private and public archive directory permissions

Hi there,
I migrated to a new server and I am back again with permission issues. I am running apache2 on an ubuntu 14.04 server.
Is there a good tutorial out there that explains the best practices for ownership for the different directories and sub-directories?
I run check_perms -f as root and some of the same directories still need correcting even after running 'check_perms -f' as root many times.
I have a list user and a mailman user and group that I moved over from my old server. Apache2 is running as www-data.
I am using mbox, if that matters.
Here is some config:
/var/lib/mailman/archives $ ls -l
total 8.0K
drwxrws--x 110 mailman 4.0K Jul  4 22:44 private/
drwxrwsr-x   2 mailman 4.0K Jun  2  2012 public/

/etc/apache2/conf-enabled $ ls -l mailman.conf
lrwxrwxrwx 1 root 30 Jul 13 00:52 mailman.conf -> ../conf-available/mailman.conf

/etc/apache2/conf-enabled $ cat ../conf-available/mailman.conf
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/

<Directory /usr/lib/cgi-bin/mailman/>
    AllowOverride None
    Options ExecCGI
    AddHandler cgi-script .cgi
    Order allow,deny
    Allow from all
</Directory>

<Directory /var/lib/mailman/archives/public/>
    Options Indexes FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory /usr/share/images/mailman/>
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Cheers,
Noah

On 7/12/15 5:58 PM, Noah wrote:
Everything should be in Mailman's group ('mailman' or '_mailman' or maybe 'list' in your case) and all the directories and the cgi and mail compiled wrappers should be SETGID.
See the FAQ at <http://wiki.list.org/x/4030645>.
> I run check_perms -f as root and some of the same directories still need correcting even after running 'check_perms -f' as root many times.
check_perms gets confused by symlinks. It checks and complains about the group and permissions of the symlink itself which are really irrelevant. When fixing, it actually fixes the target which is what you want, but next time it will complain again because it is still looking at the symlink. Bottom line is ignore the errors it reports about symlinks.
> I have a list user and a mailman user and group that I moved over from my old server. Apache2 is running as www-data.
In your Debian/Ubuntu package, Mailman's user:group are list:list.
Is 'mailman' the owner or group? Perhaps these came from another system, but for the Ubuntu package if that's what you're using, group should be 'list'.
This looks OK.
What exactly is your problem? Is there actually something that doesn't work? If so, what?
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Hi Mark,
Thank you for supporting mailman all these years.
Here is the error:
--- snip ---
[Mon Jul 13 03:29:36.036929 2015] [authz_core:error] [pid 739] [client <ip_addr>:64962] AH01630: client denied by server configuration: /var/lib/mailman/archives/public/<list>, referer: http://<domain>/mailman/admin/<list>
--- snip ---
I think I did what was suggested in the FAQ but am still getting the above error when I attempt to go to the list's archive URL.

/var/lib/mailman/archives $ ls -ld
drwxrwsr-x 4 list list 4096 Oct  2  2002 .

/var/lib/mailman/archives $ ls -l
total 8
drwxrws--- 110 list list 4096 Jul  4 22:44 private
drwxrwsr-x   2 list list 4096 Jun  2  2012 public

/var/lib/mailman/archives $ ls -l public/<list>
lrwxrwxrwx 1 root list 43 Mar  9  2014 public/<list> -> /var/lib/mailman/archives/private/<list>

/var/lib/mailman/archives/private $ ls -ld <list>*
drwxrwsr-x 97 list     list 16384 Jul  2 10:27 <list>
drwxrwsr-x  2 www-data list  4096 Nov  5  2007 <list>.mbox

--- qrunner is running as list ---
root 3847 0.0 0.1 11748  2172 pts/1 S+ 03:36 0:00 grep qrunner
list 8075 0.0 0.5 55560 10348 ?     S  Jul12 0:12 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
list 8076 0.0 0.5 56500 11932 ?     S  Jul12 0:12 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
list 8077 0.0 0.5 55584 11116 ?     S  Jul12 0:13 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
list 8078 0.0 0.6 57212 12844 ?     S  Jul12 0:13 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
list 8079 0.0 0.3 54872  7408 ?     S  Jul12 0:12 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
list 8080 0.0 0.6 59656 13528 ?     S  Jul12 0:14 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
list 8081 0.0 0.5 56600 12132 ?     S  Jul12 0:12 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
list 8082 0.0 0.4 54848  8980 ?     S  Jul12 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
--- snip ---
Cheers,
Noah
On 7/12/15 6:54 PM, Mark Sapiro wrote:
> On 7/12/15 5:58 PM, Noah wrote:

On 7/12/15 8:43 PM, Noah wrote:
...
If this is Apache 2.4, you need
Require all granted
instead of
Order allow,deny
Allow from all
in the Directory blocks.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Hi there Mark,
Getting the following error now. Still looks like a filesystem permissions thing.
--- snip ---
[Mon Jul 13 06:46:52.951120 2015] [core:error] [pid 7324] [client <ipaddr>:50359] AH00037: Symbolic link not allowed or link target not accessible: /var/lib/mailman/archives/public/<maillist_name>, referer: http://<hostname>/mailman/admin/<maillist_name>
--- snip ---
/etc/apache2 $ cat sites-enabled/<hostname>.conf
<VirtualHost *:80>
    ServerAdmin webmaster@<domain.com>
    ServerName <hostname>
    ServerAlias www.<hostname> w.<hostname>
    ServerAlias ww.<hostname> wwww.<hostname>

    DocumentRoot /var/www
    Redirect permanent /index.html http://<hostname>/mailman/listinfo/

    <Directory /var/lib/mailman/archives/>
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    Alias /pipermail/ /var/lib/mailman/archives/public/
    Alias /images/mailman/ /usr/share/images/mailman/
    ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
    RewriteRule .* - [F]

    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

/etc/apache2 $ cat conf-enabled/mailman.conf
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/

<Directory /usr/lib/cgi-bin/mailman/>
    AllowOverride None
    Options ExecCGI
    AddHandler cgi-script .cgi
    Require all granted
</Directory>

<Directory /var/lib/mailman/archives/public/>
    Options Indexes FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /usr/share/images/mailman/>
    AllowOverride None
    Require all granted
</Directory>
Cheers,
Noah
On 7/12/15 9:04 PM, Mark Sapiro wrote:

Hi there,
Okay, I needed to have www-data own the private directory. Thanks for all your assistance.
--- snip ---
/var/lib/mailman/archives/private $ chown www-data .
/var/lib/mailman/archives/private $ ls -ld
drwxrws--- 110 www-data list 4096 Jul  4 22:44 .
Cheers,
Noah
On 7/12/15 11:53 PM, Noah wrote:

On 7/13/15 12:28 AM, Noah wrote:
> Okay, I needed to have www-data own the private directory. Thanks for all your assistance.
In a prior post at <https://mail.python.org/pipermail/mailman-users/2015-July/079443.html> you posted
Did you subsequently remove o+x from /var/lib/mailman/archives/private? The private directory should need to be owned by the web server only if it is not world searchable.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
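An added illustration of the point Mark raises about o+x (example code, not from the thread or from Mailman): it models the listings Noah posted and asks, for each path component Apache must traverse to reach the symlink target, whether a given user has search (x) permission. Entries the thread does not show (/, /var, /var/lib, /var/lib/mailman) are assumed, and user and group names stand in for numeric ids.

```python
from typing import Dict, NamedTuple, Optional, Set


class Entry(NamedTuple):
    uid: str
    gid: str
    mode: int          # permission bits only (setgid included)
    target: str = ""   # non-empty means this entry is a symlink


# Constructed model of the ls output in the thread. The first four entries
# are assumptions; the thread never lists them.
FS: Dict[str, Entry] = {
    "/": Entry("root", "root", 0o755),
    "/var": Entry("root", "root", 0o755),
    "/var/lib": Entry("root", "root", 0o755),
    "/var/lib/mailman": Entry("root", "list", 0o2775),
    "/var/lib/mailman/archives": Entry("list", "list", 0o2775),
    "/var/lib/mailman/archives/private": Entry("list", "list", 0o2770),
    "/var/lib/mailman/archives/public": Entry("list", "list", 0o2775),
    "/var/lib/mailman/archives/public/<list>": Entry(
        "root", "list", 0o777, target="/var/lib/mailman/archives/private/<list>"),
    "/var/lib/mailman/archives/private/<list>": Entry("list", "list", 0o2775),
}
PUBLIC_LINK = "/var/lib/mailman/archives/public/<list>"
PRIVATE = "/var/lib/mailman/archives/private"


def has_search(e: Entry, uid: str, groups: Set[str]) -> bool:
    """Unix rule: the owner class applies if uid matches, else group, else other."""
    if uid == e.uid:
        return bool(e.mode & 0o100)
    if e.gid in groups:
        return bool(e.mode & 0o010)
    return bool(e.mode & 0o001)


def first_blocked_dir(fs: Dict[str, Entry], path: str, uid: str,
                      groups: Set[str]) -> Optional[str]:
    """Follow a final symlink, then return the first directory on the way to
    (and including) the target that uid cannot search, or None if all pass."""
    if fs[path].target:
        path = fs[path].target
    parts = path.strip("/").split("/")
    for i in range(len(parts) + 1):
        d = "/" + "/".join(parts[:i])
        if not has_search(fs[d], uid, groups):
            return d
    return None


def with_fix(fs: Dict[str, Entry], path: str, uid: Optional[str] = None,
             add_mode: int = 0) -> Dict[str, Entry]:
    """Copy the model with a chown and/or chmod applied to one entry."""
    e = fs[path]
    new = dict(fs)
    new[path] = e._replace(uid=uid or e.uid, mode=e.mode | add_mode)
    return new
```

Run against the model, www-data (not in group list) is stopped at the private directory; both chown www-data and chmod o+x clear the path, which is why Mark asks which of the two is actually in place.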

Yes I did, Mark - thanks.
$ ls -l /var/lib/mailman/archives
total 8
drwxrws--- 110 www-data list 4096 Jul  4 22:44 private
drwxrwsr-x   2 root     list 4096 Jun  2  2012 public
On 7/13/15 7:09 AM, Mark Sapiro wrote: