Majordomo installation into sendmail


Majordomo 1.94

Installation:
  1. Download the rpm package, e.g. from http://ftp.ms.cuni.cz
  2. Install it: rpm -i majordomo-1.94.1-4.i386.rpm. The program is installed into /usr/lib/majordomo/, /usr/man/majordomo/, /usr/doc/majordomo/
  3. Create the group "majordom", the user "majordom" (adduser majordom) and the directories named in /etc/majordomo.cf (/var/lib/majordomo/archive, /var/lib/majordomo/digest, /var/lib/majordomo/lists, /var/log/majordomo), plus the file /var/log/majordomo/majordomo.log (touch /var/log/majordomo/majordomo.log)
  4. Change the owner of all these files to majordom/majordom. Set permissions with chmod: /usr/lib/majordomo (770), /var/lib/majordomo (750), /var/lib/majordomo/lists (770!), /var/lib/majordomo/archive (770!), /var/lib/majordomo/digest (770), /var/log/majordomo (774)
  5. Change the sendmail alias list in /etc/aliases

Example:
# common
majordomo: "|/usr/lib/majordomo/wrapper majordomo"
owner-majordomo: majordomo-owner
majordomo-owner: majordom
majordom: joe
# repeat for each mailing list, here "news"
news: "|/usr/lib/majordomo/wrapper resend -p bulk -M 10000 -l news -f news-owner -h your-domain.cz -s news-outgoing"
news-owner: owner-news
news-outgoing: :include:/var/lib/majordomo/lists/news, news-archive
news-archive: /var/lib/majordomo/archive/news
news-request: "|/usr/lib/majordomo/wrapper request-answer news"
news-digest: news
news-approval: news-owner
owner-news-digest: news-owner
owner-news-request: news-owner
owner-news-digest-outgoing: news-owner
owner-news: bill

The program processes mail sent to the special address "majordomo@your-address.cz" and in this way controls login, logout and subscriptions. Received mail is processed by /usr/lib/majordomo/wrapper; keywords (subscribe, unsubscribe, lists, ...) are recognized and executed. Mail sent to "news-request" is sent to all mailing-list recipients in :include:/var/lib/majordomo/lists/news and saved in /var/lib/majordomo/archive/news. Requests (e.g. lists) are returned to news-request; news-approval is reserved for the moderator.

Now access-rights and security problems arise. Sendmail runs as "mail/mail" (set in /etc/sendmail.cf by O DefaultUser=UID:GID). This user must have enough rights to execute /usr/lib/majordomo/wrapper. The wrapper itself runs as "majordom/majordom" (logging, access to /var/lib/majordomo/lists/news, locks in /usr/lib/majordomo/, etc.).

Test using the Perl script: run ./wrapper config-test majordomo from /usr/lib/majordomo. The help advises not to execute it as "root" or "majordom", but I tested it as "root". It would be better to execute it as "mail". Eliminate the reported mistakes (not all of them are correct) and check the aliases.

Send mail to majordomo@your-domain.cz and check what happens. Our system returns the message:

sh: wrapper not available for sendmail program 554 "|/usr/lib/majordomo/wrapper majordomo" ... service unavailable

Sendmail uses the restricted shell "smrsh". Every file that sendmail is allowed to execute must be referenced by a symbolic link in /usr/adm/sm.bin (or /etc/smrsh). Set the link /etc/smrsh/@wrapper to /usr/lib/majordomo/wrapper. The same applies when writing to the archive /var/lib/majordomo/archive/news (make the link /etc/smrsh/@archive-news->/var/lib/majordomo/archive/news).

Now send the command "subscribe news" and try to send a test message to "news". This time the error "Group writable directory" is returned. It means that, for security reasons, sendmail will not use the :include: file, because the directory permissions allow group write access. Change the owner and permissions (or in /etc/sendmail.cf set "O UnsafeGroupWrites=False", "O DontBlameSendmail=groupwritabledirpathsafe,includefileinunsafedirpath, includefileinunsafedirpathsafe" and restart sendmail; note that these DontBlameSendmail values relax sendmail's file safety checks rather than fixing the permissions).
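
The following is an added example, not part of the original page: a shell function that walks up from the :include: file and prints every directory that is group- or world-writable, the condition behind the "Group writable directory" error. The function name unsafe_dirs and its optional STOP argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page).
# unsafe_dirs FILE [STOP]
#   Prints each directory between FILE and STOP (default /) whose mode
#   has the group-write or other-write bit set. STOP is a hypothetical
#   helper argument that limits how far up the tree the walk goes.
unsafe_dirs() {
    file=$1
    stop=${2:-/}
    dir=$(dirname "$file")
    while :; do
        # The first 10 characters of "ls -ld" are the file type and the
        # permission bits, e.g. drwxrwx---. -L follows a symlink to the
        # real directory so the link's own mode is not reported.
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            # 6th character = group write, 9th character = other write
            ?????w*|????????w*) printf '%s\n' "$dir" ;;
        esac
        # Stop at the requested top directory, at /, or at "." for a
        # relative path (dirname would otherwise never change).
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
}

# When run as a script with arguments, check the given file, e.g.:
#   sh unsafe_dirs.sh /var/lib/majordomo/lists/news
if [ $# -gt 0 ]; then
    unsafe_dirs "$@"
fi
```

An empty result means no directory on the path is group- or world-writable; each printed directory is a candidate for the owner and permission change described above.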