Bug 390843

Summary: net-mail/mailman-2.1.14 doesn't work with hardened with TPE
Product: Gentoo Linux
Reporter: Jaak Ristioja <jaak>
Component: Current packages
Assignee: Hanno Böck <hanno>
Status: RESOLVED OBSOLETE
Severity: normal
CC: net-mail+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Jaak Ristioja 2011-11-17 16:30:01 UTC
I'm running a hardened Gentoo server with TPE (trusted path execution) enabled. When trying to follow the mailman post-install instructions at /usr/share/doc/mailman-2.1.14/README.gentoo.bz2, the following fails:

  $ bin/mmsitepass
  -su: bin/mmsitepass: /usr/bin/python: bad interpreter: Permission denied

dmesg reports the following:

  grsec: From 10.12.0.31: denied untrusted exec of /usr/lib64/mailman/bin/mmsitepass by /bin/bash[bash:26493] uid/euid:280/280 gid/egid:280/280, parent /bin/bash[bash:18627] uid/euid:280/280 gid/egid:280/280

I'm guessing the rest of the mailman installation also has these problems. Disabling TPE (globally or for mailman) is a workaround for the bin/mmsitepass failure. However, security-wise it's not a good option. The mailman binaries should be owned and writeable only by root.

Please make net-mail/mailman install itself in a completely TPE-independent manner.
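
An added example, not part of the bug report or of Mailman: a read-only audit that lists the directories and executable files under an install tree that fail the criterion stated in the description (owned by root, not writable by group or others). Checking each containing directory as well is an assumption about how TPE decides trust; `untrusted_reason` and `audit_tree` are hypothetical names.

```python
import os
import stat

# Write bits that let someone other than the owner modify the entry.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def untrusted_reason(path, trusted_uid=0):
    """Return why `path` fails the owner/mode criterion, or None if it passes."""
    st = os.lstat(path)
    if st.st_uid != trusted_uid:
        return "owner uid %d is not %d" % (st.st_uid, trusted_uid)
    # Symlink mode bits are meaningless, so only the owner check applies to them.
    if not stat.S_ISLNK(st.st_mode) and st.st_mode & WRITABLE_BY_OTHERS:
        return "mode %o is group/world-writable" % stat.S_IMODE(st.st_mode)
    return None


def audit_tree(root, trusted_uid=0):
    """Return sorted (path, reason) pairs for failing directories and executables."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Assumption: the directory holding a script matters as much as the script.
        reason = untrusted_reason(dirpath, trusted_uid)
        if reason:
            findings.append((dirpath, "directory: " + reason))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Only regular files with an execute bit are candidates for exec.
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            reason = untrusted_reason(path, trusted_uid)
            if reason:
                findings.append((path, "file: " + reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Default is the directory named in the dmesg line of the report.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/mailman/bin"
    for path, reason in audit_tree(root):
        print("%s: %s" % (path, reason))
```

The script changes nothing on disk; it only reports what an administrator would need to review before and after running the permission-fixing scripts.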
Comment 1 Daniel Bross 2014-03-27 16:43:33 UTC
The problem is a known mailman problem. Mailman ships with two scripts to fix these:

/usr/lib64/mailman/bin/check_perms

and

/usr/lib64/mailman/bin/check_perms_grsecurity.py

You need to run:

/usr/lib64/mailman/bin/check_perms -f
/usr/lib64/mailman/bin/check_perms_grsecurity.py -f

There is a bug in check_perms_grsecurity.py, however. Filing a bug report for it now.
Comment 2 Daniel Bross 2014-03-27 17:04:52 UTC
https://bugs.gentoo.org/show_bug.cgi?id=505982
Comment 3 Hanno Böck gentoo-dev 2020-11-09 09:04:51 UTC
Doubly-obsolete: We don't have mailman2 any more and don't support grsec any longer, which is now proprietary.