[Mailman-Users] config.pck, apache, permissions and Errno 13
jdennis at redhat.com
Wed Sep 14 20:51:45 CEST 2005
On Wed, 2005-09-14 at 19:46 +0200, Sam Gamgee wrote:
> yes yes yes. I know that.
> but the results are not permanent. My problem is trying to find out why.
I'm trying to tell you why :-) Below are the cgi wrappers on my system
as a reference point, adjust the path for your installation. The key
thing to note here is the wrapper (anything in the mailman/cgi-bin
directory) has two critical properties
1) it is in the group mailman
2) it is setgid (the s flag in the group execute field)
What this means is that when some entity (e.g. your web server, apache) runs
one of these cgi-bin programs, the OS will note the file is setgid and
then run the program as the group the program file belongs to (e.g.
mailman). Without the setgid sticky bit the OS will run the program as the
group belonging to the entity that invoked it (in this case apache),
which, from your description, appears to be what is happening: the group
ownerships are getting changed to apache's group.
To further expand on what is happening: when one of these cgi-bin
wrappers is called, the very first thing it does is ask the following
question: "Who called me?" If they are not in a group I trust, I refuse to
execute, because I only work at the behest of a select set of trusted groups.
For the cgi-bin wrappers that set of groups is the set of groups
belonging to your web server and what is set via --with-cgi-gid. If the
entity that invoked the wrapper is not in the set of trusted groups, you
get a group mismatch error and the wrapper exits. If the trust test
passes, the wrapper continues to execute in the group mailman (because
the wrapper's file has the setgid sticky bit set and belongs to the
group mailman). If either the setgid sticky bit is not set -or- the
wrapper's file is not group mailman, you're going to get the type of
permission problems you're seeing.
FWIW, the description applies to the mail wrapper and the MTA, just
change the names ;-)
% ls -l /usr/lib/mailman/cgi-bin/
-rwxr-sr-x 1 root mailman 18345 Mar 7 2005 admin
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 admindb
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 confirm
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 create
-rwxr-sr-x 1 root mailman 18353 Mar 7 2005 edithtml
-rwxr-sr-x 1 root mailman 18353 Mar 7 2005 listinfo
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 options
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 private
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 rmlist
-rwxr-sr-x 1 root mailman 18349 Mar 7 2005 roster
-rwxr-sr-x 1 root mailman 18353 Mar 7 2005 subscribe
John Dennis <jdennis at redhat.com>
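As an added example (not part of the original post, and not Mailman's own code): a small POSIX shell audit that checks the two properties the post calls critical for every file in a cgi-bin directory, setgid set and group ownership matching the Mailman group. It parses `ls -l` lines, so it works against the listing above as well as a live directory. The function names, and the use of `ls -ld` rather than `stat` (whose flags differ between GNU and BSD), are my choices; the path /usr/lib/mailman/cgi-bin and the group mailman are taken from the post and should be adjusted for your installation.

```shell
#!/bin/sh
# Added example: audit Mailman cgi-bin wrappers for group ownership and
# the setgid bit. Not from the original post or from Mailman itself.

# check_wrapper_line "<one line of ls -l output>" <expected_group>
# Returns 0 if the line shows a setgid file belonging to expected_group,
# 1 otherwise, with the reason printed to stderr.
check_wrapper_line() {
    line=$1
    want_group=$2
    set -- $line            # fields: mode links owner group size date... name
    mode=$1
    group=$4
    name=$9
    status=0
    # The setgid bit shows as 's' (or 'S' when group execute is off) in the
    # 7th character of the mode string, e.g. -rwxr-sr-x. A trailing '.' or
    # '+' (SELinux/ACL marker) after the mode is tolerated by the '*'.
    case $mode in
        ??????[sS]*) ;;
        *) echo "$name: setgid bit missing (mode $mode)" >&2; status=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "$name: group is $group, expected $want_group" >&2
        status=1
    fi
    return $status
}

# audit_cgi_dir <dir> <expected_group>
# Checks every regular file in <dir>; returns 1 if any file fails.
audit_cgi_dir() {
    dir=$1
    want_group=$2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_wrapper_line "$(ls -ld "$f")" "$want_group" || rc=1
    done
    return $rc
}

# Usage on a real installation (paths/group from the post; adjust as needed):
#   audit_cgi_dir /usr/lib/mailman/cgi-bin mailman && echo "wrappers OK"
```

If the audit reports a missing setgid bit, `chmod g+s` on the wrapper restores it; if it reports the wrong group, `chgrp mailman` does. Either way the fix is only permanent if whatever is rewriting the permissions (a package upgrade, a restore from backup, a recursive chown) is stopped, which is the point the post is making.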