[Mailman-Users] Perl CGI and permission issues

Mark Sapiro msapiro at value.net
Mon Nov 28 20:22:05 CET 2005


Xiaoyan Ma wrote:
>
>Can someone tell us what the permissions and owners of the 
>following files need to be set to?
>
>- The CGI Script being called from the web

If your web server runs this as group 'mailman', that would probably
suffice, but see below.

>- newlist
>- config_list
>
>Right now when we try and call newlist from the CGI script, we get a permissions error.

The scripts in the bin/ directory are not SETGID. This is intentional.
You don't want anyone who happens to have shell access to your box to
be able to create and configure lists. Thus the scripts have to be run
by some user who can create and update files in the mailman hierarchy
- the lists/ directory in particular in this case. Usually, this is
root or the mailman user.

If you make newlist and config_list SETGID, that might suffice, but I
suggest you also remove the world r and x permissions. E.g.

chmod 2750 newlist

Then you still have the problem that you have to run the script as
either the owner or group of the file, but you could change the owner
to the user that the CGI script runs as.

Alternatively, you could leave the bin/ scripts alone and make the CGI
script group mailman and SETGID.

Whatever you do, you'll probably wind up with a situation where you
have to ensure that no one who isn't authorized to update mailman has
shell access to the box, unless you set the web server to run the CGI
as group mailman.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
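
A check for the layout suggested in the reply above (setgid, group mailman, no world permissions, as in chmod 2750), added here as an example that is not part of the original post or of Mailman. The function names classify_mode and audit_file are hypothetical, and audit_file assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit a Mailman bin/ script against the "setgid, group
# mailman, no world access" layout (chmod 2750) described in the post.

# classify_mode OCTAL_MODE
# Prints "ok" or a space-separated list of findings; returns 0 only for ok.
classify_mode() {
    case "$1" in
        ''|*[!0-7]*) echo "invalid"; return 2 ;;
    esac
    cm_bits=$((0$1))                # leading 0 makes the shell parse it as octal
    cm_out=""
    [ $((cm_bits & 7)) -ne 0 ]    && cm_out="$cm_out world-access"   # o+rwx
    [ $((cm_bits & 1024)) -eq 0 ] && cm_out="$cm_out no-setgid"      # 02000
    [ $((cm_bits & 2048)) -ne 0 ] && cm_out="$cm_out setuid"         # 04000
    [ $((cm_bits & 8)) -eq 0 ]    && cm_out="$cm_out group-no-exec"  # 00010
    if [ -z "$cm_out" ]; then
        echo "ok"
    else
        echo "${cm_out# }"
        return 1
    fi
}

# audit_file PATH [GROUP]
# GROUP defaults to "mailman". Uses GNU stat (-c), an assumption about the host.
audit_file() {
    af_want=${2:-mailman}
    af_info=$(stat -c '%a %G' "$1" 2>/dev/null) || {
        echo "$1: cannot stat"; return 2
    }
    af_mode=${af_info% *}
    af_group=${af_info#* }
    af_res=$(classify_mode "$af_mode") || true
    if [ "$af_group" != "$af_want" ]; then
        [ "$af_res" = "ok" ] && af_res=""
        af_res="${af_res:+$af_res }wrong-group:$af_group"
    fi
    echo "$1: mode=$af_mode group=$af_group: $af_res"
    [ "$af_res" = "ok" ]
}

# Constructed sample modes, not read from a real system.
for sample in 2750 2755 0755 6750; do
    printf '%s -> %s\n' "$sample" "$(classify_mode "$sample")"
done
```

Linux ignores the setuid and setgid bits on scripts started through a #! interpreter line, so a passing mode check confirms the file layout, not that the group change takes effect at run time.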



