Mailman security is in part enforced by requiring it execute
SGID. When the mail process or the web server attempts to execute a
mailman script a C program is invoked to verify the group
permission. Mailman as it is shipped only allows one group to be
specified at build time. For users who build and install on their own
machine this is not a limitation. However, when making a binary
package to be installed on an arbitrary machine it is hard to predict
the correct group to use for that installation. Therefore this patch
allows us to specify at build time a list of groups that will be
iterated over, if the mailman process is executing as any of one of
the group in the set of groups then the permission check passes. Since
the groups we build with are limited to a small number of safe groups
this does not lower the security much while at the same time provides
a much more friendly way to package a binary installation that will
run in a wider range of installations.

It was necessary to add the macro MM_FIND_GROUP_LIST to the
configure.in file replacing the original use of MM_FIND_GROUP_NAME,
the former operates on a list of group names while the later on a
single name. MM_FIND_GROUP_LIST includes a filter parameter that was
added with the notion of supporting the with-permcheck option. If
filter is true then only group names that exist on the build machine
are permitted in the list, otherwise all names are permitted. However,
note that whenever MM_FIND_GROUP_LIST is invoked it is currently
hardcoded to disable filtering and is not tied to with-permcheck, this
was done because of the observation that if one is passing a list of
groups it is likely one is doing so to support installations that have
a group not present on the build machine, but one might still want to
take advantage of the other with-permcheck functionality.

diff -u mailman-2.1.2/configure.in.orig mailman-2.1.2/configure.in
--- mailman-2.1.2/configure.in.orig	2003-04-21 23:34:51.000000000 -0400
+++ mailman-2.1.2/configure.in	2003-05-02 16:32:45.000000000 -0400
@@ -208,26 +208,101 @@
 fi
 
 # new macro for finding group names
-AC_DEFUN(MM_FIND_GROUP_NAME, [
+# returns a comma separated list of quoted group names
+# the list is returned in the same order as specified with any duplicates removed
+# the filter flag must be "yes" or "no", e.g. this is permcheck
+#         "no"  ==> none existing groups are not filtered out
+#         "yes" ==> only those groups that are in the group database are included
+#                   in the list
+AC_DEFUN(MM_FIND_GROUP_LIST, [
 # $1 == variable name
-# $2 == user id to check for
+# $2 == white space separated list of groups to check,
+#       list may contain mix of id's and names
+# $3 == filter, if == 'yes' then remove any non-existing groups
 AC_SUBST($1)
 changequote(,)
 if test -z "$$1"
 then
     cat > conftest.py <<EOF
 import grp
-gid = ''
+group_names = []
+seen = {}
+filter = "$3"
+
 for group in "$2".split():
     try:
+        gid = int(group)
+        try:
+            gname = grp.getgrgid(gid)[0]
+        except KeyError:
+            gname = ''
+    except ValueError:
         try:
-            gname = grp.getgrgid(int(group))[0]
-            break
-        except ValueError:
             gname = grp.getgrnam(group)[0]
+        except KeyError:
+            if filter == "yes":
+                gname = ''
+            else:
+                gname = group
+    if gname:
+        if gname not in seen:
+            seen[gname] = 1
+            group_names.append(gname)
+
+if group_names:
+    val = '"' + '", "'.join(group_names) + '"'
+    #val = "'"+val+"'"
+else:
+    val = ''
+
+fp = open("conftest.out", "w")
+fp.write("%s\n" % val)
+fp.close()
+EOF
+    $PYTHON conftest.py
+    $1=`cat conftest.out`
+fi
+changequote([, ])
+rm -f conftest.out conftest.py])
+
+
+# new macro for finding group names
+AC_DEFUN(MM_FIND_GROUP_NAME, [
+# Given a list of tokens, either a name or a number (gid)
+# return the first one in the list that is found in the 
+# group database. The return value is always a name, possibly
+# translated from a gid. If permcheck is "no" then the group
+# database is not checked, instead the first token in the list
+# which is a name is returned (e.g. the default value). If permcheck
+# is no and only gid's are in the list then the null string is returned.
+# $1 == variable name
+# $2 == group id to check for
+# $3 == permcheck, either "yes" or "no"
+AC_SUBST($1)
+changequote(,)
+if test -z "$$1"
+then
+    cat > conftest.py <<EOF
+import grp
+gname=''
+if "$3" == "yes":
+    for group in "$2".split():
+        try:
+            try:
+                gname = grp.getgrgid(int(group))[0]
+                break
+            except ValueError:
+                gname = grp.getgrnam(group)[0]
+                break
+        except KeyError:
+            gname = ''
+else:
+    for group in "$2".split():
+        try:
+            int(group)
+        except ValueError:
+            gname = group
             break
-    except KeyError:
-        gname = ''
 fp = open("conftest.out", "w")
 fp.write("%s\n" % gname)
 fp.close()
@@ -241,25 +316,41 @@
 
