Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On 9/14/05 10:46 AM, Sam Gamgee [EMAIL PROTECTED] wrote: yes yes yes. I know that. but the results are not permanent. My problem is trying to find out why. If the fixes are not permanent, then something is fixing them. My memory of the thread says that this happens periodically. I've now forgotten what aspect of the fix isn't permanent in your case. If it is the setgid bit, then perhaps there is a periodic nanny process which removes dangerous setgid bits. If so, there probably is a these are OK list associated with the process. Traditionally, one looked carefully at what is run by cron...in some cases that no longer suffices...for example Apple has moved much of the periodic stuff out of cron into their launchd thing. (Which probably isn't really theirs, but Mac OS X is where I encounter the beast.) --John -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On Wed, Sep 14, 2005 at 04:11:22AM +0200, Sam Gamgee wrote: -I installed mailman on a debian server with postfix. From debian mailman package or from source? -- Sythos - http://www.sythos.net () ASCII Ribbon Campaign - against html/rtf/vCard in mail /\- against M$ attachments -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On Wednesday 14 September 2005 08:15, Sythos wrote: On Wed, Sep 14, 2005 at 04:11:22AM +0200, Sam Gamgee wrote: -I installed mailman on a debian server with postfix. From debian mailman package or from source? I'm sorry I was mistaken earlier. It's a ubuntu server and not debian. I installed the mailman package first. Here however I received: QUOTE Command output: Group mismatch error. Mailman expected the mail wrapper script to be executed as group daemon, but the system's mail server executed the mail script as group mailman. Try tweaking the mail server to run the script as group daemon, or re-run configure, providing the command line option `--with-mail-gid=mailman'. /QUOTe I then installed from source with the --with-mail-gid=mailman option. Thats the situation I'm in now - I can mail, but I can't use the web interface properly. aron -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On Wed, 2005-09-14 at 16:08 +0200, Sam Gamgee wrote: I then installed from source with the --with-mail-gid=mailman option. Thats the situation I'm in now - I can mail, but I can't use the web interface properly. What did you specify as --with-cgi-gid? Both mail and cgi have to line up with how your MTA and web server respectively execute sub-programs. Also, being a bit more specific with how the web interface is not working properly would help solve your problem. -- John Dennis [EMAIL PROTECTED] -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On Wed, 2005-09-14 at 18:45 +0200, Sam Gamgee wrote: yes I have run check_perms several times. I often get wrong group errors such as: /var/lib/mailman/logs/qrunner bad group (has: list, expected mailman) /var/lib/mailman/logs/smtp bad group (has: list, expected mailman) I don't know what keep causing these, but so far they don't seem to have any negative effects. If check_perms is reporting problems you've got problems you need to fix. By default check_perms only reports problems, it does not fix them, to fix them you need to supply the -f argument. If your cgi wrappers are not group mailman then its setgid property is not going to work the way you expect. For instance if its group list then its going to execute as group list and the fact the files it references are -rw-rw mailman:mailman won't help because they are not in the group list. Make sense? -- John Dennis [EMAIL PROTECTED] -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On Wednesday 14 September 2005 19:29, you wrote: On Wed, 2005-09-14 at 18:45 +0200, Sam Gamgee wrote: yes I have run check_perms several times. I often get wrong group errors such as: /var/lib/mailman/logs/qrunner bad group (has: list, expected mailman) /var/lib/mailman/logs/smtp bad group (has: list, expected mailman) I don't know what keep causing these, but so far they don't seem to have any negative effects. If check_perms is reporting problems you've got problems you need to fix. By default check_perms only reports problems, it does not fix them, to fix them you need to supply the -f argument. yes yes yes. I know that. but the results are not permanent. My problem is trying to find out why. If your cgi wrappers are not group mailman then its setgid property is not going to work the way you expect. For instance if its group list then its going to execute as group list and the fact the files it references are -rw-rw mailman:mailman won't help because they are not in the group list. Make sense? which file permissions are wrong? which ones do I have to change? check_perms -f changes get undone constantly and I don't know by what. if check_perms reports some group list and not mailman stuff I don't experience any problems and nothing changes when I fix them. When my web-interface doesn't work i.e. ls -l /var/lib/mailman/lists/listname/ total 24 -rw-rw1 mailman mailman 4284 Sep 14 12:00 config.pck then it will not work regardless of what check_perms says or does. all I know is: if I chown -R www-data /var/lib/mailman/lists then it works again. *help* -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13
