Re: [Mailman-Users] cgi wrappers not properly executing

2016-12-16 Thread Mark Sapiro
On 12/16/2016 11:17 AM, John Covici wrote:
> On Fri, 16 Dec 2016 13:04:50 -0500,
> Mark Sapiro wrote:
>>
>> Is anything written to mailman's error log after you made it world writable?
> 
> When I did that, I got permission errors on the config.pck of the list
> since I was doing  http://lists.ccs.covici.com/mailman/admin/


I understand that you said that. I am curious if anything was written to
Mailman's error log and if so, what?


> so the only way I was able to proceed was to either make the whole
> tree rw, or make it owned by apache, but I was hoping for a better
> solution.  I wonder if there is some apache config I have wrong which
> is making the cgi's not execute properly?


Making the whole tree owned by apache is a workaround, and I understand
you want it to work as it should, so let's keep trying.

Do you have any security manager such as SELinux enabled? If so, try
disabling it and see if that helps.

There is also a mail wrapper, probably /usr/lib/mailman/mail/mailman. It
is also group mailman and SETGID and is used by the MTA's aliases to
pipe mail to Mailman. It's tricky because depending on your MTA and how
it executes a pipe for local delivery, it may already be running the
pipe as group mailman, but if not, the SETGID functionality is required
for it to work.

So the first question is how is the MTA delivering to Mailman? E.g. if
it is Postfix and Mailman's aliases are in an alias.db file owned by
mailman, the SETGID isn't needed and successful mail delivery doesn't
prove it works for this, but otherwise successful mail delivery may
prove SETGID works for this file and the question becomes what is
different about Apache and the CGIs.

As far as Apache is concerned, all I'm aware of is suEXEC. If you have
suEXEC enabled, see ,
but as far as I know, suEXEC won't interfere with SETGID on the mailman
CGI wrappers; a suEXEC problem will just prevent the CGI wrapper from
being run at all.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
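The checks discussed in this thread (SETGID bit on the wrapper, group mailman, and a possible 'nosuid' mount), as an added example that is not part of any message in the thread. It assumes Linux-style `mount` output; the function names are hypothetical, and the second sample mount line is constructed for contrast with the one John posted.

```python
import grp
import os
import stat
import subprocess

# Constructed sample in `mount` output format: line 1 is the one quoted in
# the thread, line 2 is a made-up nosuid mount for contrast.
SAMPLE_MOUNTS = """\
rpool/usr on /usr type zfs (rw,relatime,xattr,noacl)
tmpfs on /usr/lib/scratch type tmpfs (rw,nosuid,nodev)
"""

def mount_options(path, mount_output):
    """Return (mount_point, options) for the deepest mount containing path."""
    best = ("", set())
    for line in mount_output.splitlines():
        try:  # <device> on <mount point> type <fstype> (<opt>,<opt>,...)
            point, tail = line.split(" on ", 1)[1].rsplit(" type ", 1)
            opts = set(tail[tail.index("(") + 1:tail.rindex(")")].split(","))
        except (IndexError, ValueError):
            continue  # not a mount line
        inside = path == point or path.startswith(point.rstrip("/") + "/")
        if inside and len(point) > len(best[0]):
            best = (point, opts)
    return best

def wrapper_problems(mode, group, path, mount_output, want_group="mailman"):
    """List reasons the wrapper would not get effective group want_group."""
    problems = []
    if not mode & stat.S_ISGID:
        problems.append("setgid bit not set")
    if group != want_group:
        problems.append("group is %s, not %s" % (group, want_group))
    point, opts = mount_options(path, mount_output)
    if "nosuid" in opts:
        problems.append("%s is mounted nosuid" % point)
    return problems

def check_live(path):
    """Run the same checks against a real file and the live mount table."""
    path = os.path.realpath(path)
    st = os.stat(path)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)  # gid with no name in the group database
    mounts = subprocess.run(["mount"], capture_output=True, text=True).stdout
    return wrapper_problems(st.st_mode, group, path, mounts)
```

An empty list rules out only the mode, group and nosuid causes; the security-manager and suEXEC questions raised in the thread are separate checks.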


Re: [Mailman-Users] cgi wrappers not properly executing

2016-12-16 Thread John Covici
On Fri, 16 Dec 2016 13:04:50 -0500,
Mark Sapiro wrote:
> 
> On 12/16/2016 09:20 AM, John Covici wrote:
> > 
> > hmmm, the file system is mounted normally like this:
> > rpool/usr on /usr type zfs (rw,relatime,xattr,noacl)
> > and I verified that it's capable of setting the bit according to its
> > properties.
> 
> 
> Then the CGIs are running as effective group mailman which should have
> permission.
> 
> Is this a SELinux or other security manager issue? see
> 
> 
> Is anything written to mailman's error log after you made it world writable?

When I did that, I got permission errors on the config.pck of the list
since I was doing  http://lists.ccs.covici.com/mailman/admin/
so the only way I was able to proceed was to either make the whole
tree rw, or make it owned by apache, but I was hoping for a better
solution.  I wonder if there is some apache config I have wrong which
is making the cgi's not execute properly?

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici
 cov...@ccs.covici.com


Re: [Mailman-Users] bin/genaliases not generating aliases?

2016-12-16 Thread Caesar Samsi

Well this certainly might make it easier for me. I'll give the package a try.

Thank you.



Sent from my Samsung Tablet

Mark Sapiro  wrote:
On 12/16/2016 08:52 AM, Barry S. Finkel wrote:
>
> As I have written before, one can easily create a Debian/Ubuntu package
> for Mailman 2.x based on the SourceForge source.  Contact me for
> details.  This will install Mailman in the directories that
> Debian/Ubuntu uses, and I assume that installing the package will
> overwrite any existing Debian/Ubuntu installation.


Thanks Barry.

Also note there is an article at  that
discusses how to upgrade the Debian/Ubuntu package from source.

Also note that there is a current (2.1.23) Ubuntu Mailman package at
 with links to the .deb for
all supported architectures and similarly for Debian at
.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] cgi wrappers not properly executing

2016-12-16 Thread Mark Sapiro
On 12/16/2016 09:20 AM, John Covici wrote:
> 
> hmmm, the file system is mounted normally like this:
> rpool/usr on /usr type zfs (rw,relatime,xattr,noacl)
> and I verified that it's capable of setting the bit according to its
> properties.


Then the CGIs are running as effective group mailman which should have
permission.

Is this a SELinux or other security manager issue? see


Is anything written to mailman's error log after you made it world writable?

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] bin/genaliases not generating aliases?

2016-12-16 Thread Mark Sapiro
On 12/16/2016 08:52 AM, Barry S. Finkel wrote:
> 
> As I have written before, one can easily create a Debian/Ubuntu package
> for Mailman 2.x based on the SourceForge source.  Contact me for
> details.  This will install Mailman in the directories that
> Debian/Ubuntu uses, and I assume that installing the package will
> overwrite any existing Debian/Ubuntu installation.


Thanks Barry.

Also note there is an article at  that
discusses how to upgrade the Debian/Ubuntu package from source.

Also note that there is a current (2.1.23) Ubuntu Mailman package at
 with links to the .deb for
all supported architectures and similarly for Debian at
.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] cgi wrappers not properly executing

2016-12-16 Thread John Covici
On Fri, 16 Dec 2016 11:10:00 -0500,
Mark Sapiro wrote:
> 
> On 12/15/2016 10:48 PM, John Covici wrote:
> > 
> > When I try to do anything on the web, I get permission denied error on
> > /var/lib/mailman/logs/error  .  If I then make that file world
> > read/write, I get permission denied error on config.pck of the list I
> > am trying to access.
> > 
> > Now, everything under /var/lib/mailman is owned by mailman.mailman and
> > the cgi wrappers are all like the following:
> > -rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45
> > /usr/lib/mailman/cgi-bin/admin
> 
> 
> Probably the file system containing /usr/lib/mailman/cgi-bin/ is mounted
> with the 'nosuid' option so the SETGID bit on the wrapper is not effective.
> 
> You could work around this by changing the ownership of everything to
> webuser:mailman where webuser is the user the web server runs the CGIs
> as, but better to mount the filesystem suid.

hmmm, the file system is mounted normally like this:
rpool/usr on /usr type zfs (rw,relatime,xattr,noacl)
and I verified that it's capable of setting the bit according to its
properties.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici
 cov...@ccs.covici.com


Re: [Mailman-Users] bin/genaliases not generating aliases?

2016-12-16 Thread Barry S. Finkel

On Dec 15, 2016, at 8:31 PM, Mark Sapiro  wrote:

On 12/15/2016 08:26 PM, Caesar Samsi wrote:

The mm_cfg.py is in /etc/mailman



Which is the one from the Debian/Ubuntu package, not the one that your
latest install is using.

The one you need to put your settings in is
/usr/local/mailman/Mailman/mm_cfg.py.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



On 12/15/2016 10:33 PM, Caesar Samsi wrote:
> Yeah, in the ubuntu package the file was in /etc/mailman so I thought
> installing from scratch it would be there too!

>
> I will try in your location now.



As I have written before, one can easily create a Debian/Ubuntu package
for Mailman 2.x based on the SourceForge source.  Contact me for
details.  This will install Mailman in the directories that
Debian/Ubuntu uses, and I assume that installing the package will
overwrite any existing Debian/Ubuntu installation.

--Barry Finkel


Re: [Mailman-Users] cgi wrappers not properly executing

2016-12-16 Thread Mark Sapiro
On 12/15/2016 10:48 PM, John Covici wrote:
> 
> When I try to do anything on the web, I get permission denied error on
> /var/lib/mailman/logs/error  .  If I then make that file world
> read/write, I get permission denied error on config.pck of the list I
> am trying to access.
> 
> Now, everything under /var/lib/mailman is owned by mailman.mailman and
> the cgi wrappers are all like the following:
> -rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45
> /usr/lib/mailman/cgi-bin/admin


Probably the file system containing /usr/lib/mailman/cgi-bin/ is mounted
with the 'nosuid' option so the SETGID bit on the wrapper is not effective.

You could work around this by changing the ownership of everything to
webuser:mailman where webuser is the user the web server runs the CGIs
as, but better to mount the filesystem suid.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] cgi wrappers not properly executing

2016-12-16 Thread John Covici
Hi.  I am using mailman 2.1.23 on a gentoo system.  I run into the
following problem:

When I try to do anything on the web, I get permission denied error on
/var/lib/mailman/logs/error  .  If I then make that file world
read/write, I get permission denied error on config.pck of the list I
am trying to access.

Now, everything under /var/lib/mailman is owned by mailman.mailman and
the cgi wrappers are all like the following:
-rwxr-sr-x 1 mailman mailman 10512 Nov 16 12:45
/usr/lib/mailman/cgi-bin/admin

Check_perms says no problems.

I am using apache 2.4.23 and here is what loads with mailman
ScriptAlias /mailman/ "/usr/lib/mailman/cgi-bin/"


Options +execcgi
require all granted


Alias /pipermail/ "/var/lib/mailman/archives/public/"


AllowOverride None
Options ExecCGI FollowSymLinks
require all granted

#namevirtualhost lists.ccs.covici.com

DocumentRoot /var/www
ServerName lists
 ServerAlias lists.*
 UseCanonicalName Off
 ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
 Alias /icons/ /usr/lib/mailman/icons/
 Alias /pipermail/ /var/lib/mailman/archives/public/
 
  Options FollowSymLinks
 

Options +execcgi
require all granted



 

Any assistance will be greatly appreciated.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici
 cov...@ccs.covici.com