 # new macro for finding UIDs
 AC_DEFUN(MM_FIND_USER_NAME, [
+# Given a list of tokens, either a name or a number (uid)
+# return the first one in the list that is found in the 
+# password database. The return value is always a name, possibly
+# translated from a uid. If permcheck is "no" then the password
+# database is not checked, instead the first token in the list
+# which is a name is returned (e.g. the default value). If permcheck
+# is no and only uid's are in the list then the null string is returned.
 # $1 == variable name
 # $2 == user id to check for
+# $3 == permcheck, either "yes" or "no"
 AC_SUBST($1)
 changequote(,)
 if test -z "$$1"
 then
     cat > conftest.py <<EOF
 import pwd
-uid = ''
-for user in "$2".split():
-    try:
+uname=''
+if "$3" == "yes":
+    for user in "$2".split():
         try:
-            uname = pwd.getpwuid(int(user))[0]
-            break
+            try:
+                uname = pwd.getpwuid(int(user))[0]
+                break
+            except ValueError:
+                uname = pwd.getpwnam(user)[0]
+                break
+        except KeyError:
+            uname = ''
+else:
+    for user in "$2".split():
+        try:
+            int(user)
         except ValueError:
-            uname = pwd.getpwnam(user)[0]
+            uname = user
             break
-    except KeyError:
-        uname = ''
 fp = open("conftest.out", "w")
 fp.write("%s\n" % uname)
 fp.close()
@@ -285,7 +376,7 @@
 # User `mailman' must exist
 AC_SUBST(MAILMAN_USER)
 AC_MSG_CHECKING(for user name \"$USERNAME\")
-MM_FIND_USER_NAME(MAILMAN_USER, $USERNAME)
+MM_FIND_USER_NAME(MAILMAN_USER, $USERNAME, $with_permcheck)
 if test -z "$MAILMAN_USER"
 then
   if test "$with_permcheck" = "yes"
@@ -316,7 +407,7 @@
 # Target group must exist
 AC_SUBST(MAILMAN_GROUP)
 AC_MSG_CHECKING(for group name \"$GROUPNAME\")
-MM_FIND_GROUP_NAME(MAILMAN_GROUP, $GROUPNAME)
+MM_FIND_GROUP_NAME(MAILMAN_GROUP, $GROUPNAME, $with_permcheck)
 if test -z "$MAILMAN_GROUP"
 then
   if test "$with_permcheck" = "yes"
@@ -339,11 +430,11 @@
 prefix = "$prefixcheck"
 groupname = "$GROUPNAME"
 mailmangroup = "$MAILMAN_GROUP"
-try:
-    mailmangid = grp.getgrnam(mailmangroup)[2]
-except KeyError:
-    mailmangid = -1
 problems = []
+try: mailmangid = grp.getgrnam(mailmangroup)[2]
+except KeyError:
+    problems.append("group doesn't exist: " + mailmangroup)
+    mailmangid = 41
 try: statdata = os.stat(prefix)
 except OSError:
     problems.append("Directory doesn't exist: " + prefix)
@@ -393,7 +484,7 @@
 then
     with_mail_gid="mailman other mail daemon"
 fi
-MM_FIND_GROUP_NAME(MAIL_GROUP, $with_mail_gid)
+MM_FIND_GROUP_LIST(MAIL_GROUP, $with_mail_gid, $with_permcheck)
 if test -z "$MAIL_GROUP"
 then
   if test "$with_permcheck" = "yes"
@@ -420,7 +511,7 @@
     with_cgi_gid="www www-data nobody"
 fi
 
