[Mailman-Users] chroot, OpenBSD, Apache, and Mailman

Mark Sapiro mark at msapiro.net
Sat Apr 19 05:27:20 CEST 2008


David Newman wrote:
>
>Is there a howto for installing Mailman from source inside the Apache
>chroot on OpenBSD?


I don't think so. There are some posts in the list archives, but I
think mostly questions and maybe answers.


>I'm struggling with this, using Mailman 2.1.19, Postfix 2.4.3, and
>OpenBSD 4.2. There's a list of installation steps pasted below.


I've snipped most of that except where I have comments.


>I suspect a permissions problem. Mailman would not serve up pages when 
>all files were owned by group mailman, so I did 'chgrp -R www 
>/var/www/mailman'. But after trying to create a list, the
>aliases file is mode 660, owned by root:www.


This is probably a mistake. Mailman relies on everything being group
Mailman and the CGI and mail wrappers being group Mailman and SETGID
so everything runs as group Mailman. If the chroot jail doesn't allow
SETGID to work, then I'm not sure what you'd need to do, but whatever
user:group structure you have, both the web server and the MTA have to
be able to write various Mailman files.



>This is the error in /var/www/mailman/logs/error that results from
>trying to create a new list:
>
>Apr 18 11:21:00 2008 admin(1925): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>admin(1925): [----- Mailman Version: 2.1.9 -----]
>admin(1925): [----- Traceback ------]
>admin(1925): Traceback (most recent call last):
>admin(1925):   File "/var/www/mailman/scripts/driver", line 101, in run_main
>admin(1925):     main()
>admin(1925):   File "/var/www/mailman/Mailman/Cgi/create.py", line 56, in main
>admin(1925):     process_request(doc, cgidata)
>admin(1925):   File "/var/www/mailman/Mailman/Cgi/create.py", line 238, in process_request
>admin(1925):     sys.modules[modname].create(mlist, cgi=1)
>admin(1925):   File "/var/www/mailman/Mailman/MTA/Postfix.py", line 232, in create
>admin(1925):     _update_maps()
>admin(1925):   File "/var/www/mailman/Mailman/MTA/Postfix.py", line 53, in _update_maps
>admin(1925):     raise RuntimeError, msg % (acmd, status, errstr)
>admin(1925): RuntimeError: command failed: /usr/local/sbin/postalias /var/www/mailman/data/aliases (status: 1, Operation not permitted)
>
>I've also tried putting postalias inside the chroot jail but the error
>above persists.


postalias has to be able to read data/aliases and write data/aliases.db
when running as the group of the web server unless the SETGID on the
cgi-bin/create wrapper works.


>Also, it says to set:
>
>recipient_delimiter = +
>
>even though the current setting is:
>
>recipient_delimiter = -
>
>I'm not making this change for now, and sticking with the '-' setting.


This will cause problems if you want to use any of Mailman's VERP-like
options. All the templates and regexps are set to use '+' as the
delimiter. Although they can be changed to use '-', it's tedious at
best.


>19. Add mailman to www group. I don't know if this is a good security
>practice (I suspect it's a bad idea) but I was unable to get Mailman to
>work without this step.
>
>In /etc/group and /var/www/etc/group:
>
>www:*:67:mailman
>
>and restart Apache and mailman:
>
>apachectl restart
>/var/www/mailman/bin/mailmanctl restart


Presumably, if this is necessary, it's because SETGID doesn't work for
the wrappers inside the jail.


>20. (Necessary?) Find which postalias stuff needs to go into the chroot 
>jail:
>
>  ldd /usr/local/sbin/postalias


If you need to do this for postalias, you also will need it for postmap
because the same thing applies to data/virtual-mailman*.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
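
The permission requirements discussed in this thread (wrappers SETGID to the Mailman group, the tree owned by that group, and data/aliases readable with data/ writable by the group so postalias can create aliases.db) can be audited with a short script. This is an added example, not part of the original message or of Mailman; it assumes the standard Mailman 2.1 layout (cgi-bin/, mail/mailman, data/aliases), and the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not Mailman code. Assumes the standard Mailman 2.1 layout
# under a prefix such as /var/www/mailman; prefix and group are arguments.

# Succeeds when FILE ($1) belongs to GROUP ($2) and carries the setgid bit.
is_setgid_group() {
    [ -n "$(find "$1" -prune -group "$2" -perm -2000 2>/dev/null)" ]
}

# Prints one finding per line for the install at PREFIX ($1) and GROUP ($2).
audit_mailman_perms() {
    prefix=$1
    grp=$2

    # CGI and mail wrappers must be setgid GROUP so they run as that group.
    for w in "$prefix"/cgi-bin/* "$prefix"/mail/mailman; do
        [ -f "$w" ] || continue
        is_setgid_group "$w" "$grp" || echo "NOT-SETGID $w"
    done

    # Every file and directory in the tree should be owned by GROUP.
    find "$prefix" ! -group "$grp" | while IFS= read -r p; do
        echo "WRONG-GROUP $p"
    done

    # postalias writes data/aliases.db, so data/ needs group write ...
    [ -n "$(find "$prefix/data" -prune -perm -020)" ] ||
        echo "DATA-NOT-GROUP-WRITABLE $prefix/data"

    # ... and it reads data/aliases, so that file needs group read.
    if [ -e "$prefix/data/aliases" ] &&
       [ -z "$(find "$prefix/data/aliases" -prune -perm -040)" ]; then
        echo "ALIASES-NOT-GROUP-READABLE $prefix/data/aliases"
    fi
}

# Usage: sh audit.sh /var/www/mailman mailman
if [ "$#" -eq 2 ]; then
    audit_mailman_perms "$1" "$2"
fi
```

An empty result means the on-disk modes match what the wrappers expect; it does not show whether the chroot or the filesystem mount options honor the SETGID bit at execution time.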


