[Mailman-Users] Mailman under Cygwin - won't add list

[Mark Sapiro]

Ben wrote:
>
>I tried explicitly forcing permissions with 'chmod 777 config.pck', and
>that made the Admin page work.  So, the "660" permissions are the
>problem, not the owner/group.  However, when I tried the Admin page for
>the list, I got "We're sorry, we hit a bug!" again:
>
>admin(4088):   File "/usr/local/mailman/Mailman/MailList.py", line 512,
>in __save
>admin(4088):     fp = open(fname_tmp, 'w')
>admin(4088): IOError: [Errno 13] Permission denied:
>'/usr/local/mailman/lists/friends/config.pck.tmp.LittleGuy.4088'
>
>This seems to be a widespread issue with Mailman under Cygwin -
>permission don't behave as under Unix, so Mailman chokes easily.  I
>don't blame Mailman, I'm sure it's reasonable for it to expect
>permissions to behave they way they should.
>
>However, at this point I'm wondering whether the Mailman + Cygwin
>combination is workable.  The Mailman website, Manual and FAQ reasonably
>state that Mailman "does not currently work on Windows" and "some
>source-code level changes are currently necessary to get Mailman working
>under Cygwin" and "It probably does not work on Windows, although it's
>possible you could get it running on a Cygwin system."


I think the above is a fair summary of the issue. I do have *test*
mailman installs under Cygwin that work, but they are not accessable
to the outside world. I don't know if it is possible to actually run
Mailman in a secure way on a public server, because Mailman's security
is based on SETGID wrappers, and I don't think SETGID actually works
under Cygwin.


>This makes me sad, as I had high hopes, as I cannot find any real
>alternative to Mailman in the Windows world, neither free nor
>commercial.  All I wanted to do was to create a small mailing list on a
>plain XP box, but it's become a week-long ordeal ending in frustration.
>
>I'm wide open to advice, although I suspect "Get a Linux machine" is the
>likely response :(  (I do have a Linux box, but this XP box is the
>quiet, low-power always-on server machine in our office which runs our
>website with Apache wonderfully, hence that's where I must install a
>mailing list.)


Here's how you can make it work.

CAVEAT!! This will not be secure! (more below)

>From your previous posts, I think your web server runs in the
Administrators group. What are you running as a mail server? I use
Exim under Cygwin and that works well and integrates well with
Mailman. Anyway, your mail server needs to run in the Administrators
group too. Then you need to make your mailman user a member of the
Administrators group, not mm, and reconfigure Mailman with
--with-groupname, --with-cgi-gid and --with-mail-gid all equal to
Administrators. Then reinstall with 'make install' and run
'bin/check_perms -f' to make sure things are OK. You may need to
change the group of your $prefix directory to Administrators before
configure will run.

Now everything will run in the Administrators group which will have
permissions. The SETGID wrappers won't actually set group, but they
will be run in the Administrators group anyway, so things will work.

The problem is that Apache will now be able to access any Mailman files
without going through the cgi-bin wrappers, so potentially, outside
users can retrieve things like config.pck files that contain member
lists and their passwords.

You may be able to arrange the Apache config so that it is not possible
to craft a URL that would retrieve files from Mailman directly. If so,
you would be fairly safe, but I don't know much about this, so I don't
know how easy or difficult this might be.

Let us know how it works out. And if you have 'improvements' for FAQ
5.2, please give us those too.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan