[Mailman-Users] Internal Server Error

Mark Sapiro mark at msapiro.net
Tue Nov 10 23:18:58 CET 2009


Carl Parsons wrote:
>
>I rebuilt suexec so docroot is
>
>-bash-3.2# suexec -V
> -D AP_DOC_ROOT="/home"
> -D AP_GID_MIN=100
> -D AP_HTTPD_USER="apache"
> -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
> -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
> -D AP_UID_MIN=500
> -D AP_USERDIR_SUFFIX="public_html"
>
>created a directory /home/mailman to put the cgi-bin files copying from 
>/usr/lib/mailman/cgi-bin to
>/home/mailman/cgi-bin


You didn't have to do that.

See my reply at
<http://mail.python.org/pipermail/mailman-users/2009-October/067490.html>.
The important part of that reply is


>First a big caveat. Mailman's security model is not compatible with
>suexec. You can make it work if you only host a single domain, but
>beyond that, it's a pain or impossible. Maybe your recompilation will
>help. I don't know.

[...]
>suexec.log
>[2009-10-21 10:32:43]: uid: (505/mysite.com) gid: (505/mysite) cmd: listinfo
>[2009-10-21 10:32:43]: target uid/gid (505/505) mismatch with directory 
>(0/41) or program (0/41)
>
>When http is at mysite.com it executes as user mysite.


Apache is trying to run the wrapper as suExec uid and gid
uid: (505/mysite.com) gid: (505/mysite)

Your wrappers and the directory containing them are owned by root and
group 41 whatever that is. This is a violation of items 14 and 16 at
<http://httpd.apache.org/docs/2.2/suexec.html>.

Note that the wrapper also can't be SETGID (to any group), so
everything will run as user/group 505/505 which in turn means that all
mailman code must be readable by that user/group and all existing and
future mutable data must be writable by that user/group.

For practical purposes this means that Mailman must be
configured/installed with GID 505.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
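
The ownership and mode conditions discussed in this message, as an added example that is not part of the original post and is not Mailman or Apache code: a Python pre-flight check modeled on the suexec checks for directory/program write bits, setuid/setgid bits, and uid/gid ownership. The function names, the `Stat` helper and the sample modes (a 0755 directory and a setgid 2755 wrapper) are assumptions; the 505/505 and 0/41 values are taken from the suexec.log lines quoted above.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the checks can run on constructed values.
Stat = namedtuple("Stat", "st_uid st_gid st_mode")


def suexec_problems(dir_st, prog_st, uid, gid):
    """Return the reasons suexec would refuse to run the program as uid/gid."""
    problems = []
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is writable by group or others")
    if prog_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("program is writable by group or others")
    if prog_st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program is setuid or setgid")
    owners_ok = ((dir_st.st_uid, dir_st.st_gid) == (uid, gid)
                 and (prog_st.st_uid, prog_st.st_gid) == (uid, gid))
    if not owners_ok:
        problems.append(
            "target uid/gid (%d/%d) mismatch with directory (%d/%d) or program (%d/%d)"
            % (uid, gid, dir_st.st_uid, dir_st.st_gid,
               prog_st.st_uid, prog_st.st_gid))
    return problems


def check_wrapper(path, uid, gid):
    """Run the same checks against a real CGI wrapper and its directory on disk."""
    path = os.path.abspath(path)
    return suexec_problems(os.stat(os.path.dirname(path)), os.lstat(path), uid, gid)


# Constructed sample: directory and wrapper owned by uid 0 / gid 41 as in the
# quoted log; the modes (0755 directory, setgid 2755 wrapper) are assumed.
SAMPLE_DIR = Stat(0, 41, stat.S_IFDIR | 0o755)
SAMPLE_PROG = Stat(0, 41, stat.S_IFREG | 0o2755)

if __name__ == "__main__":
    for problem in suexec_problems(SAMPLE_DIR, SAMPLE_PROG, 505, 505):
        print(problem)
```

`check_wrapper()` takes the path of one wrapper (for example `listinfo`) plus the suexec target uid and gid, and returns an empty list when none of these conditions would block it.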


