IOError: [Errno 13] Permission denied on config.pck in Fedora 30

Does mailman 2.1 now need to run as the same user as Apache runs? In our case httpd runs as the user ‘apache’ and mailman runs as ‘mailman’. I reinstalled mailman and no difference. I’ve seen this error referenced several times, and to run check_perms, which I did.
/usr/lib/mailman/bin/check_perms
/usr/lib/mailman/bin/mailman-update-cfg bad group (has: root, expected mailman)
Problems found: 1
Re-run as mailman (or root) with -f flag to fix
ls -l /usr/lib/mailman/bin/mailman-update-cfg
-rwxr-xr-x 1 root root 436 Feb 12 06:54 /usr/lib/mailman/bin/mailman-update-cfg
chown mailman:mailman /usr/lib/mailman/bin/mailman-update-cfg
/usr/lib/mailman/bin/check_perms
No problems found
systemctl status mailman
● mailman.service - GNU Mailing List Manager
   Loaded: loaded (/usr/lib/systemd/system/mailman.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-07-18 16:18:41 EDT; 3 days ago
 Main PID: 20380 (mailmanctl)
    Tasks: 9 (limit: 4915)
   Memory: 131.2M
   CGroup: /system.slice/mailman.service
           ├─20380 /usr/bin/python2 /usr/lib/mailman/bin/mailmanctl -s start
           ├─20381 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
           ├─20382 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
           ├─20383 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
           ├─20384 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
           ├─20385 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
           ├─20386 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
           ├─20387 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
           └─20388 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
Jul 18 16:18:41 dsm.dsm.fordham.edu systemd[1]: Starting GNU Mailing List Manager...
Jul 18 16:18:41 dsm.dsm.fordham.edu mailmanctl[20379]: Starting Mailman's master qrunner.
Jul 18 16:18:41 dsm.dsm.fordham.edu systemd[1]: Started GNU Mailing List Manager.
ls -l /var/lib/mailman/lists/book/
total 24
-rw-rw---- 1 mailman mailman 5593 Jul 22 09:00 config.pck
-rw-rw---- 1 mailman mailman 5593 Jul 21 12:00 config.pck.last
-rw-rw---- 1 mailman mailman 131 Oct 12 2018 pending.pck
-rw-rw---- 1 apache mailman 20 Oct 13 2018 request.pck
ls -l /var/log/mailman/error
-rw-rw---- 1 mailman mailman 37997 Jul 22 10:57 /var/log/mailman/error
[----- Mailman Version: 2.1.29 -----]
[----- Traceback ------]
Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 85, in run_main
    immediate=1)
  File "/usr/lib/mailman/Mailman/Logging/StampedLogger.py", line 52, in __init__
    Logger.__init__(self, category, nofail, immediate)
  File "/usr/lib/mailman/Mailman/Logging/Logger.py", line 50, in __init__
    self.__get_f()
  File "/usr/lib/mailman/Mailman/Logging/Logger.py", line 68, in __get_f
    1)
  File "/usr/lib64/python2.7/codecs.py", line 898, in open
    file = __builtin__.open(filename, mode, buffering)
IOError: [Errno 13] Permission denied: '/var/log/mailman/error'
[----- Python Information -----]
sys.version = 2.7.16 (default, Apr 30 2019, 15:54:43) [GCC 9.0.1 20190312 (Red Hat 9.0.1-0.10)]
sys.executable = /usr/bin/python2
sys.prefix = /usr
sys.exec_prefix = /usr
sys.path = ['/usr/lib/mailman/pythonlib', '/usr/lib/mailman', '/usr/lib/mailman/scripts', '/usr/lib/mailman', '/usr/lib/python27.zip', '/usr/lib64/python2.7', '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/dist-packages']
sys.platform = linux2
PYTHONPATH: /usr/lib/mailman
REMOTE_PORT: 60557
REQUEST_SCHEME: https
SCRIPT_NAME: /mailman/listinfo
REQUEST_METHOD: GET
SERVER_PORT: 443
SERVER_PROTOCOL: HTTP/1.1
QUERY_STRING:
REQUEST_URI: /mailman/listinfo
DOCUMENT_ROOT: /var/www/html
Then I provided 755 permissions to the log file, and then I see this error:
admin(24082): [----- Mailman Version: 2.1.29 -----]
admin(24082): [----- Traceback ------]
admin(24082): Traceback (most recent call last):
admin(24082):   File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(24082):     main()
admin(24082):   File "/usr/lib/mailman/Mailman/Cgi/listinfo.py", line 44, in main
admin(24082):     listinfo_overview()
admin(24082):   File "/usr/lib/mailman/Mailman/Cgi/listinfo.py", line 104, in listinfo_overview
admin(24082):     mlist = MailList.MailList(name, lock=0)
admin(24082):   File "/usr/lib/mailman/Mailman/MailList.py", line 133, in __init__
admin(24082):     self.Load()
admin(24082):   File "/usr/lib/mailman/Mailman/MailList.py", line 692, in Load
admin(24082):     dict, e = self.__load(file)
admin(24082):   File "/usr/lib/mailman/Mailman/MailList.py", line 655, in __load
admin(24082):     fp = open(dbfile)
admin(24082): IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/book/config.pck'
admin(24082): [----- Python Information -----]
admin(24082): sys.version = 2.7.16 (default, Apr 30 2019, 15:54:43) [GCC 9.0.1 20190312 (Red Hat 9.0.1-0.10)]
admin(24082): sys.executable = /usr/bin/python2
admin(24082): sys.prefix = /usr

On 7/22/19 11:12 AM, Robert Kudyba wrote:
Does mailman 2.1 now need to run as the same user as Apache runs?
No.
In our case httpd runs as the user ‘apache’ and mailman runs as ‘mailman’. I reinstalled mailman and no difference. I’ve seen this error referenced several times, and to run check_perms, which I did.
/usr/lib/mailman/bin/check_perms
/usr/lib/mailman/bin/mailman-update-cfg bad group (has: root, expected mailman)
Problems found: 1
Re-run as mailman (or root) with -f flag to fix
ls -l /usr/lib/mailman/bin/mailman-update-cfg
-rwxr-xr-x 1 root root 436 Feb 12 06:54 /usr/lib/mailman/bin/mailman-update-cfg
chown mailman:mailman /usr/lib/mailman/bin/mailman-update-cfg
/usr/lib/mailman/bin/check_perms
No problems found
I don't know what bin/mailman-update-cfg is. It isn't distributed by the GNU Mailman project. It probably isn't the issue anyway.
...
ls -l /var/lib/mailman/lists/book/
total 24
-rw-rw---- 1 mailman mailman 5593 Jul 22 09:00 config.pck
-rw-rw---- 1 mailman mailman 5593 Jul 21 12:00 config.pck.last
-rw-rw---- 1 mailman mailman 131 Oct 12 2018 pending.pck
-rw-rw---- 1 apache mailman 20 Oct 13 2018 request.pck
ls -l /var/log/mailman/error
-rw-rw---- 1 mailman mailman 37997 Jul 22 10:57 /var/log/mailman/error
These look OK.
This is almost certainly an issue with the CGI wrappers or with SELinux.
The wrappers in /usr/lib/mailman/cgi-bin and in /usr/lib/mailman/mail should all be group mailman and SETGID as in
ls -la cgi-bin
total 372
drwxrwsr-x 2 root mailman 4096 Jun 21 15:04 ./
drwxrwsr-x 13 mailman mailman 4096 Jun 7 07:07 ../
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 admin*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 admindb*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 confirm*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 create*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 edithtml*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 htdig*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 listinfo*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 mmsearch*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 options*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 private*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 rmlist*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 roster*
-rwxr-sr-x 1 root mailman 27296 Jun 21 15:04 subscribe*
ls -la mail
total 36
drwxrwsr-x 2 root mailman 4096 Jun 21 15:04 ./
drwxrwsr-x 13 mailman mailman 4096 Jun 7 07:07 ../
-rwxr-sr-x 1 root mailman 28488 Jun 21 15:04 mailman*
See <https://wiki.list.org/x/4030645>, however, this is all probably OK because check_perms would complain if it weren't.
Thus, this is almost certainly a SELinux issue. Try disabling SELinux. If that solves the issue and you want to enable SELinux, you'll need to review/update your SELinux Policy.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

The wrappers in /usr/lib/mailman/cgi-bin and in /usr/lib/mailman/mail should all be group mailman and SETGID as in
Indeed they are with user set to mailman:
ls -l /usr/lib/mailman/cgi-bin/
total 264
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 admin
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 admindb
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 confirm
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 create
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 edithtml
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 listinfo
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 options
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 private
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 rmlist
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 roster
-rwxr-sr-x 1 mailman mailman 23056 Feb 12 06:54 subscribe
ls -l /usr/lib/mailman/mail
total 24
-rwxr-sr-x 1 mailman mailman 23176 Feb 12 06:54 mailman
ls -l /usr/lib/mailman/mail/
total 24
-rwxr-sr-x 1 mailman mailman 23176 Feb 12 06:54 mailman
ls -l /usr/lib/mailman/mail/mailman
-rwxr-sr-x 1 mailman mailman 23176 Feb 12 06:54 /usr/lib/mailman/mail/mailman
Thus, this is almost certainly a SELinux issue. Try disabling SELinux. If that solves the issue and you want to enable SELinux, you'll need to review/update your SELinux Policy.
I should have mentioned it’s been disabled for quite a while:
getenforce
Disabled
My partial workaround so far has been to:
chmod 666 /var/lib/mailman/lists/*/config.pck
chattr +i /var/lib/mailman/lists/*/config.pck
But when trying to access a mailing list we get the below permission errors. Note we do have mod_security and mod_evasive running but I don’t see any logs in them.
Jul 24 09:00:03 2019 (6329) SHUNTING: 1563973203.350298+066f8e1903bdcdcd8f96222e2381a43c3d952002
Jul 24 09:00:05 2019 (6326) Uncaught runner exception: [Errno 1] Operation not permitted
Jul 24 09:00:05 2019 (6326) Traceback (most recent call last):
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 119, in _oneloop
    self._onefile(msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 190, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 133, in _dispose
    mlist.Save()
  File "/usr/lib/mailman/Mailman/MailList.py", line 613, in Save
    self.__save(dict)
  File "/usr/lib/mailman/Mailman/MailList.py", line 590, in __save
    os.link(fname, fname_last)
OSError: [Errno 1] Operation not permitted
admin(1480): [----- Mailman Version: 2.1.29 -----]
admin(1480): [----- Traceback ------]
admin(1480): Traceback (most recent call last):
admin(1480):   File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(1480):     main()
admin(1480):   File "/usr/lib/mailman/Mailman/Cgi/admin.py", line 210, in main
admin(1480):     mlist.Lock()
admin(1480):   File "/usr/lib/mailman/Mailman/MailList.py", line 164, in Lock
admin(1480):     self.__lock.lock(timeout)
admin(1480):   File "/usr/lib/mailman/Mailman/LockFile.py", line 243, in lock
admin(1480):     self.__write()
admin(1480):   File "/usr/lib/mailman/Mailman/LockFile.py", line 422, in __write
admin(1480):     fp = open(self.__tmpfname, 'w')
admin(1480): IOError: [Errno 13] Permission denied: '/var/lock/mailman/algs-da.lock.dsm.dsm.fordham.edu.1480.0'
Thanks for the reply!

On 7/24/19 6:20 AM, Robert Kudyba wrote:
Thus, this is almost certainly a SELinux issue. Try disabling SELinux. If that solves the issue and you want to enable SELinux, you'll need to review/update your SELinux Policy.
I should have mentioned it’s been disabled for quite a while:
getenforce
Disabled
My partial workaround so far has been to:
chmod 666 /var/lib/mailman/lists/*/config.pck
chattr +i /var/lib/mailman/lists/*/config.pck
chattr +i is certainly wrong. From man chattr
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
What does lsattr show for these files?
On my system, everything has 'e' and a few of the qfiles/ subdirectories have 'I' and nothing else.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Another thing I neglected to mention, the file system containing the Mailman files must be mounted with the (default) suid option, not with nosuid.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

My partial workaround so far has been to:
chmod 666 /var/lib/mailman/lists/*/config.pck
chattr +i /var/lib/mailman/lists/*/config.pck
chattr +i is certainly wrong. From `man chattr`
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
What does lsattr show for these files?
Sorry, I meant that I ran the chattr +i command as a workaround; I made the files immutable as I believe some cron job keeps changing the permissions to the point we get the error:
Bug in Mailman version 2.1.29
We're sorry, we hit a bug!
So now when trying to log in to the ~/mailman/admindb/mailman admin page I get the below error, notice it’s a different permission problem:
Jul 24 13:41:51 2019 admin(5113): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(5113): [----- Mailman Version: 2.1.29 -----]
admin(5113): [----- Traceback ------]
admin(5113): Traceback (most recent call last):
admin(5113):   File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(5113):     main()
admin(5113):   File "/usr/lib/mailman/Mailman/Cgi/admindb.py", line 345, in main
admin(5113):     mlist.Save()
admin(5113):   File "/usr/lib/mailman/Mailman/MailList.py", line 613, in Save
admin(5113):     self.__save(dict)
admin(5113):   File "/usr/lib/mailman/Mailman/MailList.py", line 590, in __save
admin(5113):     os.link(fname, fname_last)
admin(5113): OSError: [Errno 1] Operation not permitted
admin(5113): [----- Python Information -----]
admin(5113): sys.version = 2.7.16 (default, Apr 30 2019, 15:54:43) [GCC 9.0.1 20190312 (Red Hat 9.0.1-0.10)]
admin(5113): sys.executable = /usr/bin/python2
admin(5113): sys.prefix = /usr
admin(5113): sys.exec_prefix = /usr
admin(5113): sys.path = ['/usr/lib/mailman/pythonlib', '/usr/lib/mailman', '/usr/lib/mailman/scripts', '/usr/lib/mailman', '/usr/lib/python27.zip', '/usr/lib64/python2.7', '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/dist-packages']
admin(5113): sys.platform = linux2
admin(5113): [----- Environment Variables -----]
admin(5113): CONTENT_LENGTH: 38
admin(5113): HTTPS: on
admin(5113): HTTP_COOKIE:
admin(5113): SERVER_NAME:
admin(5113): SERVER_PROTOCOL: HTTP/1.1
admin(5113): PYTHONPATH: /usr/lib/mailman
admin(5113): REMOTE_ADDR: 150.108.68.30
admin(5113): REQUEST_SCHEME: https
admin(5113): SCRIPT_NAME: /mailman/admindb
admin(5113): REQUEST_METHOD: POST
admin(5113): SERVER_PORT: 443
admin(5113): HTTP_HOST:
admin(5113): PATH_INFO: /mailman
admin(5113): CONTENT_TYPE: application/x-www-form-urlencoded
admin(5113): REMOTE_PORT: 55467
admin(5113): QUERY_STRING:
admin(5113): REQUEST_URI: /mailman/admindb/mailman
admin(5113): DOCUMENT_ROOT: /var/www/html

On 7/24/19 10:44 AM, Robert Kudyba wrote:
So now when trying to log in to the ~/mailman/admindb/mailman admin page I get the below error, notice it’s a different permission problem:
Jul 24 13:41:51 2019 admin(5113): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(5113): [----- Mailman Version: 2.1.29 -----]
admin(5113): [----- Traceback ------]
admin(5113): Traceback (most recent call last):
admin(5113):   File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(5113):     main()
admin(5113):   File "/usr/lib/mailman/Mailman/Cgi/admindb.py", line 345, in main
admin(5113):     mlist.Save()
admin(5113):   File "/usr/lib/mailman/Mailman/MailList.py", line 613, in Save
admin(5113):     self.__save(dict)
admin(5113):   File "/usr/lib/mailman/Mailman/MailList.py", line 590, in __save
admin(5113):     os.link(fname, fname_last)
admin(5113): OSError: [Errno 1] Operation not permitted
The admindb script is trying to save the list. To do this, it first creates a temporary config.pck.tmp.hhh.ppp file, where hhh is the host name and ppp is the PID of the process, and writes the data to that. It then unlinks (removes) config.pck.last, links config.pck to config.pck.last and finally renames config.pck.tmp.hhh.ppp to config.pck.
In your case it is the linking of config.pck to config.pck.last that is failing.
All these files should be group 'mailman' and group writable and the process should be running with effective group 'mailman'.
Did you see my reply about the file system needing to be mounted suid?
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
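
The save sequence described in the message above, together with the preconditions raised in this thread (group ownership and group write on the list files, the 'i' attribute that lsattr reports, a nosuid mount), as an added Python 3 example that is not part of the original thread and is not Mailman's code. The function names, the temp-file naming and the constructed temporary directory are assumptions for illustration; the ioctl number assumes the generic Linux encoding used on x86 and ARM.

```python
import fcntl
import os
import stat
import struct
import tempfile

FS_IMMUTABLE_FL = 0x10  # the 'i' flag shown by lsattr
# _IOR('f', 1, long) in the generic Linux ioctl encoding (assumption: x86/ARM)
FS_IOC_GETFLAGS = (2 << 30) | (struct.calcsize("l") << 16) | (ord("f") << 8) | 1


def is_immutable(path):
    """True/False for the 'i' attribute; None if it cannot be read."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = bytearray(struct.calcsize("l"))
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)  # kernel fills in an int
        return bool(struct.unpack_from("i", buf)[0] & FS_IMMUTABLE_FL)
    except OSError:
        return None  # e.g. filesystem without inode flags
    finally:
        os.close(fd)


def nosuid_mount(path):
    """True if the filesystem holding path is mounted nosuid."""
    return bool(os.statvfs(path).f_flag & os.ST_NOSUID)


def check_list_dir(list_dir, gid):
    """Findings that would break the save sequence or over-expose the files."""
    findings = []
    st = os.stat(list_dir)
    if st.st_gid != gid or not st.st_mode & stat.S_IWGRP:
        findings.append("%s: directory not group-writable by gid %d" % (list_dir, gid))
    for name in ("config.pck", "config.pck.last"):
        path = os.path.join(list_dir, name)
        if not os.path.exists(path):
            continue
        st = os.stat(path)
        if st.st_gid != gid:
            findings.append("%s: wrong group (gid %d)" % (name, st.st_gid))
        if st.st_mode & 0o060 != 0o060:
            findings.append("%s: not group-readable and group-writable" % name)
        if st.st_mode & stat.S_IWOTH:
            findings.append("%s: world-writable" % name)
        if is_immutable(path):
            findings.append("%s: immutable, link/unlink/rename will fail" % name)
    return findings


def save_config(list_dir, data, host="hhh"):
    """Temp file, unlink .last, link current -> .last, rename temp -> current."""
    fname = os.path.join(list_dir, "config.pck")
    fname_last = fname + ".last"
    fname_tmp = "%s.tmp.%s.%d" % (fname, host, os.getpid())
    fd = os.open(fname_tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o660)
    with os.fdopen(fd, "wb") as fp:
        os.fchmod(fp.fileno(), 0o660)  # do not depend on the caller's umask
        fp.write(data)
        fp.flush()
        os.fsync(fp.fileno())
    try:
        try:
            os.unlink(fname_last)
        except FileNotFoundError:
            pass
        try:
            os.link(fname, fname_last)  # EPERM here when config.pck has the 'i' flag
        except FileNotFoundError:
            pass  # first save: nothing to keep as .last
        os.rename(fname_tmp, fname)
    except OSError:
        os.unlink(fname_tmp)  # do not leave the temp file behind on failure
        raise


def demo():
    """Constructed list directory: check it, save once, return what .last holds."""
    list_dir = tempfile.mkdtemp(prefix="mm-list-")
    os.chmod(list_dir, 0o770)
    path = os.path.join(list_dir, "config.pck")
    with open(path, "wb") as fp:
        fp.write(b"old state")  # constructed sample content
    os.chmod(path, 0o660)
    findings = check_list_dir(list_dir, os.stat(path).st_gid)
    save_config(list_dir, b"new state")
    with open(path + ".last", "rb") as fp:
        previous = fp.read()
    return findings, previous


if __name__ == "__main__":
    print(demo())
    print("nosuid on /usr:", nosuid_mount("/usr"))
```

On a real host, `check_list_dir` would be pointed at a directory under /var/lib/mailman/lists with the gid of the mailman group, and `nosuid_mount` at the directory holding the setgid wrappers.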

On Jul 24, 2019, at 2:04 PM, Mark Sapiro <mark@msapiro.net> wrote:
On 7/24/19 10:44 AM, Robert Kudyba wrote:
So now when trying to log in to the ~/mailman/admindb/mailman admin page I get the below error, notice it’s a different permission problem:
Jul 24 13:41:51 2019 admin(5113): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(5113): [----- Mailman Version: 2.1.29 -----]
admin(5113): [----- Traceback ------]
admin(5113): Traceback (most recent call last):
admin(5113):   File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(5113):     main()
admin(5113):   File "/usr/lib/mailman/Mailman/Cgi/admindb.py", line 345, in main
admin(5113):     mlist.Save()
admin(5113):   File "/usr/lib/mailman/Mailman/MailList.py", line 613, in Save
admin(5113):     self.__save(dict)
admin(5113):   File "/usr/lib/mailman/Mailman/MailList.py", line 590, in __save
admin(5113):     os.link(fname, fname_last)
admin(5113): OSError: [Errno 1] Operation not permitted
The admindb script is trying to save the list. To do this, it first creates a temporary config.pck.tmp.hhh.ppp file, where hhh is the host name and ppp is the PID of the process, and writes the data to that. It then unlinks (removes) config.pck.last, links config.pck to config.pck.last and finally renames config.pck.tmp.hhh.ppp to config.pck.
In your case it is the linking of config.pck to config.pck.last that is failing.
All these files should be group 'mailman' and group writable and the process should be running with effective group 'mailman’.
By “these files” do you mean in /usr/lib/mailman? Those definitely did not have group write permissions. Do these files also need suid?
Did you see my reply about the file system needing to be mounted suid?
Yes I did and responded in line with the permissions of the sub-directories and files:
ls -l /usr/lib/mailman/cgi-bin/
total 264
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 admin
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 admindb
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 confirm
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 create
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 edithtml
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 listinfo
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 options
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 private
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 rmlist
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 roster
-rwxr-sr-x 1 mailman mailman 23056 Feb 12 06:54 subscribe
ls -l /usr/lib/mailman/mail
total 24
-rwxr-sr-x 1 mailman mailman 23176 Feb 12 06:54 mailman
ls -l /usr/lib/mailman/mail/
total 24
-rwxr-sr-x 1 mailman mailman 23176 Feb 12 06:54 mailman
ls -l /usr/lib/mailman/mail/mailman
-rwxr-sr-x 1 mailman mailman 23176 Feb 12 06:54 /usr/lib/mailman/mail/mailman

On 7/24/19 11:28 AM, Robert Kudyba wrote:
All these files should be group 'mailman' and group writable and the process should be running with effective group 'mailman’.
By “these files” do you mean in /usr/lib/mailman? Those definitely did not have group write permissions. Do these files also need suid?
I mean the ones which I think in your case are in /var/lib/mailman. Those are the ones that need to be writable by the 'mailman' group. The ones in /usr/lib/mailman only need to be readable.
Did you see my reply about the file system needing to be mounted suid?
Yes I did and responded in line with the permissions of the sub-directories and files:
ls -l /usr/lib/mailman/cgi-bin/
total 264
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 admin
...
I'm not talking about the SETGID bit on the file mode. I'm talking about the mount command that mounts the file system that contains /usr/lib/mailman. Look in /etc/fstab. The options field should not have 'nosuid'.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Did you see my reply about the file system needing to be mounted suid?
Yes I did and responded in line with the permissions of the sub-directories and files:
ls -l /usr/lib/mailman/cgi-bin/
total 264
-rwxr-sr-x 1 mailman mailman 23048 Feb 12 06:54 admin
...
I'm not talking about the SETGID bit on the file mode. I'm talking about the mount command that mounts the file system that contains /usr/lib/mailman. Look in /etc/fstab. The options field should not have 'nosuid’.
/dev/mapper/fedora_newdsm-root / xfs defaults 0 0
UUID=d526e70e-89b1-4029-bfb1-db2e50d622fe /boot ext4 defaults 1 2
/dev/mapper/fedora_newdsm-home /home xfs defaults 0 0
/dev/mapper/fedora_newdsm-var /var xfs defaults 0 0
/dev/mapper/fedora_newdsm-swap swap swap defaults 0 0
This did work a few weeks ago not sure when it started perhaps when dnf updated June 30.
And now qrunner is failing to start:
Jul 24 14:36:50 2019 (14350) Qrunner RetryRunner reached maximum restart limit of 10, not restarting.
Jul 24 14:36:50 2019 (14350) Master qrunner detected subprocess exit (pid: 14438, sig: None, sts: 1, class: IncomingRunner, slice: 1/1) [restarting]
Jul 24 14:36:50 2019 (14350) Qrunner IncomingRunner reached maximum restart limit of 10, not restarting.
systemctl start mailman
[root@dsm ~]# systemctl status mailman
● mailman.service - GNU Mailing List Manager
   Loaded: loaded (/usr/lib/systemd/system/mailman.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-07-24 15:12:09 EDT; 7s ago
  Process: 20102 ExecStartPre= (code=exited, status=0/SUCCESS)
  Process: 20103 ExecStartPre=/usr/bin/install -m644 -o mailman -g mailman /usr/lib/mailman/cron/crontab.in /etc/cron.d/mailman (code=exited, status=0/SUCCESS)
  Process: 20104 ExecStartPre=/bin/touch /var/log/mailman/error (code=exited, status=0/SUCCESS)
  Process: 20105 ExecStartPre=/bin/chown mailman:mailman /var/log/mailman/error (code=exited, status=0/SUCCESS)
  Process: 20106 ExecStartPre=/bin/chmod 666 /var/log/mailman/error (code=exited, status=0/SUCCESS)
  Process: 20107 ExecStart=/usr/lib/mailman/bin/mailmanctl -s start (code=exited, status=0/SUCCESS)
  Process: 20201 ExecStop=/usr/lib/mailman/bin/mailman-update-cfg (code=exited, status=0/SUCCESS)
  Process: 20202 ExecStop=/usr/lib/mailman/bin/mailmanctl stop (code=exited, status=0/SUCCESS)
  Process: 20203 ExecStop=/bin/sh -c echo -e "# DO NOT EDIT THIS FILE! # # Contents of this file managed by /etc/init.d/mailman # Master copy is /usr/lib/mailman/cron/crontab.in" > /etc/cron.d/mailman (code=exited, status=0/SUCCESS)
 Main PID: 20112 (code=exited, status=0/SUCCESS)
Jul 24 15:12:08 ourdomain systemd[1]: Starting GNU Mailing List Manager...
Jul 24 15:12:08 ourdomain mailmanctl[20107]: Starting Mailman's master qrunner.
Jul 24 15:12:08 ourdomain systemd[1]: Started GNU Mailing List Manager.
Jul 24 15:12:09 ourdomain mailmanctl[20202]: No child with pid: 20112
Jul 24 15:12:09 ourdomain mailmanctl[20202]: [Errno 3] No such process
Jul 24 15:12:09 ourdomain mailmanctl[20202]: Stale pid file removed.
Jul 24 15:12:09 ourdomain mailmanctl[20202]: Shutting down Mailman's master qrunner
Jul 24 15:12:09 ourdomain systemd[1]: mailman.service: Succeeded.
Also you mentioned you didn’t know what this file was:
cat /usr/lib/mailman/bin/mailman-update-cfg
#!/usr/bin/python2

# This script is needed, when SELinux is enabled:
# mailman_mail_t context cannot write to the directory
# /usr/lib/mailman/Mailman so when you change mm_cfg.py,
# mailman cannot create the .pyc
#
# This script is called in the init script, which is run in unconfined_t
# so the .pyc is created and the AVC denial is avoided. (bz#481446)

import py_compile

py_compile.compile("/usr/lib/mailman/Mailman/mm_cfg.py")

On 7/24/19 12:14 PM, Robert Kudyba wrote:
This did work a few weeks ago not sure when it started perhaps when dnf updated June 30.
And now qrunner is failing to start:
Jul 24 14:36:50 2019 (14350) Qrunner RetryRunner reached maximum restart limit of 10, not restarting.
Jul 24 14:36:50 2019 (14350) Master qrunner detected subprocess exit (pid: 14438, sig: None, sts: 1, class: IncomingRunner, slice: 1/1) [restarting]
Jul 24 14:36:50 2019 (14350) Qrunner IncomingRunner reached maximum restart limit of 10, not restarting.
There should be messages in Mailman's error and qrunner logs about this, but the qrunners should be running as user:group mailman:mailman so none of the setgid stuff should affect that.
I don't think I can be of further help here. mailmanctl should be ensuring that the qrunners are running as user:group mailman:mailman and the setgid bits (if honored) should ensure that the CGIs and mail delivery are all running as group mailman and the mailman group should have permission to read (and where necessary, write) these files.
I do not know why this isn't working in your case. Perhaps you should ask RedHat.
Also you mentioned you didn’t know what this file was:
cat /usr/lib/mailman/bin/mailman-update-cfg
#!/usr/bin/python2

# This script is needed, when SELinux is enabled:
# mailman_mail_t context cannot write to the directory
# /usr/lib/mailman/Mailman so when you change mm_cfg.py,
# mailman cannot create the .pyc
#
# This script is called in the init script, which is run in unconfined_t
# so the .pyc is created and the AVC denial is avoided. (bz#481446)

import py_compile

py_compile.compile("/usr/lib/mailman/Mailman/mm_cfg.py")
So it is part of the RedHat package.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

This did work a few weeks ago not sure when it started perhaps when dnf updated June 30.
And now qrunner is failing to start:
Jul 24 14:36:50 2019 (14350) Qrunner RetryRunner reached maximum restart limit of 10, not restarting.
Jul 24 14:36:50 2019 (14350) Master qrunner detected subprocess exit (pid: 14438, sig: None, sts: 1, class: IncomingRunner, slice: 1/1) [restarting]
Jul 24 14:36:50 2019 (14350) Qrunner IncomingRunner reached maximum restart limit of 10, not restarting.
There should be messages in Mailman's error and qrunner logs about this, but the qrunners should be running as user:group mailman:mailman so none of the setgid stuff should affect that.
Yes bottom of /var/log/mailman/qrunner:
Jul 24 15:32:36 2019 (23332) Master qrunner detected subprocess exit (pid: 23416, sig: None, sts: 1, class: ArchRunner, slice: 1/1) [restarting]
Jul 24 15:32:36 2019 (23332) Qrunner ArchRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23415, sig: None, sts: 1, class: BounceRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner BounceRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23413, sig: None, sts: 1, class: NewsRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner NewsRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23414, sig: None, sts: 1, class: IncomingRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner IncomingRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23417, sig: None, sts: 1, class: OutgoingRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner OutgoingRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23418, sig: None, sts: 1, class: CommandRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner CommandRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23419, sig: None, sts: 1, class: VirginRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner VirginRunner reached maximum restart limit of 10, not restarting.
Jul 24 15:32:37 2019 (23332) Master qrunner detected subprocess exit (pid: 23420, sig: None, sts: 1, class: RetryRunner, slice: 1/1) [restarting]
Jul 24 15:32:37 2019 (23332) Qrunner RetryRunner reached maximum restart limit of 10, not restarting.
And /var/log/mailman/error:
Jul 24 15:30:38 2019 mailmanctl(23038): [Errno 3] No such process
Jul 24 15:30:38 2019 mailmanctl(23038): Stale pid file removed.
Jul 24 15:32:37 2019 mailmanctl(23422): No child with pid: 23332
Jul 24 15:32:37 2019 mailmanctl(23422): [Errno 3] No such process
Jul 24 15:32:37 2019 mailmanctl(23422): Stale pid file removed.
It’s as if mailman is trying to stop a process that does not exist. I see some very old threads that you’ve replied to for this like: https://grokbase.com/t/python/mailman-users/0722q1bmpb/mail-stuck-in-qfiles-...
/var/log/httpd/ssl_error_log:
[Wed Jul 24 15:36:38.985638 2019] [ssl:info] [pid 13742:tid 139746600797952] [client 150.108.68.30:56795] AH01964: Connection to child 208 established (server ourserver:443)
[Wed Jul 24 15:36:38.985818 2019] [ssl:info] [pid 13742:tid 139746483365632] [client 150.108.68.30:56796] AH01964: Connection to child 212 established (server ourserver:443)
[Wed Jul 24 15:36:39.027877 2019] [core:error] [pid 13742:tid 139746600797952] (104)Connection reset by peer: [client myipaddress:56795] AH00574: ap_content_length_filter: apr_bucket_read() failed, referer: https://ourdomain/mailman/admindb/mailman

On 7/24/19 12:39 PM, Robert Kudyba wrote:
And /var/log/mailman/error:
Jul 24 15:30:38 2019 mailmanctl(23038): [Errno 3] No such process
Jul 24 15:30:38 2019 mailmanctl(23038): Stale pid file removed.
Jul 24 15:32:37 2019 mailmanctl(23422): No child with pid: 23332
Jul 24 15:32:37 2019 mailmanctl(23422): [Errno 3] No such process
Jul 24 15:32:37 2019 mailmanctl(23422): Stale pid file removed.
It’s as if mailman is trying to stop a process that does not exist.
Those are probably irrelevant in your case. The interesting stuff about the qrunner failures isn't there, probably because of permission issues.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

OK a new error. Could this be a python version issue? https://mailman-users.python.narkive.com/UxwiPAK0/installation-problem
ImportError: No module named Logging.StampedLogger
[----- Python Information -----]
sys.version = 2.7.16 (default, Apr 30 2019, 15:54:43) [GCC 9.0.1 20190312 (Red Hat 9.0.1-0.10)]
sys.executable = /usr/bin/python2
sys.prefix = /usr
sys.exec_prefix = /usr
sys.path = ['/usr/lib/mailman/pythonlib', '/usr/lib/mailman', '/usr/lib/mailman/scripts', '/usr/lib/mailman', '/usr/lib/python27.zip', '/usr/lib64/python2.7', '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/dist-packages']
sys.platform = linux2
[----- Environment Variables -----]
SERVER_NAME: ourdomain
HTTPS: on
HTTP_COOKIE: _gcl_au=1.1.1550343875.1556727714; _ga=GA1.2.1132552280.1556727715; _fbp=fb.1.1556727714883.1881292469; __utmz=239634460.1558015295.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=239634460.1132552280.1556727715.1560871178.1561057020.5; _gid=GA1.2.2016421306.1563974108
REMOTE_ADDR: 150.108.68.30
PYTHONPATH: /usr/lib/mailman
REMOTE_PORT: 56911
REQUEST_SCHEME: https
SCRIPT_NAME: /mailman/listinfo
REQUEST_METHOD: GET
HTTP_HOST: www.dsm.fordham.edu
SERVER_PORT: 443
SERVER_PROTOCOL: HTTP/1.1
QUERY_STRING:
REQUEST_URI: /mailman/listinfo
DOCUMENT_ROOT: /var/www/html

I’m getting somewhere here. First Apache httpd runs as user:apache:
ps -auwx|grep httpd
apache 4765 0.0 0.0 48708 23972 ? S 16:46 0:00 /usr/sbin/httpd -DFOREGROUND
apache 4766 0.0 0.0 2548332 31472 ? Sl 16:46 0:00 /usr/sbin/httpd -DFOREGROUND
apache 4768 0.0 0.0 2351528 31868 ? Sl 16:46 0:00 /usr/sbin/httpd -DFOREGROUND
apache 4775 0.0 0.0 2351528 32504 ? Sl 16:46 0:00 /usr/sbin/httpd -DFOREGROUND
apache 5003 0.0 0.0 2351528 32304 ? Sl 16:46 0:00 /usr/sbin/httpd -DFOREGROUND
ps -auwx |grep mailman
mailman 5956 0.0 0.0 267152 38892 ? Ss 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/mailmanctl -s start
mailman 5957 0.0 0.0 236672 20100 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman 5958 0.0 0.0 236676 19732 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman 5959 0.0 0.0 236584 20076 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman 5960 0.0 0.0 236588 20044 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman 5961 0.0 0.0 236688 20048 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman 5962 0.0 0.0 236548 19992 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman 5963 0.0 0.0 236548 20112 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman 5964 0.0 0.0 236584 20116 ? S 16:51 0:00 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
systemctl status mailman
● mailman.service - GNU Mailing List Manager
Loaded: loaded (/usr/lib/systemd/system/mailman.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-07-24 16:51:51 EDT; 6min ago
Process: 5948 ExecStartPre=/usr/lib/mailman/bin/mailman-update-cfg (code=exited, status=0/SUCCESS)
Process: 5951 ExecStartPre=/usr/bin/install -m644 -o mailman -g mailman /usr/lib/mailman/cron/crontab.in /etc/cron.d/mailman (code=exited, status=0/SUCCESS)
Process: 5952 ExecStartPre=/bin/touch /var/log/mailman/error (code=exited, status=0/SUCCESS)
Process: 5953 ExecStartPre=/bin/chown mailman:mailman /var/log/mailman/error (code=exited, status=0/SUCCESS)
Process: 5954 ExecStartPre=/bin/chmod 666 /var/log/mailman/error (code=exited, status=0/SUCCESS)
Process: 5955 ExecStart=/usr/lib/mailman/bin/mailmanctl -s start (code=exited, status=0/SUCCESS)
Main PID: 5956 (mailmanctl)
Tasks: 9 (limit: 4915)
Memory: 128.6M
CGroup: /system.slice/mailman.service
├─5956 /usr/bin/python2 /usr/lib/mailman/bin/mailmanctl -s start
├─5957 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
├─5958 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
├─5959 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
├─5960 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
├─5961 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
├─5962 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
├─5963 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
└─5964 /usr/bin/python2 /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
Jul 24 16:51:51 our domain systemd[1]: Starting GNU Mailing List Manager...
Jul 24 16:51:51 our domain mailmanctl[5955]: Starting Mailman's master qrunner.
Jul 24 16:51:51 our domain systemd[1]: Started GNU Mailing List Manager.
Now I see these files, and look at the owner:
ls -lt /var/lib/mailman/lists/mailman/
total 184
-rw-rw---- 1 apache mailman 4352 Jul 24 16:55 config.pck
-rw-rw---- 1 apache mailman 4352 Jul 24 16:55 config.pck.last
-rw-rw---- 1 apache mailman 22949 Jul 24 16:54 request.pck
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:51 config.pck.tmp.dsm.dsm.fordham.edu.5850
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:47 config.pck.tmp.dsm.dsm.fordham.edu.5342
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:46 config.pck.tmp.dsm.dsm.fordham.edu.5002
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:38 config.pck.tmp.dsm.dsm.fordham.edu.3609
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:34 config.pck.tmp.dsm.dsm.fordham.edu.2986
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:32 config.pck.tmp.dsm.dsm.fordham.edu.2727
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 13:41 config.pck.tmp.dsm.dsm.fordham.edu.5113
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:58 config.pck.tmp.dsm.dsm.fordham.edu.22328
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:40 config.pck.tmp.dsm.dsm.fordham.edu.19790
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:29 config.pck.tmp.dsm.dsm.fordham.edu.13505
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:25 config.pck.tmp.dsm.dsm.fordham.edu.15335
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:23 config.pck.tmp.dsm.dsm.fordham.edu.14826
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:23 config.pck.tmp.dsm.dsm.fordham.edu.14771
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 10:03 config.pck.tmp.dsm.dsm.fordham.edu.22176
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 10:01 config.pck.tmp.dsm.dsm.fordham.edu.22179
-rw-rw-rw- 1 mailman mailman 3122 Jul 24 10:01 pending.pck
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 09:00 config.pck.tmp.dsm.dsm.fordham.edu.6326
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 09:00 config.pck.tmp.dsm.dsm.fordham.edu.6329
-rw-rw-rw- 1 mailman mailman 2438 Jul 23 08:51 digest.mbox
Whenever I am in the admin page the 1st 3 files get changed to user:apache.
Is there perhaps something in the .service file that I need to change?
cat /usr/lib/systemd/system/mailman.service
[Unit]
Description=GNU Mailing List Manager
After=syslog.target network.target
[Service]
ExecStartPre=/usr/lib/mailman/bin/mailman-update-cfg
ExecStartPre=/usr/bin/install -m644 -o mailman -g mailman /usr/lib/mailman/cron/crontab.in /etc/cron.d/mailman
ExecStartPre=/bin/touch /var/log/mailman/error
ExecStartPre=/bin/chown mailman:mailman /var/log/mailman/error
ExecStartPre=/bin/chmod 666 /var/log/mailman/error
ExecStart=/usr/lib/mailman/bin/mailmanctl -s start
ExecReload=/usr/lib/mailman/bin/mailmanctl restart
ExecStop=/usr/lib/mailman/bin/mailman-update-cfg
ExecStop=/usr/lib/mailman/bin/mailmanctl stop
ExecStop=/bin/sh -c 'echo -e "# DO NOT EDIT THIS FILE!\n#\n# Contents of this file managed by /etc/init.d/mailman\n# Master copy is /usr/lib/mailman/cron/crontab.in" > /etc/cron.d/mailman'
Type=forking
[Install]
WantedBy=multi-user.target
Does the user NEED to be the same as who Apache runs as?

On 7/24/19 1:59 PM, Robert Kudyba wrote:
I’m getting somewhere here. First Apache httpd runs as user:apache:
Right.
Now I see these files, and look at the owner:
ls -lt /var/lib/mailman/lists/mailman/
total 184
-rw-rw---- 1 apache mailman 4352 Jul 24 16:55 config.pck
-rw-rw---- 1 apache mailman 4352 Jul 24 16:55 config.pck.last
-rw-rw---- 1 apache mailman 22949 Jul 24 16:54 request.pck
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:51 config.pck.tmp.dsm.dsm.fordham.edu.5850
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:47 config.pck.tmp.dsm.dsm.fordham.edu.5342
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:46 config.pck.tmp.dsm.dsm.fordham.edu.5002
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:38 config.pck.tmp.dsm.dsm.fordham.edu.3609
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:34 config.pck.tmp.dsm.dsm.fordham.edu.2986
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 16:32 config.pck.tmp.dsm.dsm.fordham.edu.2727
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 13:41 config.pck.tmp.dsm.dsm.fordham.edu.5113
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:58 config.pck.tmp.dsm.dsm.fordham.edu.22328
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:40 config.pck.tmp.dsm.dsm.fordham.edu.19790
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:29 config.pck.tmp.dsm.dsm.fordham.edu.13505
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:25 config.pck.tmp.dsm.dsm.fordham.edu.15335
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:23 config.pck.tmp.dsm.dsm.fordham.edu.14826
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 11:23 config.pck.tmp.dsm.dsm.fordham.edu.14771
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 10:03 config.pck.tmp.dsm.dsm.fordham.edu.22176
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 10:01 config.pck.tmp.dsm.dsm.fordham.edu.22179
-rw-rw-rw- 1 mailman mailman 3122 Jul 24 10:01 pending.pck
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 09:00 config.pck.tmp.dsm.dsm.fordham.edu.6326
-rw-rw-rw- 1 mailman mailman 4350 Jul 24 09:00 config.pck.tmp.dsm.dsm.fordham.edu.6329
-rw-rw-rw- 1 mailman mailman 2438 Jul 23 08:51 digest.mbox
Whenever I am in the admin page the 1st 3 files get changed to user:apache.
This is all as it should be.
Note that all the config.pck.tmp.dsm.dsm.fordham.edu.pppp files are left from when the linking of config.pck to config.pck.last failed as described at <https://mail.python.org/pipermail/mailman-users/2019-July/084590.html>. They can be removed.
The owner of these files doesn't matter. It is the mailman group that matters. When apache saves a list, it is running as user:group apache:mailman. This is how the files get created. It is the mailman group and its permissions that allow this. When a qrunner saves a list it is running as mailman:mailman and the created files have that user:group. When a web CGI saves a list it is running as apache:mailman and the created files have that user:group.
This is all expected and it is the group permissions that allow the operations.
Is there perhaps something in the .service file that I need to change?
cat /usr/lib/systemd/system/mailman.service
[Unit]
Description=GNU Mailing List Manager
After=syslog.target network.target
[Service]
ExecStartPre=/usr/lib/mailman/bin/mailman-update-cfg
Ask RedHat about this one.
ExecStartPre=/usr/bin/install -m644 -o mailman -g mailman /usr/lib/mailman/cron/crontab.in /etc/cron.d/mailman
This is also a RedHat thing.
ExecStartPre=/bin/touch /var/log/mailman/error
ExecStartPre=/bin/chown mailman:mailman /var/log/mailman/error
ExecStartPre=/bin/chmod 666 /var/log/mailman/error
The above should not be necessary at all.
ExecStart=/usr/lib/mailman/bin/mailmanctl -s start
ExecReload=/usr/lib/mailman/bin/mailmanctl restart
ExecStop=/usr/lib/mailman/bin/mailman-update-cfg
ExecStop=/usr/lib/mailman/bin/mailmanctl stop
ExecStop=/bin/sh -c 'echo -e "# DO NOT EDIT THIS FILE!\n#\n# Contents of this file managed by /etc/init.d/mailman\n# Master copy is /usr/lib/mailman/cron/crontab.in" > /etc/cron.d/mailman'
Type=forking
[Install]
WantedBy=multi-user.target
Does the user NEED to be the same as who Apache runs as?
No. The group has to be mailman. The user is irrelevant.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

OK almost there. I can get into the admin however for each list, I am still getting permission errors. Here are the current perms:
ls -l /var/lib/mailman/lists/datastr
total 32
-rw-rw-rw- 1 mailman mailman 9250 Jul 23 14:15 config.pck
-rw-rw-rw- 1 mailman mailman 9250 Jul 23 09:00 config.pck.last
-rw-rw-rw- 1 mailman mailman 130 Mar 31 2016 pending.pck
-rw-rw-rw- 1 mailman mailman 20 Apr 1 2016 request.pck
ls -ld /var/lib/mailman/lists/datastr
drwxrwsr-x 2 mailman mailman 85 Jul 23 14:15 /var/lib/mailman/lists/datastr
ls -ld /var/lib/mailman/lists/
drwxrwsr-x 25 mailman mailman 4096 Feb 12 06:53 /var/lib/mailman/lists/
ls -ld /var/lib/mailman/
drwxrwsr-x 6 root mailman 59 Feb 12 06:53 /var/lib/mailman/
So the below tmp file cannot write into the directory.
Jul 25 10:45:29 2019 (10878) Failed config.pck write, retaining old state.
[Errno 13] Permission denied: '/var/lib/mailman/lists/datastr/config.pck.tmp.ourdomain.edu.10878'
Jul 25 10:45:29 2019 admin(10878): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(10878): [----- Mailman Version: 2.1.29 -----]
admin(10878): [----- Traceback ------]
admin(10878): Traceback (most recent call last):
admin(10878): File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(10878): main()
admin(10878): File "/usr/lib/mailman/Mailman/Cgi/admin.py", line 250, in main
admin(10878): mlist.Save()
admin(10878): File "/usr/lib/mailman/Mailman/MailList.py", line 613, in Save
admin(10878): self.__save(dict)
admin(10878): File "/usr/lib/mailman/Mailman/MailList.py", line 568, in __save
admin(10878): fp = open(fname_tmp, 'w')
admin(10878): IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/datastr/config.pck.tmp.ourdomain.edu.10878'
admin(10878): [----- Python Information -----]
admin(10878): sys.version = 2.7.16 (default, Apr 30 2019, 15:54:43) [GCC 9.0.1 20190312 (Red Hat 9.0.1-0.10)]
admin(10878): sys.executable = /usr/bin/python2
admin(10878): sys.prefix = /usr
admin(10878): sys.exec_prefix = /usr
admin(10878): sys.path = ['/usr/lib/mailman/pythonlib', '/usr/lib/mailman', '/usr/lib/mailman/scripts', '/usr/lib/mailman', '/usr/lib/python27.zip', '/usr/lib64/python2.7', '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/dist-packages']
admin(10878): sys.platform = linux2
admin(10878): [----- Environment Variables -----]
admin(10878): CONTENT_LENGTH: 38
admin(10878): HTTPS: on
admin(10878): HTTP_COOKIE:
admin(10878): SERVER_NAME: ourdomain.edu
admin(10878): SERVER_PROTOCOL: HTTP/1.1
admin(10878): PYTHONPATH: /usr/lib/mailman
admin(10878): REMOTE_ADDR: myip
admin(10878): REQUEST_SCHEME: https
admin(10878): SCRIPT_NAME: /mailman/admin
admin(10878): REQUEST_METHOD: POST
admin(10878): SERVER_PORT: 443
admin(10878): HTTP_HOST: ourdomain.edu
admin(10878): PATH_INFO: /datastr
admin(10878): CONTENT_TYPE: application/x-www-form-urlencoded
admin(10878): REMOTE_PORT: 53063
admin(10878): QUERY_STRING:
admin(10878): REQUEST_URI: /mailman/admin/datastr
admin(10878): DOCUMENT_ROOT: /var/www/html
Isn't this similar to my other issue? I believe the user "apache" needs to write that tmp file?

On 7/25/19 7:50 AM, Robert Kudyba wrote:
OK almost there. I can get into the admin however for each list, I am still getting permission errors.
Here are the current perms:
ls -l /var/lib/mailman/lists/datastr
total 32
-rw-rw-rw- 1 mailman mailman 9250 Jul 23 14:15 config.pck
-rw-rw-rw- 1 mailman mailman 9250 Jul 23 09:00 config.pck.last
-rw-rw-rw- 1 mailman mailman 130 Mar 31 2016 pending.pck
-rw-rw-rw- 1 mailman mailman 20 Apr 1 2016 request.pck
The 'other' permissions above should not be needed.
ls -ld /var/lib/mailman/lists/datastr
drwxrwsr-x 2 mailman mailman 85 Jul 23 14:15 /var/lib/mailman/lists/datastr
If you make this directory o+w it will solve your problem, but that is the wrong solution.
So the below tmp file cannot write into the directory.
Jul 25 10:45:29 2019 (10878) Failed config.pck write, retaining old state.
[Errno 13] Permission denied: '/var/lib/mailman/lists/datastr/config.pck.tmp.ourdomain.edu.10878'
Jul 25 10:45:29 2019 admin(10878): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(10878): [----- Mailman Version: 2.1.29 -----]
admin(10878): [----- Traceback ------]
admin(10878): Traceback (most recent call last):
admin(10878): File "/usr/lib/mailman/scripts/driver", line 117, in run_main
admin(10878): main()
admin(10878): File "/usr/lib/mailman/Mailman/Cgi/admin.py", line 250, in main
admin(10878): mlist.Save()
admin(10878): File "/usr/lib/mailman/Mailman/MailList.py", line 613, in Save
admin(10878): self.__save(dict)
admin(10878): File "/usr/lib/mailman/Mailman/MailList.py", line 568, in __save
admin(10878): fp = open(fname_tmp, 'w')
admin(10878): IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/datastr/config.pck.tmp.ourdomain.edu.10878'
...
Isn't this similar to my other issue? I believe the user "apache" needs to write that tmp file?
All your issues point to the same thing. The SETGID bit on the /usr/lib/mailman/cgi-bin/ wrappers is not being honored and the CGI processes are not running as effective group 'mailman'.
To see the effective group that the CGIs run as, apply the attached patch to /usr/lib/mailman/scripts/driver. This will print the effective group of the process between the Traceback and the Python Information. It should be 'mailman', but I think in your case it won't be.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
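Added example (not part of the thread and not Mailman code): a small model of the permission check that decides whether a process may create config.pck.tmp.* in a list directory, run against the `ls -ld` line quoted above for an effective group of 'apache' versus 'mailman'. The function names and the optional supplementary-group parameter are assumptions made for illustration; uid 0 bypassing the check is not modelled.

```python
"""Model the directory write check that fails for the Mailman CGI (added example)."""
import grp
import os
import stat

PERM_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL = {3: stat.S_ISUID, 6: stat.S_ISGID, 9: stat.S_ISVTX}
# Creating a file needs write and search permission on the directory.
NEEDED = {"user": stat.S_IWUSR | stat.S_IXUSR,
          "group": stat.S_IWGRP | stat.S_IXGRP,
          "other": stat.S_IWOTH | stat.S_IXOTH}


def parse_mode(sym):
    """Convert an `ls -l` mode string such as 'drwxrwsr-x' to mode bits."""
    sym = sym.rstrip(".+")  # ls appends these for SELinux contexts and ACLs
    if len(sym) != 10:
        raise ValueError("not a 10-character mode string: %r" % sym)
    mode = stat.S_IFDIR if sym[0] == "d" else stat.S_IFREG
    for pos, (ch, bit) in enumerate(zip(sym[1:], PERM_BITS), start=1):
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT" and pos in SPECIAL:
            mode |= SPECIAL[pos]
            if ch in "st":  # lowercase means the execute bit is set as well
                mode |= bit
        elif ch != "-":
            raise ValueError("unexpected %r in %r" % (ch, sym))
    return mode


def access_class(owner, group, proc_user, proc_egroup, supplementary=()):
    """Pick the single permission class applied to this process."""
    if proc_user == owner:
        return "user"
    if proc_egroup == group or group in supplementary:
        return "group"
    return "other"


def diagnose(ls_line, proc_user, proc_egroup, supplementary=()):
    """Evaluate one `ls -ld` directory line against a process identity."""
    fields = ls_line.split()
    mode, owner, group, path = parse_mode(fields[0]), fields[2], fields[3], fields[-1]
    cls = access_class(owner, group, proc_user, proc_egroup, supplementary)
    return {
        "path": path,
        "class": cls,
        "can_create": (mode & NEEDED[cls]) == NEEDED[cls],
        # In a setgid directory a new file takes the directory's group.
        "new_file_group": group if mode & stat.S_ISGID else proc_egroup,
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def effective_group():
    """Name of this process's effective group (numeric string if unnamed)."""
    egid = os.getegid()
    try:
        return grp.getgrgid(egid).gr_name
    except KeyError:
        return str(egid)


# Constructed sample: the `ls -ld` line quoted in the thread.
LIST_DIR = "drwxrwsr-x 2 mailman mailman 85 Jul 23 14:15 /var/lib/mailman/lists/datastr"

if __name__ == "__main__":
    print("this process: effective group =", effective_group())
    for user, egroup in (("apache", "apache"), ("apache", "mailman"),
                         ("mailman", "mailman")):
        r = diagnose(LIST_DIR, user, egroup)
        print("%s:%s -> class=%s can_create=%s new_file_group=%s" % (
            user, egroup, r["class"], r["can_create"], r["new_file_group"]))
    # o+w lets the write through, but for every account on the host.
    widened = diagnose(LIST_DIR.replace("drwxrwsr-x", "drwxrwsrwx"), "apache", "apache")
    print("after o+w: can_create=%s world_writable=%s" % (
        widened["can_create"], widened["world_writable"]))
```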

To see the effective group that the CGIs run as, apply the attached patch to /usr/lib/mailman/scripts/driver. This will print the effective group of the process between the Traceback and the Python Information. It should be 'mailman', but I think in your case it won't be.
Indeed you are correct:
admin(15157): IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/algs-da/config.pck'
admin(15157): Process effective group = apache
Where do I change this?

On 7/25/19 11:34 AM, Robert Kudyba wrote:
Indeed you are correct:
admin(15157): IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/algs-da/config.pck'
admin(15157): Process effective group = apache
Where do I change this?
As far as I can see, everything you have is as it should be. I.e., the wrappers are group 'mailman' and SETGID and the file system is mounted without 'nosuid'.
Also, manipulating ownership and permissions of config.pck files is not a solution. Because of the way they are updated, changed permissions will be reversed.
This is a Fedora issue of some kind. You will have to contact Fedora.
The only other thing I can suggest is you have the following in /etc/fstab:
/dev/mapper/fedora_newdsm-root / xfs defaults 0 0
UUID=d526e70e-89b1-4029-bfb1-db2e50d622fe /boot ext4 defaults 1 2
/dev/mapper/fedora_newdsm-home /home xfs defaults 0 0
/dev/mapper/fedora_newdsm-var /var xfs defaults 0 0
/dev/mapper/fedora_newdsm-swap swap swap defaults 0 0
It's a stretch, but you might try changing 'defaults' to 'defaults,suid' at least on / and /var in case Fedora changed the default to nosuid.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
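Added example (not from the thread, and not Mailman or Fedora code): the checks named in the message above, collected into one audit of a setgid CGI wrapper: group ownership, the setgid bit, and 'nosuid' on the containing mount. It goes one step beyond the thread by also reading the NoNewPrivs field of the web server's /proc/<pid>/status, since the kernel ignores setgid on exec for a process with that flag set; the wrapper name 'admin', the mount options and the status text are constructed sample values.

```python
"""Audit a setgid CGI wrapper whose group is not taking effect (added example)."""
import grp
import os
import stat


def parse_mounts(text):
    """Parse /proc/mounts-style text into [(mount_point, {options})]."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((fields[1], set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Return the entry for the deepest mount point that contains path."""
    best = None
    for point, opts in mounts:
        prefix = point.rstrip("/") + "/"
        if path == point or path.startswith(prefix):
            if best is None or len(point) >= len(best[0]):
                best = (point, opts)  # later entries win ties (over-mounts)
    return best


def no_new_privs(status_text):
    """Read NoNewPrivs from /proc/<pid>/status text; None if the field is absent."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "NoNewPrivs":
            return value.strip() == "1"
    return None


def wrapper_findings(path, mode, group, mounts, server_status="",
                     expected_group="mailman"):
    """Return the reasons this wrapper would not run with expected_group."""
    findings = []
    if group != expected_group:
        findings.append("group is %s, expected %s" % (group, expected_group))
    if not mode & stat.S_ISGID:
        findings.append("setgid bit is not set")
    elif not mode & stat.S_IXGRP:
        findings.append("setgid without group execute is not applied on exec")
    entry = mount_for(path, mounts)
    if entry and "nosuid" in entry[1]:
        findings.append("mount %s has nosuid" % entry[0])
    if no_new_privs(server_status):
        findings.append("web server process has NoNewPrivs set")
    return findings


def audit(path, server_pid):
    """Run the same checks against the live system (Linux only)."""
    path = os.path.realpath(path)
    st = os.stat(path)
    with open("/proc/mounts") as fh:
        mounts = parse_mounts(fh.read())
    with open("/proc/%d/status" % server_pid) as fh:
        status = fh.read()
    group = grp.getgrgid(st.st_gid).gr_name
    return wrapper_findings(path, st.st_mode, group, mounts, status)


# Constructed samples; device names follow the fstab quoted in the thread.
WRAPPER = "/usr/lib/mailman/cgi-bin/admin"
MOUNTS_OK = ("/dev/mapper/fedora_newdsm-root / xfs rw,relatime 0 0\n"
             "/dev/mapper/fedora_newdsm-var /var xfs rw,relatime 0 0\n")
MOUNTS_NOSUID = MOUNTS_OK.replace("/ xfs rw,relatime", "/ xfs rw,nosuid,relatime")
STATUS_NNP = "Name:\thttpd\nNoNewPrivs:\t1\n"

if __name__ == "__main__":
    good = stat.S_IFREG | 0o2755
    print(wrapper_findings(WRAPPER, good, "mailman", parse_mounts(MOUNTS_OK)))
    print(wrapper_findings(WRAPPER, good, "mailman", parse_mounts(MOUNTS_NOSUID)))
    print(wrapper_findings(WRAPPER, good, "mailman", parse_mounts(MOUNTS_OK), STATUS_NNP))
```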

Also, manipulating ownership and permissions of config.pck files is not a solution. Because of the way they are updated, changed permissions will be reversed.
Yes I'm seeing that.
This is a Fedora issue of some kind. You will have to contact Fedora.
I'll open a bug up at the Bugzilla and reference this thread. I'm surprised no one else has brought this up.
The only other thing I can suggest is you have the following in /etc/fstab:
/dev/mapper/fedora_newdsm-root / xfs defaults 0 0
UUID=d526e70e-89b1-4029-bfb1-db2e50d622fe /boot ext4 defaults 1 2
/dev/mapper/fedora_newdsm-home /home xfs defaults 0 0
/dev/mapper/fedora_newdsm-var /var xfs defaults 0 0
/dev/mapper/fedora_newdsm-swap swap swap defaults 0 0
It's a stretch, but you might try changing 'defaults' to 'defaults,suid' at least on / and /var in case Fedora changed the default to nosuid.
I did that, ran mount -a, restarted httpd and mailman, no difference.
Have you seen the suggestion to use Apache with suexec at https://wiki.list.org/DOC/Apache+Suexec ? My first attempt was unsuccessful, I kept getting:
Apache-Error: [file "util_script.c"] [line 497] [level 3] End of script output before headers: listinfo
Apache-Handler: cgi-script
Perhaps that's too old, 2010?

On 7/25/19 2:30 PM, Robert Kudyba wrote:
Have you seen the suggestion to use Apache with suexec at https://wiki.list.org/DOC/Apache+Suexec ? My first attempt was unsuccessful
FWIW I could never get suexec to work reliably.
Repartition the drive properly (get rid of LVM), use ext4, mount with "suid", disable selinux, and generally: upgrade your system to centos 6 or alpine if you need the latest kernel.
-- Dimitri Maziuk Programmer/sysadmin BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

On 7/25/19 12:30 PM, Robert Kudyba wrote:
Have you seen the suggestion to use Apache with suexec at https://wiki.list.org/DOC/Apache+Suexec ? My first attempt was unsuccessful, I kept getting:
Apache-Error: [file "util_script.c"] [line 497] [level 3] End of script output before headers: listinfo
Apache-Handler: cgi-script
That says the CGI process terminated before producing any output, but that's not too useful by itself. Is there anything else in Apache's logs or Mailman's error log?
We do not recommend using Apache SuEXEC. It is difficult to configure properly. You need to ensure you have addressed all 20 points at <http://httpd.apache.org/docs/current/suexec.html#model>
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 7/24/19 12:48 PM, Robert Kudyba wrote:
OK a new error. Could this be a python version issue? https://mailman-users.python.narkive.com/UxwiPAK0/installation-problem
This is not a python issue. Logging.StampedLogger is a Mailman module, it should be /usr/lib/Mailman/Logging/StampedLogger.py.
This may be another manifestation of your permissions issues.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (3): Dimitri Maziuk, Mark Sapiro, Robert Kudyba