[Mailman-Users] Re: suEXEC & Mailman

Kyrian kyrian at ore.org
Thu May 10 11:22:51 CEST 2001


Tauren,
CC: list.

Yes. I did solve this problem in the end...

Because I was using suexec to run mailman's CGI's, and not running the
entire webserver as the required UID/GID, they were failing with (500?)
Server Errors, and not putting anything into the standard httpd error
log files.

The problem was that I didn't stop to think about suexec, and when I
looked in its log files (either /var/log/httpd/cgi.log or
/var/log/httpd/suexec_log), I saw the likes of the following:

[2001-04-19 22:45:50]: crit: calling user mismatch (httpd instead of nobody)
[2001-04-19 22:45:51]: crit: calling user mismatch (httpd instead of nobody)
[2001-04-19 22:47:12]: crit: calling user mismatch (httpd instead of nobody)
[2001-04-19 22:47:14]: crit: calling user mismatch (httpd instead of nobody)
[2001-05-07 16:52:02]: info: (target/actual) uid: (mailman/mailman) gid: (mailman/mailman) cmd: listinfo
[2001-05-07 16:52:02]: error: command not in docroot (/var/mailman/cgi-bin/listinfo)
[2001-05-07 16:54:33]: info: (target/actual) uid: (mailman/mailman) gid: (mailman/mailman) cmd: listinfo
[2001-05-07 16:54:33]: error: directory is writable by others: (/var/mailman/cgi-bin)
[2001-05-07 16:54:51]: info: (target/actual) uid: (mailman/mailman) gid: (mailman/mailman) cmd: listinfo
[2001-05-07 16:54:51]: error: target uid/gid (48/48) mismatch with directory (0/0) or program (0/48)
[2001-05-07 16:55:08]: info: (target/actual) uid: (mailman/mailman) gid: (mailman/mailman) cmd: listinfo

All of which require recompilation of the suexec binary, with a modified
suexec.h file to change the restriction parameters it applies.

Anyway, to Tauren's specific idea... I don't think it's exactly possible
without having a full, custom-compiled mailman implementation, set up to
run as the same UID as the client's virtual hosts already run under.

This is because mailman insists on being run as mailman:mailman by
default, and you'd have to compile that out in order for it to work (and
of course taking account of the above suexec changes to allow all the
virtualhosts home directories to be useable for suexec-d CGI's).

All of which is quite a clumsy solution to the problem, but would work.

Alternatively, you could (although this would mean mailman still runs as
mailman:mailman, but it would work) compile up some wrapper executables
for all of the mailman CGI's which are suid to mailman:mailman, within
the virtual host for each of your clients, and put them in each client's
cgi directories.

eg. for each of the mailman CGI's, have a C program like the following:

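#include <unistd.h>
int main(void){
    /* argv[0] must be passed, and the argument list ends with a null pointer */
    execl("/var/mailman/cgi-bin/listinfo", "listinfo", (char *)0);
    return 1; /* only reached if execl() failed */
}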

Compile it, and put it in your client's CGI bin, and then chmod it to
g+s and u+s, and chown to mailman:mailman.

That should get you somewhere, but it would only be one mailman
implementation, still running as mailman:mailman, but it would work with
your current suexec settings, AFAIK.

Yours,

Kev.

Tauren Mills wrote:
> 
> Hi Kyrian,
> 
> Did you ever find a solution to this problem?  I would love to run the
> mailman scripts as my customer's usernames instead of the "nobody" user.
> That's how all of their other CGI scripts are configured to run using
> suEXEC.  But because we have the User and Group settings in each virtual
> host, Mailman won't run.  I've compiled Mailman with the specific username
> that I want to run the scripts.
> 
> I'd appreciate ANY information you can provide!
> 
> Thanks,
> Tauren
> 
> ---
> 
> Hi All,
> 
> Sorry if this is a dumb question, but this is an odd one, I think.
> 
> I've got mailman configured correctly as far as I can see, but I still
> get "Internal Server Error" problems on the web interface, and the
> following in the apache error log:
> 
> [Thu Apr 19 23:54:00 2001] [error] [client 195.13.114.100] Premature end
> of script headers: /usr/share/mailman/cgi-bin/listinfo
> 
> There's nothing in the mailman errors log about this, and nothing in the
> maillog about this, except when I run the cgi's from the command line
> wrongly (they work if I su to "nobody" and run them).
> 
> Everything else seems to work fine, and I've done the following part of
> the FAQ for:
> 
> 'Q. What if I get "document contains no data" from the web server, or
> mail isn't getting delivered, or I see "Premature end of script headers"
> or "Mailman CGI error!!!"'
> 
> ie. in my vhost config for apache (because I'm using suexec for Cgi's):
> 
> <VirtualHost 195.82.99.77>
> User nobody
> Group nobody
> 
> Which removes the errors about "Wrong GID" etc error messages.
> 
> I'm using redhat's mailman-2.0beta5-1 RPM (asking for trouble, I
> know..), and I've followed the instructions for that.
> 
> For python I'm using this RPM from the python site itself:
> BeOpen-Python-2.0-1
> 
> But the problem still remains.
> 
> Is it some incompatibility between suexec and mailman? or a dumb
> permissions/config error at my end?
> 
> I'm stumped, and if anyone could help, that would be great.
> 
> Yours,
> 
> Kev.
> 
> PS. The archives for this list don't seem to be searchable? Is that a
> future plan for mailman? or?
> 
> --
> "Life is the sieve through which my anarchy strains, resolving itself
> into words"
> Kev Green, aka. Kyrian    www.ore.org                             -- Bad
> Religion

--
Kev Green, aka Kyrian.   Email: kyrian at ore.org   Web:
http://mud.ore.org/~kyrian/
"Someday you too will know my pain, and smile its blacktoothed grin,
  if the war inside my head, won't take a day off I'll be dead" --
Megadeth.
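
Added example (not part of the original message, and not Apache's source code): a simplified C re-creation of the target checks behind the suexec log errors quoted in the message above, so a CGI directory can be checked before a request ever reaches suexec_log. The enum names and both functions are hypothetical; the program-writable and set-id checks do not appear in that log and are included because suexec applies them as well.

```c
/* Added example, not Apache's source: suexec-style checks on a CGI target. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

enum verdict { V_OK, V_NOT_IN_DOCROOT, V_DIR_WRITABLE, V_PROG_WRITABLE,
               V_PROG_SETID, V_OWNER_MISMATCH };

/* True when dir is docroot itself or lies below it, matched on a path boundary. */
static int in_docroot(const char *docroot, const char *dir)
{
    size_t n = strlen(docroot);
    while (n > 1 && docroot[n - 1] == '/') n--;       /* ignore trailing slashes */
    if (strncmp(dir, docroot, n) != 0) return 0;
    return (n == 1 && docroot[0] == '/') || dir[n] == '\0' || dir[n] == '/';
}

/* Pure check over already-gathered stat data, in the order the log errors appeared. */
enum verdict precheck(const char *docroot, const char *dir,
                      const struct stat *d, const struct stat *p, uid_t uid, gid_t gid)
{
    if (!in_docroot(docroot, dir))        return V_NOT_IN_DOCROOT;
    if (d->st_mode & (S_IWGRP | S_IWOTH)) return V_DIR_WRITABLE;
    if (p->st_mode & (S_IWGRP | S_IWOTH)) return V_PROG_WRITABLE;
    if (p->st_mode & (S_ISUID | S_ISGID)) return V_PROG_SETID;
    if (d->st_uid != uid || d->st_gid != gid ||
        p->st_uid != uid || p->st_gid != gid) return V_OWNER_MISMATCH;
    return V_OK;
}

/* Same checks against real paths; -1 means the directory or program could not be read. */
int precheck_path(const char *docroot, const char *dir, const char *prog,
                  uid_t uid, gid_t gid)
{
    struct stat d, p; char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, prog);
    if (stat(dir, &d) != 0 || !S_ISDIR(d.st_mode) || stat(path, &p) != 0) return -1;
    return (int)precheck(docroot, dir, &d, &p, uid, gid);
}

int main(void)
{
    /* Constructed sample: root-owned 0755 directory and program, docroot assumed /var/www. */
    struct stat d = {0}, p = {0};
    d.st_mode = 0755; p.st_mode = 0755;
    printf("verdict=%d\n", precheck("/var/www", "/var/mailman/cgi-bin", &d, &p, 48, 48));
    return 0;
}
```

precheck_path() runs the same checks against a real directory and program name, for use on a live CGI directory.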




