Hello list,

I have set up a mailman environment to be able to manage multiple domains. For each domain there's a separate mailman instance running. I'm compiling mailman with the following parameters:

DOMAIN=$1
MAILMANROOT="/usr/local/mailman/${DOMAIN}"
USERNAME="mailman-${DOMAIN}"
./configure --prefix=${MAILMANROOT} --with-var-prefix=${MAILMANROOT} --with-mailhost=${DOMAIN} --with-urlhost=lists.${DOMAIN} --with-username="${USERNAME}" --with-groupname="${USERNAME}" --with-mail-gid=${USERNAME}

There are some scripts around each mailman instance which are generated to fit each separate instance, i.e. the init script /etc/init.d/mailman-${DOMAIN}.

${MAILMANROOT} is owned by mailman-${DOMAIN}:nobody and user and group writable. The webserver (httpd.itk) is running with user mailman-${DOMAIN} and group nobody, so this should fit.

When I try to create a new mailinglist I hit the page which says: "Bug in Mailman version 2.1.14". When I have a look at the error log of this mailman instance I can see this error:

Sep 30 12:10:36 2012 (8424) command failed: /usr/sbin/postalias /usr/local/mailman/zaubert.net/data/aliases (status: 1, Operation not permitted)
Sep 30 12:10:36 2012 admin(8424): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(8424): [----- Mailman Version: 2.1.14 -----]
admin(8424): [----- Traceback ------]
admin(8424): Traceback (most recent call last):
admin(8424):   File "/usr/local/mailman/zaubert.net/scripts/driver", line 112, in run_main
admin(8424):     main()
admin(8424):   File "/usr/local/mailman/zaubert.net/Mailman/Cgi/create.py", line 56, in main
admin(8424):     process_request(doc, cgidata)
admin(8424):   File "/usr/local/mailman/zaubert.net/Mailman/Cgi/create.py", line 239, in process_request
admin(8424):     sys.modules[modname].create(mlist, cgi=1)
admin(8424):   File "/usr/local/mailman/zaubert.net/Mailman/MTA/Postfix.py", line 238, in create
admin(8424):     _update_maps()
admin(8424):   File "/usr/local/mailman/zaubert.net/Mailman/MTA/Postfix.py", line 53, in _update_maps
admin(8424):     raise RuntimeError, msg % (acmd, status, errstr)
admin(8424): RuntimeError: command failed: /usr/sbin/postalias /usr/local/mailman/zaubert.net/data/aliases (status: 1, Operation not permitted)
admin(8424): [----- Python Information -----]
admin(8424): sys.version = 2.6.6 (r266:84292, Sep 11 2012, 08:34:23) [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)]
admin(8424): sys.executable = /usr/bin/python
admin(8424): sys.prefix = /usr
admin(8424): sys.exec_prefix = /usr
admin(8424): sys.path = ['/usr/local/mailman/zaubert.net/pythonlib', '/usr/local/mailman/zaubert.net', '/usr/local/mailman/zaubert.net/scripts', '/usr/local/mailman/zaubert.net', '/usr/lib64/python26.zip', '/usr/lib64/python2.6/', '/usr/lib64/python2.6/plat-linux2', '/usr/lib64/python2.6/lib-tk', '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload', '/usr/lib/python2.6/site-packages']
admin(8424): sys.platform = linux2

Can you tell me with which user this command gets executed? I had a look at the aliases file:

-rw-rw----. 1 mailman-zaubert.net nobody  2159 30. Sep 13:33 aliases
-rw-r-----. 1 mailman-zaubert.net nobody 49152 30. Sep 13:33 aliases.db

I looked at the audit.log, because SELinux is enabled, but it's empty. When I try to execute the command on the command line this works perfectly without errors:

su mailman-zaubert.net -c "/usr/sbin/postalias /usr/local/mailman/zaubert.net/data/aliases" --shell=/bin/bash

It would be great to get any help on that.

cheers
Andi
Andreas Nitsche wrote:
Can you tell me with which user this command gets executed? I had a look at the aliases file:
-rw-rw----. 1 mailman-zaubert.net nobody  2159 30. Sep 13:33 aliases
-rw-r-----. 1 mailman-zaubert.net nobody 49152 30. Sep 13:33 aliases.db
These ownerships and permissions are wrong. Both files should have group = Mailman's group for this instance (mailman-zaubert.net?), not group nobody, and aliases.db should be group writable.
The owner of aliases.db must also be Mailman's group for this instance as it appears to be. The owner of aliases is immaterial. Usually it is the user who last created a list with newlist or the web server user.
I don't know how these files got the ownership and permissions they have, but I think this is the issue.
To answer your specific question, the web create process runs with user = the web server user and group = Mailman's group for that instance.
I looked at the audit.log, because SELinux is enabled, but it's empty.
Once you fix the above, you may run into SELinux issues, but the above needs to be fixed first.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Hello Mark,
thanks for your answer. I didn't see any SELinux issues, therefore I didn't think it would be a SELinux issue. But since I turned off SELinux everything works fine with exactly these permissions. The thing is: while I have a setup for several domains and each of them has their own mailman instance I need to separate the users. So the user for the domain zaubert.net is called mailman-zaubert.net. I compiled mailman with these settings. Even the webserver is running with this user.
greetings
Andi
On 01.10.12 22:00, Mark Sapiro wrote:
Andreas Nitsche wrote:
Can you tell me with which user this command gets executed? I had a look at the aliases file:
-rw-rw----. 1 mailman-zaubert.net nobody  2159 30. Sep 13:33 aliases
-rw-r-----. 1 mailman-zaubert.net nobody 49152 30. Sep 13:33 aliases.db
These ownerships and permissions are wrong. Both files should have group = Mailman's group for this instance (mailman-zaubert.net?), not group nobody, and aliases.db should be group writable.
The owner of aliases.db must also be Mailman's group for this instance as it appears to be. The owner of aliases is immaterial. Usually it is the user who last created a list with newlist or the web server user.
I don't know how these files got the ownership and permissions they have, but I think this is the issue.
To answer your specific question, the web create process runs with user = the web server user and group = Mailman's group for that instance.
I looked at the audit.log, because SELinux is enabled, but it's empty.
Once you fix the above, you may run into SELinux issues, but the above needs to be fixed first.
On 10/2/2012 12:07 AM, Andreas Nitsche wrote:
Hello Mark,
But since I turned off SELinux everything works fine with exactly these permissions. The thing is: while I have a setup for several domains and each of them has their own mailman instance I need to separate the users. So the user for the domain zaubert.net is called mailman-zaubert.net. I compiled mailman with these settings. Even the webserver is running with this user.
It only works with the permissions you have because this instance of the web server is running as the Mailman user. It really should be controlled by group. See <http://wiki.list.org/x/tYA9>.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
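As an added example (not code from this thread, and not Mailman's own), here is a small POSIX shell check for the ownership and mode Mark describes in his two replies: both data/aliases and data/aliases.db carry the instance's Mailman group, and aliases.db is group writable, so that access is controlled by group rather than by running the web server as the Mailman user. It assumes GNU stat (%G and %a) and takes the data directory and the expected group name as arguments; check_alias_perms and its helpers are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Mailman: verify that a
# Mailman instance's data/aliases and data/aliases.db have the group
# ownership and group-write bit the reply above calls for.
# Assumes GNU stat; the directory and group name come from the caller.

# Group name of a file.
file_group() { stat -c '%G' "$1"; }

# Group permission digit of a file: the second-to-last octal digit of the
# mode, so "660" -> 6 and "2660" (setgid) -> 6.
group_digit() {
    m=$(stat -c '%a' "$1")
    m=${m%?}                        # drop the "other" digit
    printf '%s\n' "${m#"${m%?}"}"   # keep only the last remaining digit
}

# Return 0 when the group digit includes the write bit (2).
group_writable() {
    case $(group_digit "$1") in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_alias_perms DATADIR GROUP
# Prints every deviation found; returns 1 if any, 0 when everything is clean.
check_alias_perms() {
    datadir=$1; want=$2; rc=0
    for name in aliases aliases.db; do
        f="$datadir/$name"
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        have=$(file_group "$f")
        if [ "$have" != "$want" ]; then
            echo "GROUP    $f is group $have, want $want"; rc=1
        fi
    done
    # Only aliases.db has to be group writable: postalias rewrites it when a
    # list is created, running with the Mailman group but not the Mailman user.
    if [ -e "$datadir/aliases.db" ] && ! group_writable "$datadir/aliases.db"; then
        echo "MODE     $datadir/aliases.db is not group writable"; rc=1
    fi
    return $rc
}
```

Run as `check_alias_perms /usr/local/mailman/zaubert.net/data mailman-zaubert.net`; on the listing posted in the thread it reports the nobody group on both files and the missing group-write bit on aliases.db. Mailman 2.1 ships bin/check_perms, which audits the whole installation tree (and repairs it with -f); this is only the narrow check for the two files at issue here.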