-MM_FIND_GROUP_NAME(CGI_GROUP, $with_cgi_gid)
+MM_FIND_GROUP_LIST(CGI_GROUP, $with_cgi_gid, $with_permcheck)
 if test -z "$CGI_GROUP"
 then
   if test "$with_permcheck" = "yes"
diff -u mailman-2.1.2/src/cgi-wrapper.c.orig mailman-2.1.2/src/cgi-wrapper.c
--- mailman-2.1.2/src/cgi-wrapper.c.orig	2002-08-23 16:39:47.000000000 -0400
+++ mailman-2.1.2/src/cgi-wrapper.c	2003-05-02 16:28:11.000000000 -0400
@@ -28,11 +28,11 @@
 /* Group name that CGI scripts run as.  See your web server's documentation
  * for details.
  */
-#define LEGAL_PARENT_GROUP CGI_GROUP
+#define LEGAL_PARENT_GROUPS CGI_GROUP
 
 const char* logident = LOG_IDENT;
 char* script = SCRIPTNAME;
-const char* parentgroup = LEGAL_PARENT_GROUP;
+const char* parentgroups[] = {LEGAL_PARENT_GROUPS};
 
 
 int
@@ -42,7 +42,7 @@
         char* fake_argv[3];
 
         running_as_cgi = 1;
-        check_caller(logident, parentgroup);
+	check_caller(logident, parentgroups, sizeof(parentgroups) / sizeof(parentgroups[0]));
 
         /* For these CGI programs, we can ignore argc and argv since they
          * don't contain anything useful.  `script' will always be the driver
diff -u mailman-2.1.2/src/common.c.orig mailman-2.1.2/src/common.c
--- mailman-2.1.2/src/common.c.orig	2002-09-04 21:29:57.000000000 -0400
+++ mailman-2.1.2/src/common.c	2003-05-02 16:28:11.000000000 -0400
@@ -116,13 +116,14 @@
 /* Is the parent process allowed to call us?
  */
 void
-check_caller(const char* ident, const char* parentgroup)
+check_caller(const char* ident, const char** parentgroups, size_t numgroups)
 {
         GID_T mygid = getgid();
 	struct group *mygroup = getgrgid(mygid);
 	char* option;
 	char* server;
 	char* wrapper;
+	int i;
 
 	if (running_as_cgi) {
 		option = "--with-cgi-gid";
@@ -136,22 +137,45 @@
 	}
 
 	if (!mygroup)
-		fatal(ident, GROUP_NAME_NOT_FOUND,
-		      "Failure to find group name %s.  Try adding this group\n"
-		      "to your system, or re-run configure, providing an\n"
-		      "existing group name with the command line option %s.",
-		      parentgroup, option);
+		fatal(ident, GROUP_ID_NOT_FOUND,
+		      "Failure to lookup via getgrgid() the group info for group id %d that this Mailman %s wrapper is executing under.\n"
+		      "This is probably due to an incorrectly configured system and is not a Mailman problem",
+		      mygid, wrapper);
+
+	for (i = 0; i < numgroups; i++) {
+		if (strcmp(parentgroups[i], mygroup->gr_name) == 0) break;
+	}
+
+        if (i >= numgroups) {
+		char *groupset = NULL;
+		size_t size = 0;
+
+		for (i = 0; i < numgroups; i++) {
+			size += strlen(parentgroups[i]) + 2;
+		}
+
+		groupset = malloc(size);
+
+		if (groupset) {
+			groupset[0] = 0;
+			for (i = 0; i < numgroups; i++) {
+				strcat(groupset, parentgroups[i]);
+				if (i < numgroups-1) strcat(groupset, ", ");
+			}
+		}
 
