how to run mailman scripts beside being root?
I am running other applications that need to invoke mailman to create a new list and add a member to the list by calling "newlist" and "add_members" as user "tomcat".
I have mailman setup with ownership "root" and group "mailman". So how do I make mailman scripts "newlist" and "add_members" so they can be run as user tomcat? Although the permissions on these scripts are 755, it doesn't allow other users besides root to create a new list or add a member to the list.
So, when I run my application as user tomcat calling these scripts, I get error:
Enter the email of the person running the list: jnguyen@test.edu
Initial jtest11 password:
Traceback (most recent call last):
  File "./newlist_new", line 254, in ?
    main()
  File "./newlist_new", line 196, in main
    mlist.Create(listname, owner_mail, pw)
  File "/usr/local/mailman/Mailman/MailList.py", line 488, in Create
    self._full_path = Site.get_listpath(name, create=1)
  File "/usr/local/mailman/Mailman/Site.py", line 65, in get_listpath
    _makedir(path)
  File "/usr/local/mailman/Mailman/Site.py", line 40, in _makedir
    os.makedirs(path, 02775)
  File "/usr/lib/python2.3/os.py", line 154, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/usr/local/mailman/lists/jtest11'
Jana Nguyen sent the message below at 10:39 5/30/2006:
I am running other applications that need to invoke mailman to create a new list and add a member to the list by calling "newlist" and "add_members" as user "tomcat".
I have mailman setup with ownership "root" and group "mailman". So how do I make mailman scripts "newlist" and "add_members" so they can be run as user tomcat? Although the permissions on these scripts are 755, it doesn't allow other users besides root to create a new list or add a member to the list.
---------------- End original message. ---------------------
First thing I will point out is that running anything as root is a bad idea unless you absolutely need root access. I would suggest creating a user named mailman with no shell access and using that as the owner instead. This is a pretty important thing for security; root access can have very serious implications and may allow an attacker to gain control of your server.
The real problem you are having here is tied to the permissions on the list directory you are trying to access. This is the critical information in the traceback:
OSError: [Errno 13] Permission denied: '/usr/local/mailman/lists/jtest11'
In order to get things to work the way you want, the user tomcat must be made a member of the mailman group. All of the scripts should be configured as set_gid, and the list configuration files and associated directories should be group writable. If they aren't, you should run bin/fix_perms -f to configure the permissions correctly.
But before you do that, I would very seriously recommend that you rebuild and reinstall your mailman installation so it is not owned by root before somebody trashes your machine.
Dragon
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
Dragon wrote:
Jana Nguyen sent the message below at 10:39 5/30/2006:
I am running other applications that need to invoke mailman to create a new list and add a member to the list by calling "newlist" and "add_members" as user "tomcat".
I have mailman setup with ownership "root" and group "mailman". So how do I make mailman scripts "newlist" and "add_members" so they can be run as user tomcat? Although the permissions on these scripts are 755, it doesn't allow other users besides root to create a new list or add a member to the list.
---------------- End original message. ---------------------
First thing I will point out is that running anything as root is a bad idea unless you absolutely need root access. I would suggest creating a user named mailman with no shell access and using that as the owner instead. This is a pretty important thing for security; root access can have very serious implications and may allow an attacker to gain control of your server.
The real problem you are having here is tied to the permissions on the list directory you are trying to access. This is the critical information in the traceback:
OSError: [Errno 13] Permission denied: '/usr/local/mailman/lists/jtest11'
In order to get things to work the way you want, the user tomcat must be made a member of the mailman group.
I added user tomcat to mailman group in /etc/group
All of the scripts should be configured as set_gid,
How can I configure the scripts as set_gid? This does not seem to be on the list of configuration options which mailman doc described.
and the list configuration files and associated directories should be group writable. If they aren't, you should run bin/fix_perms -f to configure the permissions correctly.
I don't have bin/fix_perms script. I'm running mailman 2.1. So I manually chmod 775 to lists dir.
Thanks!
But before you do that, I would very seriously recommend that you rebuild and reinstall your mailman installation so it is not owned by root before somebody trashes your machine.
Dragon
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
Jana Nguyen sent the message below at 13:16 5/30/2006:
I added user tomcat to mailman group in /etc/group
OK. That's a good thing and once the permissions are set right, things will work. See below...
How can I configure the scripts as set_gid? This does not seem to be on the list of configuration options which mailman doc described.
This is taken care of via a mailman script... see below.
I don't have bin/fix_perms script. I'm running mailman 2.1. So I manually chmod 775 to lists dir.
My apologies, I got the name wrong. It is the bin/check_perms script. This script will be located in the bin directory under the installation directory where mailman resides. As an example, on my system mailman lives in the /usr/local/mailman directory.
Use the -f option of check_perms to fix things that are not correct. This should have been done as part of the installation of the mailman distribution; it is one of the steps detailed in the installation process after doing "make install".
You do really want to use the check_perms script just in case something is amiss elsewhere. It is designed to make sure that all files and directories in your mailman installation have the correct permissions and owner/group assigned.
Dragon
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
Dragon wrote:
Jana Nguyen sent the message below at 13:16 5/30/2006:
I added user tomcat to mailman group in /etc/group
OK. That's a good thing and once the permissions are set right, things will work. See below...
How can I configure the scripts as set_gid? This does not seem to be on the list of configuration options which mailman doc described.
This is taken care of via a mailman script... see below.
The bin/* scripts are NOT setgid and 'bin/check_perms -f' will not make them setgid. This is generally a good thing because in general you don't want anyone who happens to have access to the box to be able to run the bin/* scripts. They should only be runnable by a user in the mailman group or root.
In Jana's case, adding 'tomcat' to the mailman group should allow 'tomcat' to successfully run the scripts.
--
Mark Sapiro msapiro@value.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Mark Sapiro sent the message below at 15:50 5/30/2006:
The bin/* scripts are NOT setgid and 'bin/check_perms -f' will not make them setgid. This is generally a good thing because in general you don't want anyone who happens to have access to the box to be able to run the bin/* scripts. They should only be runnable by a user in the mailman group or root.
In Jana's case, adding 'tomcat' to the mailman group should allow 'tomcat' to successfully run the scripts.
---------------- End original message. ---------------------
My mistake, I was thinking it worked differently than it does. However, she e-mailed me a while ago to let me know that adding the user to the mailman group and running the check_perms script fixed her problem.
So even though I was a bit mixed up there about the details, she did get to where she needed to be.
Dragon
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
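A read-only check of the two conditions this thread settles on (tomcat in the mailman group; list directories group-owned, group-writable and setgid, the 02775 mode seen in the traceback), as an added example that is not from any of the posters or from Mailman itself. The function names are hypothetical; the user, group, path and check_perms hint are the thread's.

```shell
#!/bin/sh
# Added example: audits the group setup discussed in this thread without
# changing anything. Function names are hypothetical, not Mailman's.

# Succeeds if USER's group list (from the account database) contains GROUP.
# A running daemon only picks up a new group after it is restarted.
user_in_group() {
    memberships=$(id -Gn "$1" 2>/dev/null) || return 1
    for g in $memberships; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Prints every directory under DIR that is not owned by GROUP or lacks
# group rwx plus the setgid bit (mode bits 2070, part of 02775).
# Returns 0 if none are found, 1 if any are, 2 if DIR cannot be walked.
bad_list_dirs() {
    out=$(find "$1" -type d \( ! -group "$2" -o ! -perm -2070 \) -print) || return 2
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# audit USER GROUP LISTS_DIR: runs both checks and reports what is wrong.
audit() {
    rc=0
    user_in_group "$1" "$2" || { echo "$1 is not in group $2"; rc=1; }
    bad_list_dirs "$3" "$2" || { echo "run bin/check_perms -f as root"; rc=1; }
    return $rc
}

# Invocation with the thread's values:
#   audit tomcat mailman /usr/local/mailman/lists
```

Run it as a user that can read the whole lists tree, otherwise bad_list_dirs returns 2 and the audit reports a failure.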
participants (3)
- Dragon
- Jana Nguyen
- Mark Sapiro