled by pkg(8)
+  # already, but can remain here for --no-scripts installs,
+  # and for corner cases such as the archive directories.
  /usr/bin/find "%%MAILMANDIR%%/qfiles" -maxdepth 1 -type d -exec \
    /bin/chmod u+rwx,g+rwsx,o-w "{}" +

-  # deliberately skip "%%MAILMANDIR%%" itself below:
-  /bin/chmod 02775 \
+  /bin/chmod 0755 \
    "%%MAILMANDIR%%/archives" \
-    "%%MAILMANDIR%%/archives/public" \
    "%%MAILMANDIR%%/bin" \
    "%%MAILMANDIR%%/cgi-bin" \
    "%%MAILMANDIR%%/cron" \
-    "%%MAILMANDIR%%/data" \
    "%%MAILMANDIR%%/icons" \
-    "%%MAILMANDIR%%/lists" \
-    "%%MAILMANDIR%%/locks" \
    "%%MAILMANDIR%%/mail" \
    "%%MAILMANDIR%%/Mailman" \
    "%%MAILMANDIR%%/Mailman/Archiver" \
@ -86,37 +82,38 @@ POST-INSTALL)
    "%%MAILMANDIR%%/Mailman/Logging" \
    "%%MAILMANDIR%%/Mailman/MTA" \
    "%%MAILMANDIR%%/Mailman/Queue" \
-    "%%MAILMANDIR%%/pythonlib" \
    "%%MAILMANDIR%%/scripts" \
-    "%%MAILMANDIR%%/spam" \
    "%%MAILMANDIR%%/tests" \
    "%%MAILMANDIR%%/tests/bounces" \
    "%%MAILMANDIR%%/tests/msgs"
+
+  # deliberately skip "%%MAILMANDIR%%" itself below:
+  /bin/chmod 02775 \
+    "%%MAILMANDIR%%/archives/public" \
+    "%%MAILMANDIR%%/data" \
+    "%%MAILMANDIR%%/lists" \
+    "%%MAILMANDIR%%/locks" \
+    "%%MAILMANDIR%%/pythonlib" \
+    "%%MAILMANDIR%%/spam" \
  # this can be 2770 or 2771 but should not be stomped over
  test -d "%%MAILMANDIR%%/archives/private" \
  || /usr/bin/install -m 02771 -g "%%GROUP%%" \
      -d "%%MAILMANDIR%%/archives/private"

-  /bin/chmod u+rwx,g+srwx      "%%MAILMANDIR%%/archives/private"
+  /bin/chmod u+rwx,g+srwx,o-rw "%%MAILMANDIR%%/archives/private"
  /bin/chmod u+rwx,g+srwx,o+rx "%%MAILMANDIR%%/logs"

  if [ "NLS" = "%%NLS%%" ] ; then
 	  /usr/bin/find "%%MAILMANDIR%%/messages" -type d \
-     			-exec chown "%%GROUP%%" '{}' + \
+     			-exec chgrp "%%GROUP%%" '{}' + \
     			-exec chmod 0755 '{}' +
  fi

  /usr/bin/find "%%MAILMANDIR%%/templates" -type d \
-    -exec chmod 02775 '{}' +
+    -exec chmod 0755 '{}' +

-  # if .sample files were not moved to destination...
-  # (pkg install --no-scripts) ... fix up
-
-  # cp -n will not overwrite destination file, -p preserves permissions/owner etc.
-  /usr/bin/find "%%MAILMANDIR%%/templates" -type f -name '*.sample' \
-    -exec /bin/sh -c 'f={};cp -np ${f} ${f%.sample}' \;
-
-  test -s %%MAILMANDIR%%/Mailman/mm_cfg.py || cp -p %%MAILMANDIR%%/Mailman/mm_cfg.py.dist %%MAILMANDIR%%/Mailman/mm_cfg.py
+  test -s %%MAILMANDIR%%/Mailman/mm_cfg.py \
+  || cp -p %%MAILMANDIR%%/Mailman/mm_cfg.py.dist %%MAILMANDIR%%/Mailman/mm_cfg.py

  # This is subject to the EXAMPLES port option:
  test -r ${PKG_PREFIX}/share/examples/mailman.newsyslog.sample &&
--- a/mail/mailman/files/pkg-message.in
+++ b/mail/mailman/files/pkg-message.in
@ -1,31 +1,16 @@
 [
-{
-  message: <<EOM
-Mailman has been installed, but requires further configuration before use!
-
-ATTENTION
-=========
-
-mail/mailman requires proper directory permissions to run and possibly
-some directories created if missing.  That cannot happen from pkg
-because that might alter your manually adjusted archive directory permissions.
-
-If you did just install mailman with pkg -I, --no-script or
--no-install-scripts, you MUST(!) run the post-install script now, as root:
-
-env "PKG_PREFIX=%%PREFIX%%" sh \
-    %%MAILMANDIR%%/bin/FreeBSD-post-install x POST-INSTALL
-EOM
-}
 { type: install,
  message <<EOM
+Mailman has been installed, but requires further configuration before use!
+
 You also must configure both your MTA (mail server) and web server to
 integrate with Mailman.  If the port's documentation has been installed,
 extensive post-installation instructions may be found in:

  %%DOCSDIR%%/FreeBSD-post-install-notes

-Note (1):  - ESPECIALLY RELEVANT FOR USERS OF THE BINARY PACKAGE -
+Note (1): 
+- ESPECIALLY RELEVANT FOR USERS OF THE BINARY PACKAGE -
 The FreeBSD binary package is built for use with Sendmail, and it will
 not work properly with alternative MTAs such as Exim or Postfix.
  In order for Mailman to work with an alternative mailer,
@ -43,15 +28,22 @@ Note (2):  The entire Mailman installation resides under %%MAILMANDIR%%.
 The command-line scripts necessary to administer Mailman have been
 installed in %%MAILMANDIR%%/bin.

-Note (3):  As of version 2.1, Mailman's queue runner runs as a daemon and
-is started by a script in %%LOCALBASE%%/etc/rc.d
-
 In order to make private archives searchable with namazu2, you need
 to copy or link %%LOCALBASE%%/libexec/namazu.cgi to
 %%MAILMANDIR%%/archives/private/<ML_name>/ and configure .namazurc.
 Refer to %%LOCALBASE%%/etc/namazu/namazurc.sample.
 EOM
 }
+{ message: <<EOM
+If you did just install mailman with pkg -I, --no-script or
+--no-install-scripts, you MUST(!) run the post-install script now, as root:
+
+env "PKG_PREFIX=%%PREFIX%%" sh \
+    %%MAILMANDIR%%/bin/FreeBSD-post-install x POST-INSTALL
+
+This will set up most defaults (cron jobs, default configuration etc.).
+EOM
+}
 { type: upgrade
  maximum_version: 2.1.18
  message <<EOM
--- a/mail/mailman/files/templates_site_README.txt
+++ b/mail/mailman/files/templates_site_README.txt
@ -0,0 +1,5 @@
+Note that the templates/site/<language> directory are meant
+for your site-specific overrides of the templates.
+
+For details, please see Mailman/Utils.py below the line
+that starts with:  def findtext(templatefile,
--- a/mail/mailman/pkg-plist
+++ b/mail/mailman/pkg-plist