Bug 390843 - net-mail/mailman-2.1.14 doesn't work with hardened with TPE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Hanno Böck
Reported: 2011-11-17 16:30 UTC by Jaak Ristioja
Modified: 2020-11-09 09:04 UTC
Description Jaak Ristioja 2011-11-17 16:30:01 UTC
I'm running a hardened Gentoo server with TPE (trusted path execution) enabled. When trying to follow the mailman post-install instructions at /usr/share/doc/mailman-2.1.14/README.gentoo.bz2, the following fails:

  $ bin/mmsitepass
  -su: bin/mmsitepass: /usr/bin/python: bad interpreter: Permission denied

dmesg reports the following:

  grsec: From denied untrusted exec of /usr/lib64/mailman/bin/mmsitepass by /bin/bash[bash:26493] uid/euid:280/280 gid/egid:280/280, parent /bin/bash[bash:18627] uid/euid:280/280 gid/egid:280/280

I'm guessing the rest of the mailman installation also has these problems. Disabling TPE (globally or for mailman) is a workaround for the bin/mmsitepass failure. However, security-wise it's not a good option. The mailman binaries should be owned and writeable only by root.

Please make net-mail/mailman install itself in a completely TPE-independent manner.
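
An added example (not part of the bug report, and not mailman or Gentoo code): a Python audit for the condition the description asks for, that executables are owned and writable only by root. It also checks each containing directory, on the assumption that TPE judges the directory an executable lives in; `audit_tpe`, `untrusted_reason` and the `trusted_uid` parameter are names made up for this example.

```python
import os
import stat
import sys

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def untrusted_reason(path, trusted_uid=0):
    """Return why `path` is not owned and writable only by trusted_uid, or None."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & WRITABLE_BY_OTHERS:
        return "group/world-writable (mode %04o)" % stat.S_IMODE(st.st_mode)
    return None


def audit_tpe(root, trusted_uid=0):
    """Walk `root` and return sorted (path, reason) pairs for every directory
    and every executable regular file that fails the ownership/mode check."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Assumption: the containing directory must itself be trusted.
        reason = untrusted_reason(dirpath, trusted_uid)
        if reason:
            findings.append((dirpath, "directory " + reason))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Skip symlinks, data files and anything without an execute bit.
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            reason = untrusted_reason(path, trusted_uid)
            if reason:
                findings.append((path, "file " + reason))
    return sorted(findings)


if __name__ == "__main__":
    # Default path is the one from the dmesg line in the report.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/mailman/bin"
    problems = audit_tpe(target)
    for path, reason in problems:
        print("%s: %s" % (path, reason))
    sys.exit(1 if problems else 0)
```
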
Comment 1 Daniel Bross 2014-03-27 16:43:33 UTC
The problem is a known mailman problem. Mailman ships with two scripts to fix these:




You need to run:

/usr/lib64/mailman/bin/check_perms -f
/usr/lib64/mailman/bin/ -f

There is a bug in however. Filing a bug report for it now.
Comment 2 Daniel Bross 2014-03-27 17:04:52 UTC
Comment 3 Hanno Böck gentoo-dev 2020-11-09 09:04:51 UTC
Doubly-obsolete: We don't have mailman2 any more and don't support grsec any longer, which is now proprietary.