Re: [Mailman-Users] config.pck get changed back from correct values...

john espiro wrote:
so... 1.) How do I tell if the CGI wrappers are SETID?
bin/check_perms should check this, but the following
[mark@sbh16 ~]$ ls -l ~mailman/cgi-bin/
total 208
-rwxr-sr-x 1 root mailman 15989 Jan 11 11:16 admin
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 admindb
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 confirm
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 create
-rwxr-sr-x 1 root mailman 15997 Jan 11 11:16 edithtml
-rwxr-sr-x 1 root mailman 15989 Jan 11 11:16 htdig
-rwxr-sr-x 1 root mailman 15997 Jan 11 11:16 listinfo
-rwxr-sr-x 1 root mailman 15997 Jan 11 11:16 mmsearch
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 options
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 private
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 rmlist
-rwxr-sr-x 1 root mailman 15993 Jan 11 11:16 roster
-rwxr-sr-x 1 root mailman 15997 Jan 11 11:16 subscribe
[mark@sbh16 ~]$
shows the SETGID bit as the 's' in -rwxr-sr-x
To get everything to work properly, the files need to be set as webadmin:mailman.
Which should not be necessary. owner shouldn't matter. Only group matters in a properly configured Mailman installation.
or, how do I tell #2 (webserver/OS not honoring SETGID)?
If the files in cgi-bin have permissions as above, and the subdirectories of lists/ have group and permissions like
[mark@sbh16 ~]$ ls -l lists/
total 28
drwxrwsr-x 3 root mailman 4096 Jan 29 03:30 century-announce
drwxrwsr-x 2 root mailman 4096 Jan 29 03:30 gpc-century
drwxrwsr-x 2 root mailman 4096 Jan 29 03:30 gpc-talk
drwxrwsr-x 2 root mailman 4096 Jan 29 03:30 gpc-test
drwxrwsr-x 2 apache mailman 4096 Jan 29 03:30 gpc-website
drwxrwsr-x 2 root mailman 4096 Jan 29 08:00 mailman
drwxrwsr-x 2 root mailman 4096 Jan 29 03:30 wed_ride
[mark@sbh16 ~]$
then the web interface should work.
I am running Apache, if that helps.
Are you running Apache with suEXEC? If so, you will probably have issues because the suEXEC security strategy is in conflict with Mailman's security strategy.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
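
The checks described in the message above, as an added example that is not part of the original thread and not Mailman's own code. The function names and the sample tree are constructed for illustration; the config.pck check assumes the setgid wrapper reaches that file through its group read/write bits, which is why owner is ignored.

```shell
#!/bin/sh
# Added example: audit the permissions shown in the thread's listings.
# Directories and the group are arguments; function names are hypothetical.

# Print CGI wrappers that are NOT setgid or NOT in the expected group.
audit_wrappers() {   # $1 = cgi-bin dir, $2 = group name or gid
    find "$1" -maxdepth 1 -type f \( ! -perm -2000 -o ! -group "$2" \) -print
}

# Print list directories that are not group-rwx plus setgid (drwxrws...)
# or not in the expected group.
audit_list_dirs() {  # $1 = lists dir, $2 = group name or gid
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( ! -perm -2070 -o ! -group "$2" \) -print
}

# Print config.pck files the group cannot both read and write.
# Assumption: access comes via the group bits, so owner is not checked.
audit_config_pck() { # $1 = lists dir, $2 = group name or gid
    find "$1" -type f -name config.pck \
        \( ! -perm -060 -o ! -group "$2" \) -print
}

# Constructed sample tree (not a real installation), one fault of each kind.
build_sample() {     # $1 = empty scratch directory
    mkdir -p "$1/cgi-bin" "$1/lists/good" "$1/lists/bad"
    for w in admin listinfo; do : > "$1/cgi-bin/$w"; done
    chmod 2755 "$1/cgi-bin/admin"       # -rwxr-sr-x, as in the listing
    chmod 0755 "$1/cgi-bin/listinfo"    # setgid bit missing
    chmod 2775 "$1/lists/good"          # drwxrwsr-x, as in the listing
    chmod 0755 "$1/lists/bad"           # no group write
    : > "$1/lists/good/config.pck"; chmod 0660 "$1/lists/good/config.pck"
    : > "$1/lists/bad/config.pck";  chmod 0600 "$1/lists/bad/config.pck"
}

scratch=$(mktemp -d)
build_sample "$scratch"
grp=$(id -g)    # stand-in for "mailman" inside the sample tree
echo "wrappers failing the check:";   audit_wrappers   "$scratch/cgi-bin" "$grp"
echo "list dirs failing the check:";  audit_list_dirs  "$scratch/lists"   "$grp"
echo "config.pck failing the check:"; audit_config_pck "$scratch/lists"   "$grp"
rm -rf "$scratch"
```

On a real installation, pass the installation's cgi-bin and lists directories and the group `mailman`; empty output from all three functions means the group setup matches the listings above.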

OK - cgi-bin folder has the SETGID bit set correctly.
The only thing I need to do to make it work is to set the config.pck file to webadmin:mailman, otherwise I get the following in the error log:
admin(17440): IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/MYLIST/config.pck'
BUT Apache is running with suexec.
Is there a way to get mailman to work with Apache suexec?
John

john espiro wrote:
BUT Apache is running with suexec.
Is there a way to get mailman to work with Apache suexec?
Set the group to mailman in the Apache SuexecUserGroup directive.
This may create group mismatch errors for the wrappers. See the FAQ at <http://wiki.list.org/x/tYA9>. If so, you'll have to deal with those in some other way than changing the Apache group.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