On Wed, 2005-09-14 at 19:46 +0200, Sam Gamgee wrote: yes yes yes. I know that. but the results are not permanent. My problem is trying to find out why. I'm trying to tell you why :-) Below are the cgi wrappers on my system as a reference point, adjust the path for your installation. The key thing to note here is the wrapper (anything in the mailman/cgi-bin directory) has two critical properties 1) it is in the group mailman 2) it is setgid (the s flag in the group execute field) What this means is when some entity (e.g. your web server, apache) runs one of this cgi-bin programs the OS will note the files is setgid and then run the program as the group the program file belongs to (e.g. mailman). Without setgid sticky bit the OS will run the program as the group belonging to the entity that invoked it (in this case apache) which appears from your description as to what is happening, the group ownerships are getting changed to apache's group. To further expand on what is happening: when one of these cgi-bin wrappers is called the very first thing it does is ask the following question Who called me? If they are not in a group I trust I refuse to execute because I only work on behest of a select set of trusted groups. For the cgi-bin wrappers that set of groups is the set of groups belonging to your web server and what is set via --with-cgi-gid. If the entity that invoked the wrapper is not in the set of trusted groups you get a group mismatch error and the wrapper exits. If the trust test passes the wrapper continues to execute in the group mailman (because the wrapper's file has the setgid sticky bit set and belongs to the group mailman). If either the setgid sticky bit is not set -or- the wrappers file is not group mailman you're going to get the type of permission problems you're seeing. FWIW, the description applies to the mail wrapper and the MTA, just change the names ;-) % ls -l /usr/lib/mailman/cgi-bin/ total 264 -rwxr-sr-x 1 root mailman 18345 Mar 7 2005 admin -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 admindb -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 confirm -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 create -rwxr-sr-x 1 root mailman 18353 Mar 7 2005 edithtml -rwxr-sr-x 1 root mailman 18353 Mar 7 2005 listinfo -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 options -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 private -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 rmlist -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 roster -rwxr-sr-x 1 root mailman 18353 Mar 7 2005 subscribe -- John Dennis [EMAIL PROTECTED] -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13 SOLVED
% ls -l /usr/lib/mailman/cgi-bin/ total 264 -rwxr-sr-x 1 root mailman 18345 Mar 7 2005 admin -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 admindb -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 confirm -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 create -rwxr-sr-x 1 root mailman 18353 Mar 7 2005 edithtml -rwxr-sr-x 1 root mailman 18353 Mar 7 2005 listinfo -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 options -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 private -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 rmlist -rwxr-sr-x 1 root mailman 18349 Mar 7 2005 roster -rwxr-sr-x 1 root mailman 18353 Mar 7 2005 subscribe thanks! that did it. the permissions were wrong, and they weren't being corrected by check_perms -f for me it was: /var/lib/mailman/cgi-bin/ which is: /var/lib/mailman/cgi-bin - /usr/lib/cgi-bin/mailman anyway. it works now :)) thank you for your patience. cheers. aron -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
Re: [Mailman-Users] config.pck, apache, permissions and Errno 13 SOLVED
