[Mailman-Users] Archive access Forbidden

Steff Watkins s.watkins at nhm.ac.uk
Tue Dec 29 18:10:59 CET 2009

> -----Original Message-----
> From: David Southwell [mailto:david at vizion2000.net] 
> Sent: 29 December 2009 16:23
> To: mailman-users at python.org
> Cc: Mark Sapiro; Steff Watkins
> Subject: Re: [Mailman-Users] Archive access Forbidden

> OK guys -- thank you everyone BUT BUT

> Alias /pipermail "/usr/local/mailman/archives/public"
> <Directory "/usr/local/mailman/archives/public/">
>  Options FollowSymLinks ExecCGI
>        AllowOverride None
>        Order allow,deny
>           Allow from all
> Options Indexes MultiViews
>   AddDefaultCharset Off
> DirectoryIndex index.html
>     </Directory>

Errm... suggestion... tidy up! :) 

AFAIK Apache doesn't allow you to just sequently "add" Options lines
together. If I've read it correctly, the "Options Indexes MultiViews"
would cancel the "Options FollowSymLinks ExecCGI" as it is a later
instruction.. I could be wrong on that, been a while since I went
grubbing around in Apache's mechanics.

My own setup for this looks like:

    Alias /pipermail/ "/usr/local/mailman/archives/public/"

    <Directory "/usr/local/mailman/archives/public">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all

No Indexes, no Multiviews and definitely No ExecCGI. Something just
makes me feels queasy about making a web archive of a public mailing
list in a way that it might be possible to have someone include a script
in the mail that may have an ever so slight chance of executing. You're
not running SSIs, are you?

Really, make life as easy as possible for yourself. K.I.S.S... Kiss It
Simple, Sunshine! As simple as you can possibly get away with.

One other problem with this is that we only see the "relevent" part of
the httpd.conf file. I am not knocking you for that, security minded
people work on the idea of least-disclosed the better. Problem is that
there may be a directive in some other part of the httpd.conf file which
totally banjaxs your mailman setup.

Are you in a position to run a test instance of the webserver, say on
something like port 8080 with a totally plain-vanilla stock httpd.conf
file? You could then inject the mailman configuration into that and see
what is needed to make it work. If you then inject those changes into
your standard (port 80) httpd.conf and they still fail, you would at
least know that there was some directive in the original webserver setup
that was playing havok with your mailman setup.

S Watkins

More information about the Mailman-Users mailing list