-        if (strcmp(parentgroup, mygroup->gr_name))
                 fatal(ident, GROUP_MISMATCH,
-		      "Group mismatch error.  Mailman expected the %s\n"
-		      "wrapper script to be executed as group \"%s\", but\n"
-		      "the system's %s server executed the %s script as\n"
-		      "group \"%s\".  Try tweaking the %s server to run the\n"
-		      "script as group \"%s\", or re-run configure, \n"
-		      "providing the command line option `%s=%s'.",
-		      wrapper, parentgroup, server, wrapper, mygroup->gr_name,
-		      server, parentgroup, option, mygroup->gr_name);
+		      "Group mismatch error. Mailman expected the %s wrapper script to be\n"
+		      "executed as one of the following groups:\n"
+		      "[%s],\n"
+		      "but the system's %s server executed the %s script as group: \"%s\".\n"
+		      "Try tweaking the %s server to run the script as one of these groups:\n"
+		      "[%s],\n"
+		      "or re-run configure providing the command line option:\n"
+		      "'%s=%s'.",
+		      wrapper, groupset, server, wrapper, mygroup->gr_name,
+		      server, groupset, option, mygroup->gr_name);
+	}
 }
 
 
diff -u mailman-2.1.2/src/common.h.orig mailman-2.1.2/src/common.h
--- mailman-2.1.2/src/common.h.orig	2002-10-21 14:48:03.000000000 -0400
+++ mailman-2.1.2/src/common.h	2003-05-02 16:28:11.000000000 -0400
@@ -33,7 +33,7 @@
 #define GID_T GETGROUPS_T
 
 extern void fatal(const char*, int, char*, ...);
-extern void check_caller(const char*, const char*);
+extern void check_caller(const char* ident, const char**, size_t);
 extern int run_script(const char*, int, char**, char**);
 
 /* Global variable used as a flag. */
@@ -51,7 +51,7 @@
 #define MAIL_USAGE_ERROR 5
 #define MAIL_ILLEGAL_COMMAND 6
 #define ADDALIAS_USAGE_ERROR 7
-#define GROUP_NAME_NOT_FOUND 8
+#define GROUP_ID_NOT_FOUND 8
 
 
 /*
diff -u mailman-2.1.2/src/mail-wrapper.c.orig mailman-2.1.2/src/mail-wrapper.c
--- mailman-2.1.2/src/mail-wrapper.c.orig	2002-08-23 16:40:27.000000000 -0400
+++ mailman-2.1.2/src/mail-wrapper.c	2003-05-02 16:28:11.000000000 -0400
@@ -23,9 +23,9 @@
 /* Group name that your mail programs run as.  See your mail server's
  * documentation for details.
  */
-#define LEGAL_PARENT_GROUP MAIL_GROUP
+#define LEGAL_PARENT_GROUPS MAIL_GROUP
 
-const char* parentgroup = LEGAL_PARENT_GROUP;
+const char* parentgroups[] = {LEGAL_PARENT_GROUPS};
 const char* logident = "Mailman mail-wrapper";
 
 
@@ -74,7 +74,7 @@
                 fatal(logident, MAIL_ILLEGAL_COMMAND,
                       "Illegal command: %s", argv[1]);
 
-        check_caller(logident, parentgroup);
+        check_caller(logident, parentgroups, sizeof(parentgroups) / sizeof(parentgroups[0]));
 
         /* If we got here, everything must be OK */
         status = run_script(argv[1], argc, argv, env);
diff -u mailman-2.1.2/src/Makefile.in.orig mailman-2.1.2/src/Makefile.in
--- mailman-2.1.2/src/Makefile.in.orig	2003-03-31 14:27:14.000000000 -0500
+++ mailman-2.1.2/src/Makefile.in	2003-05-02 16:28:11.000000000 -0400
@@ -49,9 +49,9 @@
 
 SHELL=		/bin/sh
 
-MAIL_FLAGS=	-DMAIL_GROUP="\"$(MAIL_GROUP)\""
+MAIL_FLAGS=	-DMAIL_GROUP='$(MAIL_GROUP)'
 
-CGI_FLAGS=	-DCGI_GROUP="\"$(CGI_GROUP)\""
+CGI_FLAGS=	-DCGI_GROUP='$(CGI_GROUP)'
 
 HELPFUL=	-DHELPFUL