[Mailman-Users] alternative to setgid
mark at msapiro.net
Tue May 5 00:44:55 CEST 2009
>I've set up a new mailman installation on a new Solaris 10 server. I am
>attempting to share out the mailman directory via NFS to another Solaris 10
>server running apache for web maintenance purposes. Theoretically, this
>should work, but I'm getting the dreaded "setuid execution not allowed"
>error on my web server when I try to go to /mailman/listinfo or
>/mailman/admin. I have determined that mailman is being NFS mounted on the
>web server with the nosuid option and I can't for the life of me figure out
>how to make it mount with the suid option set..
I don't know the answer to that, but my guess is that it will be easier
to find this answer than to work around it.
>So.. I'm wondering if there is a way around the whole setgid permission deal
>with mailman? I am not sure I really understand why it needs to be setgid
>and what would be the consequences of doing something alternative?
The CGI wrappers are SETGID because Mailman's security model is
entirely based on everything running with effective group 'mailman'
and that group having permissions.
>I were to remove the setgid bits, how would I set the permissions
>appropriately for both best security and accessibility?
You might be able to 'mount' the NFS mailman tree on the web server
with the setuid= or setgid= option on the mount command to set the
user or group of the tree to be that of the web server. That way the
web server would be able to read and write the Mailman tree, but there
probably would be issues preventing this from working.
I.e., the first thing I forsee is when the web admin interface updates
a list, there is actually a creation of a config.pck.tmp.host.pid
followed by renames of config.pck to config.pck.last and
config.pck.tmp.host.pid to config.pck. Thus, the new config.pck might
wind up with user:group of the web server rendering it unusable by the
queue runners on the "mail" machine.
Even if it worked, you would open the possibility of the web server
having access to Mailman files without going through Mailman CGIs,
thus opening security holes.
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users