Archive access Forbidden
Thank you in advance for replies. The list is now working fine however access to the archive is blocked:
From: http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce
On line: To see collection of prior postings to the list, visit the clicking link for > bps_comps_print_announce Archives
goes to: http://www.vizion2000.net/pipermail/bps_comps_print_announce/
with result:
Forbidden
You don't have permission to access /pipermail/bps_comps_print_announce/ on this server
Attempt to view archives from Topic Section of the mailing list administration page using link for > Go to list archives also fails
Extract from httpd-error.log
[Tue Dec 29 12:50:12 2009] [error] [client 62.49.197.51] attempt to invoke directory as script: /usr/local/mailman/cgi-bin/
[Tue Dec 29 12:50:47 2009] [error] [client 62.49.197.51] Symbolic link not allowed or link target not accessible: /usr/local/mailman/archives/public/bps_comps_print_announce, referer: http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce
Extract from httpd.conf
ScriptAlias /mailman "/usr/local/mailman/cgi-bin"
<Directory "/usr/local/mailman">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /pipermail "/usr/local/mailman/archives/public"
<Directory "/usr/local/mailman/archives/public">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
Options Indexes MultiViews
AddDefaultCharset Off
</Directory>
dns1# pwd
/usr/local/mailman
dns1# ls -l
total 36
drwxrwsr-x 11 mailman mailman 2048 Dec 29 09:03 Mailman
drwxrwsr-x 4 www www 512 Dec 28 13:07 archives
drwxrwsr-x 2 root mailman 1024 Dec 28 13:07 bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cgi-bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cron
drwxrwsr-x 2 mailman mailman 512 Dec 28 15:54 data
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 icons
drwxrwsr-x 6 mailman mailman 512 Dec 28 15:45 lists
drwxrwsr-x 2 root mailman 512 Dec 29 14:00 locks
drwxrwsr-x 2 mailman mailman 512 Dec 29 09:04 logs
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 mail
drwxrwsr-x 37 root mailman 512 Dec 28 13:07 messages
drwxrwsr-x 5 root mailman 512 Dec 28 13:07 pythonlib
drwxrwsr-x 11 mailman mailman 512 Dec 28 15:54 qfiles
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 scripts
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 spam
drwxrwsr-x 38 root mailman 512 Dec 28 13:07 templates
drwxrwsr-x 4 root mailman 512 Dec 28 13:07 tests
dns1# cd archives
dns1# ls -l
total 4
drwxrws--- 10 www www 512 Dec 28 15:45 private
drwxrwsr-x 2 www www 512 Dec 28 15:46 public
dns1# cd private
dns1# ls -l
total 16
drwxrwsr-x 2 www www 512 Dec 19 17:58 bps_comp_print_chat
drwxrwsr-x 2 www www 512 Dec 19 17:58 bps_comp_print_chat.mbox
drwxrwsr-x 2 www www 512 Dec 19 17:57 bps_comp_print_reminders
drwxrwsr-x 2 www www 512 Dec 19 17:57 bps_comp_print_reminders.mbox
drwxrwsr-x 4 www www 512 Dec 29 03:27 bps_comps_print_announce
drwxrwsr-x 2 www www 512 Dec 28 15:54 bps_comps_print_announce.mbox
drwxrwsr-x 2 www www 512 Dec 28 15:45 mailman
drwxrwsr-x 2 www www 512 Dec 28 15:45 mailman.mbox
dns1# cd ../public
dns1# ls -l
total 0
lrwxr-xr-x 1 www www 55 Dec 19 17:58 bps_comp_print_chat -> /usr/local/mailman/archives/private/bps_comp_print_chat
lrwxr-xr-x 1 www www 60 Dec 19 17:57 bps_comp_print_reminders -> /usr/local/mailman/archives/private/bps_comp_print_reminders
lrwxr-xr-x 1 www www 60 Dec 19 17:56 bps_comps_print_announce -> /usr/local/mailman/archives/private/bps_comps_print_announce
dns1# cd /usr/local/mailman/archives/private/bps_comps_print_announce
dns1# ls -l
total 14
drwxrwsr-x 2 www www 512 Dec 28 15:54 2009-December
-rw-rw-r-- 1 www www 2870 Dec 28 15:54 2009-December.txt
-rw-rw-r-- 1 www www 1356 Dec 29 03:27 2009-December.txt.gz
drwxrws--- 2 www www 512 Dec 28 15:54 database
-rw-rw-r-- 1 www www 1110 Dec 28 15:54 index.html
-rw-rw---- 1 www www 870 Dec 28 15:54 pipermail.pck
dns1#
Thanks in advance
David Southwell wrote:
Thank you in advance for replies. The list is now working fine however access to the archive is blocked [...]
dns1# pwd
/usr/local/mailman
dns1# ls -l
total 36
drwxrwsr-x 11 mailman mailman 2048 Dec 29 09:03 Mailman
drwxrwsr-x 4 www www 512 Dec 28 13:07 archives
This and everything subordinate to it needs to be group mailman.
drwxrwsr-x 2 root mailman 1024 Dec 28 13:07 bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cgi-bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cron
drwxrwsr-x 2 mailman mailman 512 Dec 28 15:54 data
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 icons
drwxrwsr-x 6 mailman mailman 512 Dec 28 15:45 lists
drwxrwsr-x 2 root mailman 512 Dec 29 14:00 locks
drwxrwsr-x 2 mailman mailman 512 Dec 29 09:04 logs
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 mail
drwxrwsr-x 37 root mailman 512 Dec 28 13:07 messages
drwxrwsr-x 5 root mailman 512 Dec 28 13:07 pythonlib
drwxrwsr-x 11 mailman mailman 512 Dec 28 15:54 qfiles
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 scripts
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 spam
drwxrwsr-x 38 root mailman 512 Dec 28 13:07 templates
drwxrwsr-x 4 root mailman 512 Dec 28 13:07 tests
dns1# cd archives
dns1# ls -l
total 4
drwxrws--- 10 www www 512 Dec 28 15:45 private
The owner of archives/private needs to be the user the web server runs as. I would think that would be 'www', but then I don't understand why public archive access doesn't work.
See <http://www.list.org/mailman-install/node9.html> for info on archives/private. Normally, it is o+x, but if not, it needs to be owned by the web server user but still group mailman.
check_perms should fix a lot of this, but you may also need to do
chgrp -R mailman /usr/local/mailman/archives/
and possibly
for d in `find /usr/local/mailman/archives/ -type d -print`; do
chmod g+s $d
done
With the ownership and permissions you have here, Mailman shouldn't be able to even store anything in the archives.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
-----Original Message-----
From: mailman-users-bounces+s.watkins=nhm.ac.uk@python.org [mailto:mailman-users-bounces+s.watkins=nhm.ac.uk@python.org] On Behalf Of David Southwell
Sent: 29 December 2009 15:04
To: mailman-users@python.org
Subject: [Mailman-Users] Archive access Forbidden
with result:
Forbidden
You don't have permission to access /pipermail/bps_comps_print_announce/ on this server
Attempt to view archives from Topic Section of the mailing list administration page using link for > Go to list archives also fails
Extract from httpd-error.log
[Tue Dec 29 12:50:12 2009] [error] [client 62.49.197.51] attempt to invoke directory as script: /usr/local/mailman/cgi-bin/
[Tue Dec 29 12:50:47 2009] [error] [client 62.49.197.51] Symbolic link not allowed or link target not accessible: /usr/local/mailman/archives/public/bps_comps_print_announce, referer: http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce
Extract from httpd.conf
ScriptAlias /mailman "/usr/local/mailman/cgi-bin"
<Directory "/usr/local/mailman">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /pipermail "/usr/local/mailman/archives/public"
<Directory "/usr/local/mailman/archives/public">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
Options Indexes MultiViews
AddDefaultCharset Off
</Directory>
Hi,
I'm guessing that the directory indexing mechanism of Apache is getting confused.
The line
ScriptAlias /pipermail "/usr/local/mailman/archives/public"
tells Apache that anything with a URI starting with /pipermail is a script, so Apache will take any call to that URI as a call for an executable.
Looking at my local setup I see that the only indexing material in the 'archive/public' subdirectories is the file index.html.
So you have to configure Apache to look for index.html as the indexing mechanism within a "script only" directory. Something like:
<Directory "/usr/local/mailman/archives/public">
....
....
DirectoryIndex index.html
</Directory>
should do the trick. Don't forget to restart Apache after adding that line.
HTH, S Watkins
Steff Watkins wrote:
I'm guessing that the directory indexing mechanism of Apache is getting confused.
The line
ScriptAlias /pipermail "/usr/local/mailman/archives/public"
tells Apache that anything with a URI starting with /pipermail is a script, so Apache will take any call to that URI as a call for an executable.
Good catch! I missed that. It should be
Alias /pipermail "/usr/local/mailman/archives/public"
not ScriptAlias.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Steff Watkins wrote:
I'm guessing that the directory indexing mechanism of Apache is getting confused.
The line
ScriptAlias /pipermail "/usr/local/mailman/archives/public"
tells Apache that anything with a URI starting with /pipermail is a script, so Apache will take any call to that URI as a call for an executable.
Good catch! I missed that. It should be
Alias /pipermail "/usr/local/mailman/archives/public"
not ScriptAlias.
OK guys -- thank you everyone BUT BUT
still no success. I changed the entries in httpd.conf and restarted the server but still get the same result.
As a matter of curiosity I tried http://www.vizion2000.net/pipermail which simply gave me a page Index of /pipermail . Parent Directory
Following the link > Parent Directory took me to
So we know the Alias pipermail line in httpd.conf is being read but we still get no further. It seems there must be something wrong with the httpd.conf so I am reposting it as it now stands:
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
ScriptAlias /mailman " /usr/local/mailman/cgi-bin"
<Directory "/usr/local/mailman">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /pipermail "/usr/local/mailman/archives/public"
<Directory "/usr/local/mailman/archives/public/">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
Options Indexes MultiViews
AddDefaultCharset Off
DirectoryIndex index.html
</Directory>
-----Original Message-----
From: David Southwell [mailto:david@vizion2000.net]
Sent: 29 December 2009 16:23
To: mailman-users@python.org
Cc: Mark Sapiro; Steff Watkins
Subject: Re: [Mailman-Users] Archive access Forbidden
OK guys -- thank you everyone BUT BUT
Alias /pipermail "/usr/local/mailman/archives/public"
<Directory "/usr/local/mailman/archives/public/">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
Options Indexes MultiViews
AddDefaultCharset Off
DirectoryIndex index.html
</Directory>
Errm... suggestion... tidy up! :)
AFAIK Apache doesn't allow you to just sequentially "add" Options lines together. If I've read it correctly, the "Options Indexes MultiViews" would cancel the "Options FollowSymLinks ExecCGI" as it is a later instruction.. I could be wrong on that, been a while since I went grubbing around in Apache's mechanics.
My own setup for this looks like:
Alias /pipermail/ "/usr/local/mailman/archives/public/"
<Directory "/usr/local/mailman/archives/public">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
No Indexes, no Multiviews and definitely No ExecCGI. Something just makes me feel queasy about making a web archive of a public mailing list in a way that it might be possible to have someone include a script in the mail that may have an ever so slight chance of executing. You're not running SSIs, are you?
Really, make life as easy as possible for yourself. K.I.S.S... Kiss It Simple, Sunshine! As simple as you can possibly get away with.
One other problem with this is that we only see the "relevant" part of the httpd.conf file. I am not knocking you for that, security minded people work on the idea of least-disclosed the better. Problem is that there may be a directive in some other part of the httpd.conf file which totally banjaxes your mailman setup.
Are you in a position to run a test instance of the webserver, say on something like port 8080 with a totally plain-vanilla stock httpd.conf file? You could then inject the mailman configuration into that and see what is needed to make it work. If you then inject those changes into your standard (port 80) httpd.conf and they still fail, you would at least know that there was some directive in the original webserver setup that was playing havoc with your mailman setup.
Regards, S Watkins
Steff Watkins wrote:
From: David Southwell [mailto:david@vizion2000.net]
OK guys -- thank you everyone BUT BUT
Alias /pipermail "/usr/local/mailman/archives/public"
<Directory "/usr/local/mailman/archives/public/">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
Options Indexes MultiViews
AddDefaultCharset Off
DirectoryIndex index.html
</Directory>
Errm... suggestion... tidy up! :)
AFAIK Apache doesn't allow you to just sequentially "add" Options lines together. If I've read it correctly, the "Options Indexes MultiViews" would cancel the "Options FollowSymLinks ExecCGI" as it is a later instruction.. I could be wrong on that, been a while since I went grubbing around in Apache's mechanics.
That is correct. You can add options with a + as in
Options FollowSymLinks ExecCGI
Options +Indexes +MultiViews
but without + to add or - to take away, the options will replace any prior options.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
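Added example, not written by any poster in this thread: a small Python check that works out the effective Options for the archive directory under the rule Mark confirms above (a bare Options line replaces earlier ones, +/- edits them) and flags a ScriptAlias or ExecCGI on the archive path. It goes slightly beyond the thread by also merging enclosing <Directory> sections, shortest path first. The sample config is constructed from David's reposted blocks; the function names and finding codes are made up for illustration, and only <Directory> sections are considered (no .htaccess or <Location>).

```python
import re

# Constructed from the <Directory> blocks David reposted in this thread.
REPOSTED = """\
<Directory "/usr/local/mailman">
Options FollowSymLinks ExecCGI
</Directory>
<Directory "/usr/local/mailman/archives/public/">
Options FollowSymLinks ExecCGI
Options Indexes MultiViews
</Directory>
"""
ARCHIVE = "/usr/local/mailman/archives/public"

def directory_options(conf):
    """Yield (directory path, Options tokens) for each Options line, in file order."""
    current = None
    for line in map(str.strip, conf.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+?)/?"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.lower().startswith("options "):
            yield current, line.split()[1:]

def apply_options(opts, tokens):
    """One Options line: bare names replace the set, +/- names edit it."""
    if not all(t[0] in "+-" for t in tokens):
        return {t for t in tokens if t[0] not in "+-"}  # signed names on a mixed line are dropped
    return (opts | {t[1:] for t in tokens if t[0] == "+"}) - {t[1:] for t in tokens if t[0] == "-"}

def effective_options(conf, path):
    """Merge enclosing <Directory> sections, shortest path first (stable sort keeps line order)."""
    opts = set()
    for d, tokens in sorted(directory_options(conf), key=lambda x: len(x[0])):
        if path == d or path.startswith(d.rstrip("/") + "/"):
            opts = apply_options(opts, tokens)
    return opts

def review_archive(conf, path=ARCHIVE):
    """Return finding codes for the pipermail archive directory."""
    opts = effective_options(conf, path)
    alias = r'^\s*ScriptAlias\s+\S+\s+"?%s/?"?\s*$' % re.escape(path)
    checks = [("scriptalias-on-archive", re.search(alias, conf, re.I | re.M)),
              ("symlinks-not-followed", not opts & {"FollowSymLinks", "SymLinksIfOwnerMatch", "All"}),
              ("execcgi-on-archive", opts & {"ExecCGI", "All"})]
    return [code for code, hit in checks if hit]
```

On the reposted config, `review_archive(REPOSTED)` reports `symlinks-not-followed`, which matches the "Symbolic link not allowed" line in the error log; Steff's single `Options FollowSymLinks` block reports nothing.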