[Mailman-Users] Issues with mailman
Chris Petrik
c.petrik.sosa at gmail.com
Wed Nov 16 03:34:18 CET 2011
On 11/15/2011 5:43 PM, Mark Sapiro wrote:
> Chris Petrik wrote:
>> Now when I try to go to the admin section of the webui for the mailing I
>> get the bug page. Which is easily fixed by changing the owner from
>> mailman to www.
>>
>> I tried adding mailman to group www but that doesn't seem to work.
>
> It should work. See the FAQ at <http://wiki.list.org/x/tYA9> for more
> on this, but basically, Mailman's directories are group mailman and
> SETGID so that subordinate files are created with group mailman.
> Mailman's CGI wrappers and mail wrapper are group mailman and SETGID
> so they run with effective group mailman. Mailman's qrunners run as
> user:group mailman:mailman.
>
> The whole thing is based on anything that is running in group mailman
> has write permission on all the mutable directories and their contents.
>
> If your OS does not allow user:group www:mailman to do certain
> operations on files owned by mailman:mailman even though the mailman
> group has write permission and likewise for group mailman:mailman on
> files owned by www:mailman, you will not be able to avoid these issues.
>
> Mailman is known to work on FreeBSD, so there must be something you can
> do to enable this.
>
> In a followup Chris added:
>
>> I recompiled mailman with the cgi_gid changed to mailman and the apache
>> config to be changed as AssignUserID mailman mailman and now I don't get
>> the bug page and all is well.
>
> This is not a good idea. It means the web server now runs as
> mailman:mailman and can access anything in Mailman's tree without
> necessarily going through the authentication in the CGIs. There may
> not be any URLs that can do this, but consider
> http://www.example.com/pipermail/../../lists for example.
>
>
>> I will continue to monitor the mailman
>> services to see if any more perm issues arise before I create
>> production mailing lists.
>>
>> I am not sure if this is the proper way to run mailman but it seems to
>> work, since the web panel is always open to issues and bug reports which
>> is awesome it is not that hard to explain to them the issue and have
>> them fix it. Seems rather obvious mailman creates files as user mailman
>> but editing the files in a web browser creates the files as the running
>> user of the web server IE: www if I am not mistaken using the itk patch
>> will allow the web server to create/edit files as the user set in the
>> AssignUserID directive in apache.
>
> I don't know how your web server works, but the owner = www or mailman
> shouldn't matter as everything should be based on group. Possibly, the
> issue is the web server is not honoring the SETGID bit on the CGI
> wrappers.
>
So I went downstairs to fetch me some coke and it just hit me
AssignUserID mailman www
And now the webui works
Chris
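
Added example, not part of the original thread and not Mailman's own code: a POSIX shell audit of the permission model Mark describes above (mutable directories group mailman and SETGID with group-writable contents, wrappers SETGID to group mailman). The function names and the directory arguments are assumptions; pass your own installation's paths.

```shell
#!/bin/sh
# Added example: audit the group/SETGID model described in the thread.
# Function names and the paths passed in are assumptions, not Mailman code.

# Directories under $1 that are not group $2, not SETGID, or not group-writable.
nonconforming_dirs() {
    find "$1" -type d \( ! -group "$2" -o ! -perm -2000 -o ! -perm -0020 \) -print
}

# Files under $1 that are not group $2 or that the group cannot write.
nonconforming_files() {
    find "$1" -type f \( ! -group "$2" -o ! -perm -0020 \) -print
}

# Wrapper binaries under $1 that are not group $2 or lack SETGID + group execute,
# so they would not run with the effective group the model depends on.
nonconforming_wrappers() {
    find "$1" -type f \( ! -group "$2" -o ! -perm -2010 \) -print
}

# audit_mailman_tree MUTABLE_DIR WRAPPER_DIR GROUP
# Prints every nonconforming path; returns 0 when the tree matches the model.
audit_mailman_tree() {
    bad=$(
        nonconforming_dirs "$1" "$3"
        nonconforming_files "$1" "$3"
        nonconforming_wrappers "$2" "$3"
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage (placeholder paths, substitute your installation's):
#   audit_mailman_tree /path/to/mailman/lists /path/to/mailman/cgi-bin mailman
```

A directory that has lost its SETGID bit shows up here before it causes the symptom from the thread, where files created through the web UI and by the qrunners end up with groups the other side cannot write.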