[Mailman-Users] Everything's a bug?
virginia at texterity.com
Sat Aug 12 23:36:44 CEST 2000
On Fri, 11 Aug 2000, Jeme A Brelin wrote:
> I do have suexec enabled. I'm a bit concerned because this makes all cgi
> run as the user that owns it (rather than the webserver user). The
> INSTALL file specifically warns against running some things with the
> mailman GID. Unfortunately I need suexec. Are they incompatible?
I do not believe suEXEC and Mailman are compatible with the initial
installation of Mailman. Why? Double check the suEXEC security model,
which outlines all the checks which are made before a CGI is allowed to
There are a few pitfalls I can see being definite problems:
(1) 13.Is the directory within the Apache webspace?
If the request is for a regular portion of the server, is
the requested directory within the server's document root? If the
request is for a UserDir, is the requested directory within
the user's document root?
When you compiled suEXEC, you gave it a "--suexec-docroot"
configure option. suEXEC will only work on files within this
hierarchy or a UserDir space. Your Mailman installation would
have to be inside one of these two spaces.
(2) 14.Is the directory NOT writable by anyone else?
We don't want to open up the directory to others; only the
owner user may be able to alter this directories contents.
16.Is the target program NOT writable by anyone else?
We don't want to give anyone other than the owner the
ability to change the program.
This is fundamentally incompatible with the default Mailman
$ ls -ld /data/mailman/cgi-bin
drwxrwsr-x 2 mail mailman 4096 Aug 10 19:56 /data/mailman/cgi-bin/
(3) 17.Is the target program NOT setuid or setgid?
We do not want to execute programs that will then change our
Again, fundamentally incompatible with the default Mailman
$ ls -l /data/mailman/cgi-bin
-rwxr-sr-x 1 mail mailman 30010 May 23 22:23 admin*
-rwxr-sr-x 1 mail mailman 30259 Aug 10 19:56 admin.cgi*
-rwxr-sr-x 1 mail mailman 30014 May 23 22:23 admindb*
-rwxr-sr-x 1 mail mailman 30263 Aug 10 19:56 admindb.cgi*
You are going to have to play with a whole lot of your Mailman
installation to get this working, it seems. I would pay very close
attention to your Apache suEXEC log file (default:
Virginia J. Beauregard virginia at texterity.com
UNIX Systems and Network Administrator Texterity, Inc.
More information about the Mailman-Users