cgi wrappers not properly executing
Hi. I am using mailman 2.1.23 on a gentoo system. I run into the following problem:
When I try to do anything on the web, I get permission denied error on /var/lib/mailman/logs/error . If I then make that file world read/write, I get permission denied error on config.pck of the list I am trying to access.
Now, everything under /var/lib/mailman is owned by mailman.mailman and the cgi wrappers are all like the following: -rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45 /usr/lib/mailman/cgi-bin/admin
Check_perms says no problems.
I am using apache 2.4.23 and here is what loads with mailman:

ScriptAlias /mailman/ "/usr/lib/mailman/cgi-bin/"
Alias /pipermail/ "/var/lib/mailman/archives/public/"
</VirtualHost>
Any assistance will be greatly appreciated.
-- Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici
covici@ccs.covici.com
On 12/15/2016 10:48 PM, John Covici wrote:
> When I try to do anything on the web, I get permission denied error on /var/lib/mailman/logs/error . If I then make that file world read/write, I get permission denied error on config.pck of the list I am trying to access.
> Now, everything under /var/lib/mailman is owned by mailman.mailman and the cgi wrappers are all like the following: -rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45 /usr/lib/mailman/cgi-bin/admin
Probably the file system containing /usr/lib/mailman/cgi-bin/ is mounted with the 'nosuid' option so the SETGID bit on the wrapper is not effective.
You could work around this by changing the ownership of everything to webuser:mailman where webuser is the user the web server runs the CGIs as, but better to mount the filesystem suid.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On Fri, 16 Dec 2016 11:10:00 -0500, Mark Sapiro wrote:
> On 12/15/2016 10:48 PM, John Covici wrote:
>> When I try to do anything on the web, I get permission denied error on /var/lib/mailman/logs/error . If I then make that file world read/write, I get permission denied error on config.pck of the list I am trying to access.
>> Now, everything under /var/lib/mailman is owned by mailman.mailman and the cgi wrappers are all like the following: -rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45 /usr/lib/mailman/cgi-bin/admin
> Probably the file system containing /usr/lib/mailman/cgi-bin/ is mounted with the 'nosuid' option so the SETGID bit on the wrapper is not effective.
> You could work around this by changing the ownership of everything to webuser:mailman where webuser is the user the web server runs the CGIs as, but better to mount the filesystem suid.
hmmm, the file system is mounted normally like this: rpool/usr on /usr type zfs (rw,relatime,xattr,noacl) and I verified that it's capable of setting the bit according to its properties.
-- Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici
covici@ccs.covici.com
On 12/16/2016 09:20 AM, John Covici wrote:
> hmmm, the file system is mounted normally like this: rpool/usr on /usr type zfs (rw,relatime,xattr,noacl) and I verified that it's capable of setting the bit according to its properties.
Then the CGIs are running as effective group mailman which should have permission.
Is this a SELinux or other security manager issue? See https://wiki.list.org/x/17891944
Is anything written to mailman's error log after you made it world writable?
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
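The two replies above turn on one question: does the SETGID bit on the wrapper actually take effect, which depends on the mount not carrying 'nosuid' and on the bit being set at all, in which case the CGI runs with effective group mailman. The following POSIX sh diagnostic is an added example, not code from the thread or from Mailman: it takes a /proc/mounts-style table and an `ls -l` line, finds the mount that holds the wrapper, and reports the group the CGI will run as. The mount table, the `ls -l` lines and the `apache` group name are constructed sample data; the mount point names and the wrapper path mirror the thread but the option sets are invented.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide whether a SETGID CGI wrapper
# can actually switch to its file group, or whether the mount's nosuid option
# (or a missing setgid bit) leaves it running as the web server's own group.

# Constructed /proc/mounts-style sample; /tmp is deliberately nosuid.
SAMPLE_MOUNTS='rpool/usr /usr zfs rw,relatime,xattr,noacl 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
rpool/root / zfs rw,relatime,xattr,posixacl 0 0'

# Constructed ls -l lines: the wrapper mode quoted in the thread, on two paths.
SAMPLE_LS_USR='-rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45 /usr/lib/mailman/cgi-bin/admin'
SAMPLE_LS_TMP='-rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45 /tmp/cgi-bin/admin'

# mount_opts_for PATH TABLE: print the options of the longest mount point
# that is a prefix of PATH in TABLE (/proc/mounts format: dev mnt fstype opts).
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            m = $2
            # "/" matches everything; other mounts need a "/"-terminated prefix
            if (m == "/" || p == m || index(p, m "/") == 1) {
                if (length(m) > best_len) { best_len = length(m); best = $4 }
            }
        }
        END { print best }'
}

# is_nosuid PATH TABLE: exit 0 if the mount holding PATH carries nosuid.
is_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# expected_egid LS_LINE TABLE WEBGROUP: print the group the CGI will run as.
# The setgid flag is the 7th character of the mode string ("s" = set and
# group-executable, "S" = set but not executable, anything else = not set).
expected_egid() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    file=$(printf '%s\n' "$1" | awk '{print $NF}')
    case "$(printf '%s' "$mode" | cut -c7)" in
        s) if is_nosuid "$file" "$2"; then echo "$3"; else echo "$group"; fi ;;
        *) echo "$3" ;;
    esac
}

# Stand-alone demo over the constructed data.
for line in "$SAMPLE_LS_USR" "$SAMPLE_LS_TMP"; do
    f=$(printf '%s\n' "$line" | awk '{print $NF}')
    printf '%s -> effective group %s\n' "$f" "$(expected_egid "$line" "$SAMPLE_MOUNTS" apache)"
done
```

On a live host, pass `"$(cat /proc/mounts)"` as the table and `"$(ls -l /usr/lib/mailman/cgi-bin/admin)"` as the line, with the group Apache runs as in place of `apache`. A result of the web server's group means either the bit is missing or the mount is nosuid; a result of `mailman` with errors still occurring points past the filesystem, toward a security manager such as SELinux as the second reply suggests.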
On Fri, 16 Dec 2016 13:04:50 -0500, Mark Sapiro wrote:
> On 12/16/2016 09:20 AM, John Covici wrote:
>> hmmm, the file system is mounted normally like this: rpool/usr on /usr type zfs (rw,relatime,xattr,noacl) and I verified that it's capable of setting the bit according to its properties.
> Then the CGIs are running as effective group mailman which should have permission.
> Is this a SELinux or other security manager issue? See https://wiki.list.org/x/17891944
> Is anything written to mailman's error log after you made it world writable?
When I did that, I got permission errors on the config.pck of the list since I was doing http://lists.ccs.covici.com/mailman/admin/<list> so the only way I was able to proceed was to either make the whole tree rw, or make it owned by apache, but I was hoping for a better solution. I wonder if there is some apache config I have wrong which is making the CGIs not execute properly?
-- Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici
covici@ccs.covici.com
On 12/16/2016 11:17 AM, John Covici wrote:
> On Fri, 16 Dec 2016 13:04:50 -0500, Mark Sapiro wrote:
>> Is anything written to mailman's error log after you made it world writable?
> When I did that, I got permission errors on the config.pck of the list since I was doing http://lists.ccs.covici.com/mailman/admin/<list>
I understand that you said that. I am curious if anything was written to Mailman's error log and if so, what?
> so the only way I was able to proceed was to either make the whole tree rw, or make it owned by apache, but I was hoping for a better solution. I wonder if there is some apache config I have wrong which is making the CGIs not execute properly?
Making the whole tree owned by apache is a workaround, and I understand you want it to work as it should, so let's keep trying.
Do you have any security manager such as SELinux enabled? If so, try disabling it and see if that helps.
There is also a mail wrapper, probably /usr/lib/mailman/mail/mailman. It is also group mailman and SETGID and is used by the MTA's aliases to pipe mail to Mailman. It's tricky because depending on your MTA and how it executes a pipe for local delivery, it may already be running the pipe as group mailman, but if not, the SETGID functionality is required for it to work.
So the first question is how is the MTA delivering to Mailman? E.g. if it is Postfix and Mailman's aliases are in an alias.db file owned by mailman, the SETGID isn't needed and successful mail delivery doesn't prove it works for this, but otherwise successful mail delivery may prove SETGID works for this file and the question becomes what is different about Apache and the CGIs.
As far as Apache is concerned, all I'm aware of is suEXEC. If you have suEXEC enabled, see https://httpd.apache.org/docs/current/suexec.html, but as far as I know, suEXEC won't interfere with SETGID on the mailman CGI wrappers; a suEXEC problem will just prevent the CGI wrapper from being run at all.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan