Carl Parsons wrote:
>
>I rebuilt suexec so docroot is
>
>-bash-3.2# suexec -V
> -D AP_DOC_ROOT="/home"
> -D AP_GID_MIN=100
> -D AP_HTTPD_USER="apache"
> -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
> -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
> -D AP_UID_MIN=500
> -D AP_USERDIR_SUFFIX="public_html"
>
>created a directory /home/mailman to put the cgi-bin files copying from
>/usr/lib/mailman/cgi-bin to
>/home/mailman/cgi-bin

You didn't have to do that. See my reply at
<http://mail.python.org/pipermail/mailman-users/2009-October/067490.html>.
The important part of that reply is

>First a big caveat. Mailman's security model is not compatible with
>suexec. You can make it work if you only host a single domain, but
>beyond that, it's a pain or impossible. Maybe your recompilation will
>help. I don't know.

[...]

>suexec.log
>[2009-10-21 10:32:43]: uid: (505/mysite.com) gid: (505/mysite) cmd: listinfo
>[2009-10-21 10:32:43]: target uid/gid (505/505) mismatch with directory
>(0/41) or program (0/41)
>
>When http is at mysite.com it executes as user mysite.

Apache is trying to run the wrapper as suExec uid and gid

uid: (505/mysite.com) gid: (505/mysite)

Your wrappers and the directory containing them are owned by root and
group 41 whatever that is. This is a violation of items 14 and 16 at
<http://httpd.apache.org/docs/2.2/suexec.html>.

Note that the wrapper also can't be SETGID (to any group), so
everything will run as user/group 505/505 which in turn means that all
mailman code must be readable by that user/group and all existing and
future mutable data must be writable by that user/group.

For practical purposes this means that Mailman must be
configured/installed with GID 505.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
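An added example, not part of the original message and not suexec's own code: a Python preflight that approximates the ownership and mode checks behind the suexec.log line quoted above, so a wrapper can be checked before Apache tries to run it. The function names and the sample file modes are assumptions; the uid/gid values and the minimums come from the message.

```python
import os
import stat
from types import SimpleNamespace

# Build-time limits as printed by `suexec -V` in the message above.
AP_UID_MIN = 500
AP_GID_MIN = 100


def suexec_findings(uid, gid, dir_st, prog_st,
                    uid_min=AP_UID_MIN, gid_min=AP_GID_MIN):
    """Return the reasons suexec would be expected to refuse this target.

    dir_st and prog_st are os.stat_result-like objects
    (st_uid, st_gid, st_mode); uid/gid are the suexec target ids.
    """
    findings = []
    if uid < uid_min or gid < gid_min:
        findings.append("target uid/gid below minimum")
    writable = stat.S_IWGRP | stat.S_IWOTH
    if dir_st.st_mode & writable:
        findings.append("directory writable by group or others")
    if prog_st.st_mode & writable:
        findings.append("program writable by group or others")
    if prog_st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("program is setuid or setgid")
    owners = {(dir_st.st_uid, dir_st.st_gid), (prog_st.st_uid, prog_st.st_gid)}
    if owners != {(uid, gid)}:
        findings.append(
            "target uid/gid (%d/%d) mismatch with directory (%d/%d) or program (%d/%d)"
            % (uid, gid, dir_st.st_uid, dir_st.st_gid,
               prog_st.st_uid, prog_st.st_gid))
    return findings


def check_path(program, uid, gid):
    """Run the same checks against a real file and its containing directory."""
    prog_st = os.lstat(program)
    dir_st = os.lstat(os.path.dirname(os.path.abspath(program)))
    return suexec_findings(uid, gid, dir_st, prog_st)


# Constructed sample: ownership 0/41 is from the log line above; the modes
# are assumed (a setgid wrapper in a 0755 directory).
SAMPLE_DIR = SimpleNamespace(st_uid=0, st_gid=41, st_mode=stat.S_IFDIR | 0o755)
SAMPLE_WRAPPER = SimpleNamespace(st_uid=0, st_gid=41, st_mode=stat.S_IFREG | 0o2755)
# The layout the reply calls for: everything owned 505/505, no setgid bit.
FIXED_DIR = SimpleNamespace(st_uid=505, st_gid=505, st_mode=stat.S_IFDIR | 0o755)
FIXED_WRAPPER = SimpleNamespace(st_uid=505, st_gid=505, st_mode=stat.S_IFREG | 0o755)
```

`check_path` takes a wrapper path plus the target uid and gid and applies the same checks to the real file and its directory.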
