[Mailman-Users] Everything's a bug?

Virginia Beauregard virginia at texterity.com
Sat Aug 12 23:36:44 CEST 2000


On Fri, 11 Aug 2000, Jeme A Brelin wrote:

> I do have suexec enabled.  I'm a bit concerned because this makes all cgi
> run as the user that owns it (rather than the webserver user).  The
> INSTALL file specifically warns against running some things with the
> mailman GID.  Unfortunately I need suexec.  Are they incompatible?

I do not believe suEXEC and Mailman are compatible with the initial
installation of Mailman. Why?  Double-check the suEXEC security model,
which outlines all the checks which are made before a CGI is allowed to
run under suEXEC:

http://www.apache.org/docs/suexec.html

There are a few pitfalls I can see being definite problems:

(1) 13. Is the directory within the Apache webspace?
    If the request is for a regular portion of the server, is
    the requested directory within the server's document root? If the
    request is for a UserDir, is the requested directory within
    the user's document root?

    When you compiled suEXEC, you gave it a "--suexec-docroot"
    configure option.  suEXEC will only work on files within this
    hierarchy or a UserDir space.  Your Mailman installation would
    have to be inside one of these two spaces.

(2) 14. Is the directory NOT writable by anyone else?
    We don't want to open up the directory to others; only the
    owner user may be able to alter this directory's contents.
    16. Is the target program NOT writable by anyone else?
    We don't want to give anyone other than the owner the
    ability to change the program.

    This is fundamentally incompatible with the default Mailman
    installation:
    $ ls -ld /data/mailman/cgi-bin
    drwxrwsr-x   2 mail     mailman      4096 Aug 10 19:56 /data/mailman/cgi-bin/

(3) 17. Is the target program NOT setuid or setgid?
    We do not want to execute programs that will then change our
    UID/GID again.

    Again, fundamentally incompatible with the default Mailman
    installation:
    $ ls -l /data/mailman/cgi-bin
    total 640
    -rwxr-sr-x   1 mail     mailman     30010 May 23 22:23 admin*
    -rwxr-sr-x   1 mail     mailman     30259 Aug 10 19:56 admin.cgi*
    -rwxr-sr-x   1 mail     mailman     30014 May 23 22:23 admindb*
    -rwxr-sr-x   1 mail     mailman     30263 Aug 10 19:56 admindb.cgi*
    [snip]

You are going to have to play with a whole lot of your Mailman
installation to get this working, it seems.  I would pay very close
attention to your Apache suEXEC log file (default:
{ServerROOT}/logs/suexec-log).

--
Virginia J. Beauregard                            virginia at texterity.com
UNIX Systems and Network Administrator                   Texterity, Inc.
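The four suEXEC checks quoted in the message (13, 14, 16 and 17) can be applied to any CGI program before Apache ever refuses it, which makes the mismatch with Mailman's setgid wrappers visible up front. The script below is an added example, not code from the original post, from Apache or from the Mailman project; it uses only POSIX ls/cut/dirname so it runs on any Unix, and the docroot and program paths you pass in (the /data/mailman layout from the post is used in the usage comment) are assumptions about your own installation. It returns the number of failed checks, so a zero exit means suEXEC's permission checks would pass.

```shell
#!/bin/sh
# Added example (not from the original post or the Mailman project): audit a
# CGI program against suEXEC checks 13, 14, 16 and 17 as quoted in the message.
# All paths are assumptions for your own installation.

# mode_of PATH: the ten-character mode string from ls -ld, e.g. "drwxrwsr-x"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others MODE: true (0) if the group or world write bit is set.
# Mailman's default cgi-bin (drwxrwsr-x) is group-writable, so check 14 fails.
writable_by_others() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# is_setid MODE: true (0) if the setuid or setgid bit is set (s or S in the
# owner or group execute slot). Mailman's wrappers (-rwxr-sr-x) are setgid,
# so check 17 fails.
is_setid() {
    case "$1" in
        ???[sS]??????|??????[sS]???) return 0 ;;
        *) return 1 ;;
    esac
}

# inside_docroot DOCROOT DIR: true (0) if DIR is DOCROOT or lies beneath it
# (check 13 for the non-UserDir case; a trailing slash on DOCROOT is tolerated).
inside_docroot() {
    root=${1%/}
    case "$2/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# suexec_audit DOCROOT PROGRAM: print one FAIL line per violated check and
# return the number of failures (0 means all four checks pass).
suexec_audit() {
    docroot=$1
    prog=$2
    dir=$(dirname "$prog")
    failures=0

    if ! inside_docroot "$docroot" "$dir"; then
        echo "FAIL 13: $dir is outside docroot $docroot"
        failures=$((failures + 1))
    fi
    dmode=$(mode_of "$dir")
    if writable_by_others "$dmode"; then
        echo "FAIL 14: $dir ($dmode) is writable by group or others"
        failures=$((failures + 1))
    fi
    pmode=$(mode_of "$prog")
    if writable_by_others "$pmode"; then
        echo "FAIL 16: $prog ($pmode) is writable by group or others"
        failures=$((failures + 1))
    fi
    if is_setid "$pmode"; then
        echo "FAIL 17: $prog ($pmode) is setuid or setgid"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage, with the (assumed) layout from the post:
#   suexec_audit /data/mailman /data/mailman/cgi-bin/admin.cgi
```

Run it against each wrapper in the cgi-bin directory; on a stock Mailman install it reports checks 14 and 17 for every wrapper, which is exactly what the suexec-log will complain about once requests arrive. The mode-string parsing deliberately mirrors the `ls -l` output quoted above rather than relying on GNU-only `find -perm /` or `stat -c` flags.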
