[Mailman-Users] Issues with mailman

Mark Sapiro mark at msapiro.net
Wed Nov 16 00:43:15 CET 2011


Chris Petrik wrote:
>
>Now when I try to go to the admin section of the webui for the mailing I 
>get the bug page. Which is easily fixed by changing the owner from 
>mailman to www.
>
>I tried adding mailman to group www but that doesn't seem to work.


It should work. See the FAQ at <http://wiki.list.org/x/tYA9> for more
on this, but basically, Mailman's directories are group mailman and
SETGID so that subordinate files are created with group mailman.
Mailman's CGI wrappers and mail wrapper are group mailman and SETGID
so they run with effective group mailman. Mailman's qrunners run as
user:group mailman:mailman.

The whole thing is based on the idea that anything that is running in
group mailman has write permission on all the mutable directories and
their contents.

If your OS does not allow user:group www:mailman to do certain
operations on files owned by mailman:mailman even though the mailman
group has write permission and likewise for group mailman:mailman on
files owned by www:mailman, you will not be able to avoid these issues.

Mailman is known to work on FreeBSD, so there must be something you can
do to enable this.

In a followup Chris added:

>I recompiled mailman with the cgi_gid changed to mailman and the apache 
>config to be changed as AssignUserID mailman mailman and now I don't get 
>the bug page and all is well.


This is not a good idea. It means the web server now runs as
mailman:mailman and can access anything in Mailman's tree without
necessarily going through the authentication in the CGIs. There may
not be any URLs that can do this, but consider
http://www.example.com/pipermail/../../lists for example.


>I will continue to monitor the mailman 
>services to see if any more perm issues arise before I create 
>production mailing lists.
>
>I am not sure if this is the proper way to run mailman but it seems to 
>work, since the web panel is always open to issues and bug reports which 
>is awesome it is not that hard to explain to them the issue and have 
>them fix it.  Seems rather obvious mailman creates files as user mailman 
>but editing the files in a web browser creates the files as the running 
>user of the web server, i.e. www, if I am not mistaken. Using the itk patch 
>will allow the web server to create/edit files as the user set in the 
>AssignUserID directive in apache.


I don't know how your web server works, but the owner = www or mailman
shouldn't matter as everything should be based on group. Possibly, the
issue is the web server is not honoring the SETGID bit on the CGI
wrappers.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
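
Added example (not part of the original message and not Mailman's own code): a shell audit of the group/SETGID model described in the reply above. The directory and wrapper names assume a standard Mailman 2.1 layout and are not taken from the thread; the install prefix and group are passed as arguments.

```shell
#!/bin/sh
# Assumed layout (illustrative, not from the thread): mutable directories and
# wrapper directories relative to the Mailman install prefix.
MUTABLE_DIRS="archives data lists locks logs qfiles spam"
WRAPPER_DIRS="cgi-bin mail"

# has_setgid_group PATH GROUP -> 0 if PATH is in GROUP and has the SETGID bit
has_setgid_group() {
    [ -n "$(find "$1" -prune -group "$2" -perm -2000 2>/dev/null)" ]
}

# group_writable PATH -> 0 if the group write bit is set on PATH
group_writable() {
    [ -n "$(find "$1" -prune -perm -020 2>/dev/null)" ]
}

# audit_mailman_perms PREFIX GROUP
# Prints one finding per line; exit status is 0 only when nothing is found.
# Example call (placeholder prefix): audit_mailman_perms /path/to/mailman mailman
audit_mailman_perms() {
    prefix=$1 group=$2 findings=0
    for d in $MUTABLE_DIRS; do
        [ -d "$prefix/$d" ] || continue
        # Directories must be group GROUP and SETGID so new files inherit the group
        if ! has_setgid_group "$prefix/$d" "$group"; then
            echo "DIR_NOT_SETGID_GROUP $prefix/$d"; findings=$((findings + 1))
        fi
        # Anything running in GROUP needs write permission here
        if ! group_writable "$prefix/$d"; then
            echo "DIR_NOT_GROUP_WRITABLE $prefix/$d"; findings=$((findings + 1))
        fi
    done
    for w in $WRAPPER_DIRS; do
        [ -d "$prefix/$w" ] || continue
        for f in "$prefix/$w"/*; do
            [ -f "$f" ] || continue
            # Wrappers must be group GROUP and SETGID so they run with that
            # effective group regardless of which user the web server runs as
            if ! has_setgid_group "$f" "$group"; then
                echo "WRAPPER_NOT_SETGID_GROUP $f"; findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}
```

Mailman 2.1 also ships its own, more complete checker as bin/check_perms.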


