[Mailman-Users] OSError: [Errno 13] Permission denied /var/lib/mailman/archives/private/list/attachments: No such file or directory

David dave at fiteyes.com
Wed May 9 02:39:54 CEST 2012


On Tue, May 8, 2012 at 8:19 PM, Mark Sapiro <mark at msapiro.net> wrote:

> On 5/8/2012 11:16 AM, David wrote:
> > On Tue, May 8, 2012 at 12:37 PM, David <dave at fiteyes.com> wrote:
> >
>
> >>>>> # bin/check_perms -f
> >>> No problems found
> >>>
> >>> All permissions are reported as OK now. The check_perms is a very handy
> >>> script. Thanks for the suggestion to use it.
> >>>
> >>
> >>
> >> After fixing permissions, we lost web access to the public archive:
> >>
> >> Forbidden
> >>
> >> You don't have permission to access /archive/list/ on this server.
>
>
> And this was probably because you saw the following
>
> Warning: Private archive directory is other-executable (o+x).
>         This could allow other users on your system to read private
> archives.
>         If you're on a shared multiuser system, you should consult the
>         installation manual on how to fix this.""")
>
> And you then did the equivalent of
>
>  chmod o-x archives/private/
>
> without actually reading and understanding the warning in the
> installation manual at <http://www.list.org/mailman-install/node9.html>.
>
>
Good guess, but no, I did not do that. All I did was run bin/check_perms -f
several times.
Permissions were left exactly as check_perms -f set them:
drwxrwsr-x



>
> > The fix was relatively easy. Apache runs as user www-data. After running
> > bin/check_perms, I had to run:
> > chown -R www-data /var/lib/mailman/archives/private
>
>
> The -R in the above is unnecessary as all the subordinates should be
> world readable and searchable already.


For whatever reason, it did not work even with the world readable and
searchable permissions until I changed ownerships recursively.



> You only need to ensure that the
> web server can search the archives/private/ directory to find the
> archives/private/LISTNAME directories pointed to by the
> archives/public/LISTNAME symlinks.
>
> Thus, archives/private/ must be either o+x or owned by the web server
> user (Its group must be Mailman's group, 'list' in your case).


That was the case. But I got the permissions errors until I also set the
owner to www-data (apache user).

So I can't say I understand the problem. It is working now, and I will
study your responses and see if I can come to a better understanding.


> The only
> problem with its being o+x is if you have local, shell access users on
> your server for whom you want to ensure no access to private list archives.
>
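
The rule stated in the quoted reply above (archives/private/ must be either o+x or owned by the web server user, with Mailman's group as its group), written as a read-only check. This is an added example, not part of the original message or of Mailman; the function names and status strings are made up for illustration, and `www-data` and `list` are the values mentioned in this thread.

```shell
#!/bin/sh
# Added example (not from Mailman): report whether the web server can
# search archives/private under the rule quoted in this thread.
# Usage: sh check.sh /var/lib/mailman/archives/private www-data list

# has DIR PREDICATE...: true if DIR itself matches the find(1) predicate.
has() {
    d=$1; shift
    [ -n "$(find "$d" -prune "$@" 2>/dev/null)" ]
}

# check_private_archive DIR WEB_USER MAILMAN_GROUP
# Prints one status word; returns 0 if the web server can search DIR.
check_private_archive() {
    dir=$1; web_user=$2; mm_group=$3
    if [ ! -d "$dir" ]; then
        echo "MISSING"; return 2
    fi
    # The directory's group must be Mailman's group in either case.
    if ! has "$dir" -group "$mm_group"; then
        echo "BAD_GROUP"; return 1
    fi
    # Case 1: other-searchable. Works for the web server, but local
    # shell users can then reach private list archives as well.
    if has "$dir" -perm -0001; then
        echo "OK_OTHER_SEARCHABLE"; return 0
    fi
    # Case 2: o-x, so the web server user must own the directory
    # and the owner must have search (x) permission.
    if has "$dir" -user "$web_user" && has "$dir" -perm -0100; then
        echo "OK_OWNED_BY_WEB_USER"; return 0
    fi
    echo "WEB_SERVER_CANNOT_SEARCH"; return 1
}

# Run only when called with the three arguments.
if [ $# -eq 3 ]; then
    check_private_archive "$@"
fi
```

The check only reads metadata and changes nothing, so it can be run before and after `bin/check_perms -f` to see which of the two cases applies.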

