command listinfo not in docroot (10005)
After installing mailman (with yum), I get an error when attempting to access the listinfo page:
"Internal Server Error"
Inspecting the logs in httpd, I see this in suexec-log:
command listinfo not in docroot (10005)
I do NOT have the option of disabling suexec.
After considerable time spent looking into this, it seems that I need to have mailman installed under "DocumentRoot", which on my host appears to be /var/www/html
Further reading indicates that I cannot use the "installroot" option on yum to change the installation root directory, UNLESS I've created my own custom RPM. That rules that out.
So now, I'm resorting to 100% manual installation...
My questions are:
Am I taking the right approach in solving this problem? That is, by installing under docroot, will it address the Apache suexec problem we're seeing?
If docroot is /var/www/html, do I create the mailman directory *directly* beneath the /var/www.html folder? i.e. - /var/www.html/mailman (that just doesn't seem right...?)
Is there some other way to solve this problem? (Very difficult package to get installed and running, unless you're a huge linux/mailman guru, I guess...)
Thanks,
- da
More info on this:
I added a symlink under "DocumentRoot" (which is specified as /var/www/html on my system), so the link is "/var/www/html/mailman-cgi-bin", and added a ScriptAlias in httpd.conf to point there:
ScriptAlias /mailman/ "/var/www/html/mailman-cgi-bin/"
After adding the alias, I restarted apache: "apachectl restart"
Still no luck.
When I attempt to access the ~/mailman/listinfo page, I still get the "InternalAccessError" and this line in suexec_log:
"command listinfo not in docroot (10005)"
What could I be doing wrong here?
PS: The symlink does indeed point to the correct mailman cgi folder:
/usr/lib/mailman/cgi-bin
/var/www.html/mailman-cgi-bin
Both of these folders have:
admin admindb confim create edithtml listinfo options private rmlist roster subscribe
On Sat, Nov 28, 2015 at 12:43 PM, Laura Creighton lac@openend.se wrote:
> selinux
Running "getenforce" returns "Disabled"
In a message of Sat, 28 Nov 2015 12:48:52 -0500, Dave Arndt writes:
> On Sat, Nov 28, 2015 at 12:43 PM, Laura Creighton lac@openend.se wrote:
>> selinux
That eliminates a lot of hell. Good. I wish I could be of more help, but that much I do know.
Laura
On 11/28/2015 08:30 AM, Dave Arndt wrote:
> My questions are:
> - Am I taking the right approach in solving this problem? That is, by installing under docroot, will it address the Apache suexec problem we're seeing?
Maybe. See http://wiki.list.org/DOC/Apache%2BSuexec
> - If docroot is /var/www/html, do i create the mailman directory *directly* beneath the /var/www.html folder? i.e. - /var/www.html/mailman (that just doesn't seem right...?)
The above FAQ seems to indicate that /var/www/html/mailman is correct.
Also, have you looked at all 20 steps under "suEXEC Security Model" at http://httpd.apache.org/docs/2.4/suexec.html?
--
Mark Sapiro mark@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Mark Sapiro writes:
> On 11/28/2015 08:30 AM, Dave Arndt wrote:
>> My questions are:
>> - Am I taking the right approach in solving this problem? That is, by installing under docroot, will it address the Apache suexec problem we're seeing?
Which docroot? suEXEC has its own docroot configured, which may be different from Apache's (or maybe not, the docs are unclear on this).
> Maybe. See http://wiki.list.org/DOC/Apache%2BSuexec
>> - If docroot is /var/www/html, do i create the mailman directory *directly* beneath the /var/www.html folder? i.e. - /var/www.html/mailman (that just doesn't seem right...?)
As you say, that just doesn't feel right; usual security models say keep your executables out of the document tree. Whoever configured your suEXEC may have felt the same way. Also, according to the docs referenced below, --suexec-docroot defaults to $(DATADIR)/htdocs. I suspect your $(DATADIR) is indeed /var/www, and you evidently have the "root" for Apache itself set to /var/www/html, but if that value was defaulted for suEXEC, suEXEC may think --suexec-docroot=/var/www/htdocs.
You may also be running into one of the other restrictions, such as uidmin or gidmin. Eg, on my Debian system Mailman's uid = gid = 38, but in suEXEC's default, uidmin = gidmin = 100, so I'd lose. (In that case suEXEC's error log is confusing, but that kind of thing happens.)
> Also, have you looked at all 20 steps under "suEXEC Security Model" at http://httpd.apache.org/docs/2.4/suexec.html?
You're right, suEXEC is very difficult software to work with. You can't blame that on Mailman, though, and if you got suEXEC from your distro, you should file a bug with them (probably on the Mailman package). If it's locally built by your Information Thuggery department, they should get the "glory".
BTW, I disagree with Mark's wording on "different security models". I would say that the two security models are the same, except for who keeps the keys to the bus. Apache expects that suEXEC will be driving, while Mailman is designed as the designated driver. (Cue "Three Stooges" schtick with Larry, Curly, and Moe all trying to get into the driver's seat simultaneously.)
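Added example, not part of the thread: a shell sketch of the suEXEC restrictions discussed above (uidmin, gidmin, docroot), evaluated against settings in the format printed by `suexec -V`. The function names, sandbox paths and sample values are assumptions; the docroot test is a simplified model that resolves symlinks before comparing, which is why a symlink placed under the docroot still fails.

```shell
#!/bin/sh
# On a real host, capture the compiled-in settings as root: suexec -V 2>&1

# Constructed `suexec -V`-style text (values illustrative, not from the thread).
sample_cfg() {
    printf ' -D AP_DOC_ROOT="%s"\n -D AP_GID_MIN=100\n -D AP_UID_MIN=100\n' "$1"
}

# Print the value of one compile-time setting from `suexec -V` text on stdin.
suexec_setting() {
    sed -n "s/^ *-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# Physical directory with symlinks resolved, as getcwd() would report it.
physical_dir() {
    (cd -P "$1" 2>/dev/null && pwd -P)
}

# check_cgi SETTINGS CGI_DIR UID GID: print "ok" or the first failing check.
check_cgi() {
    docroot=$(printf '%s\n' "$1" | suexec_setting AP_DOC_ROOT)
    uidmin=$(printf '%s\n' "$1" | suexec_setting AP_UID_MIN)
    gidmin=$(printf '%s\n' "$1" | suexec_setting AP_GID_MIN)
    [ "$3" -ge "$uidmin" ] || { echo "uid below AP_UID_MIN"; return 1; }
    [ "$4" -ge "$gidmin" ] || { echo "gid below AP_GID_MIN"; return 1; }
    real=$(physical_dir "$2") || { echo "cannot resolve directory"; return 1; }
    root=$(physical_dir "$docroot") || { echo "cannot resolve docroot"; return 1; }
    case "$real/" in
        "$root"/*) echo "ok" ;;
        *) echo "not in docroot"; return 1 ;;
    esac
}

# Demo in a throwaway sandbox: symlink under the docroot vs. a real directory.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/www/htdocs/mailman" "$t/lib/mailman/cgi-bin"
    ln -s "$t/lib/mailman/cgi-bin" "$t/www/htdocs/mailman-cgi-bin"
    cfg=$(sample_cfg "$t/www/htdocs")
    echo "symlinked dir: $(check_cgi "$cfg" "$t/www/htdocs/mailman-cgi-bin" 500 500)"
    echo "real dir:      $(check_cgi "$cfg" "$t/www/htdocs/mailman" 500 500)"
    echo "uid/gid 38:    $(check_cgi "$cfg" "$t/www/htdocs/mailman" 38 38)"
    rm -rf "$t"
}
demo
```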
participants (4): Dave Arndt, Laura Creighton, Mark Sapiro, Stephen J. Turnbull