On Wed, 2005-09-14 at 21:47 +0200, Sam Gamgee wrote: thanks! that did it. the permissions were wrong, and they weren't being corrected by check_perms -f for me it was: /var/lib/mailman/cgi-bin/ which is: /var/lib/mailman/cgi-bin - /usr/lib/cgi-bin/mailman hmm... it's troubling that check_perms -f didn't fix this, it should have. I can only think of two reasons check_perms would miss the cgi-bin files 1) Its a non-standard installation and check_perms was not updated to reflect the new installation. 2) The fact the cgi-bin directory is a symbolic link (but I would expect that to be transparent because links should just be followed). You might want to run check_perms with the -v verbose option (without the -f it won't change anything). With verbose it will tell you exactly what its checking. You could do something like check_perms -v | grep cgi If you don't get something like the output below then you need to file a bug against whoever provided your mailman package for why check_perms is missing your cgi-bin directory. [EMAIL PROTECTED] Mailman]# /usr/lib/mailman/bin/check_perms -v | grep cgi checking gid and mode for /usr/lib/mailman/cgi-bin checking gid and mode for /usr/lib/mailman/cgi-bin/confirm checking gid and mode for /usr/lib/mailman/cgi-bin/admindb checking gid and mode for /usr/lib/mailman/cgi-bin/listinfo checking gid and mode for /usr/lib/mailman/cgi-bin/private checking gid and mode for /usr/lib/mailman/cgi-bin/admin checking gid and mode for /usr/lib/mailman/cgi-bin/roster checking gid and mode for /usr/lib/mailman/cgi-bin/subscribe checking gid and mode for /usr/lib/mailman/cgi-bin/rmlist checking gid and mode for /usr/lib/mailman/cgi-bin/create checking gid and mode for /usr/lib/mailman/cgi-bin/edithtml checking gid and mode for /usr/lib/mailman/cgi-bin/options checking cgi-bin permissions checking set-gid for /usr/lib/mailman/cgi-bin/confirm checking set-gid for /usr/lib/mailman/cgi-bin/admindb checking set-gid for /usr/lib/mailman/cgi-bin/listinfo checking set-gid for /usr/lib/mailman/cgi-bin/private checking set-gid for /usr/lib/mailman/cgi-bin/admin checking set-gid for /usr/lib/mailman/cgi-bin/roster checking set-gid for /usr/lib/mailman/cgi-bin/subscribe checking set-gid for /usr/lib/mailman/cgi-bin/rmlist checking set-gid for /usr/lib/mailman/cgi-bin/create checking set-gid for /usr/lib/mailman/cgi-bin/edithtml checking set-gid for /usr/lib/mailman/cgi-bin/options -- John Dennis [EMAIL PROTECTED] -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp
[Mailman-Users] config.pck, apache, permissions and Errno 13
hello everyone, I am writing this e-mail as a sort of last resort. Believe me I've tried hard, but can't find a solution to the following problem. -I installed mailman on a debian server with postfix. -all mailing lists work. -webinterface works. now, whenever the cronscripts run, or somebody sends a mail over one of the lists, the permissions of some file (usually something like: /var/lib/mailman/lists/listname/config.pck) will change from www:mailman to mailman:mailman. after this happens, I can no longer access the web-interface. The result: Bug in Mailman version 2.1.5 We're sorry, we hit a bug! If you would like to help us identify the problem, please email a copy of this page to the webmaster for this site with a description of what happened. Thanks! Traceback: Traceback (most recent call last): File /var/lib/mailman/scripts/driver, line 87, in run_main main() File /var/lib/mailman/Mailman/Cgi/listinfo.py, line 47, in main mlist = MailList.MailList(listname, lock=0) File /var/lib/mailman/Mailman/MailList.py, line 128, in __init__ self.Load() File /var/lib/mailman/Mailman/MailList.py, line 593, in Load dict, e = self.__load(file) File /var/lib/mailman/Mailman/MailList.py, line 559, in __load fp = open(dbfile) IOError: [Errno 13] Permission denied: '/var/lib/mailman/lists/listname/config.pck' I tried many things including: I have tried forcing the permissions by doing a chmod u+s. that didn't work ls -l drwsrwsr-x6 www-data mailman 4096 Sep 9 01:11 listname I tried to change MAILMAN_USER = 'www-data' in /usr/lib/mailman/Mailman/mm_cfg.py but this resulted in a Mailman mail-wrapper: Group mismatch error. I was then thorougly confused by suexec stuff http://www.python.org/cgi-bin/faqw-mm.py?req=recentdays=365250 -see 6.17. Apache+Suexec one the one hand, this suggests I should run everything as mailman:mailman and on the other hand I am warned strongly against this in the mailman installation docs. not to mention that the apache docs concerning suexec are daunting. well as apache doc are ;-) and DON'T tell me to run check_perms! *grin* so now here is my question: can anybody help me? thank you aron -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp