On Tue, May 8, 2012 at 8:19 PM, Mark Sapiro <m...@msapiro.net> wrote:
> On 5/8/2012 11:16 AM, David wrote:
>> On Tue, May 8, 2012 at 12:37 PM, David <d...@fiteyes.com> wrote:
>>
>>>>> # bin/check_perms -f
>>> No problems found
>>>
>>> All permissions are reported as OK now. The check_perms is a very handy
>>> script. Thanks for the suggestion to use it.
>>>
>>
>> After fixing permissions, we lost web access to the public archive:
>>
>> Forbidden
>>
>> You don't have permission to access /archive/list/ on this server.
>
> And this was probably because you saw the following
>
> Warning: Private archive directory is other-executable (o+x).
> This could allow other users on your system to read private
> archives.
> If you're on a shared multiuser system, you should consult the
> installation manual on how to fix this.""")
>
> And you then did the equivalent of
>
> chmod o-x archives/private/
>
> without actually reading and understanding the warning in the
> installation manual at <http://www.list.org/mailman-install/node9.html>.

Good guess, but no, I did not do that. All I did was run bin/check_perms -f
several times. Permissions were left exactly as check_perms -f set them:
drwxrwsr-x

>> The fix was relatively easy. Apache runs as user www-data. After running
>> bin/check_perms, I had to run:
>> chown -R www-data /var/lib/mailman/archives/private
>
> The -R in the above is unnecessary as all the subordinates should be
> world readable and searchable already.

For whatever reason, it did not work even with the world readable and
searchable permissions until I changed ownerships recursively.

> You only need to ensure that the
> web server can search the archives/private/ directory to find the
> archives/private/LISTNAME directories pointed to by the
> archives/public/LISTNAME symlinks.
>
> Thus, archives/private/ must be either o+x or owned by the web server
> user (Its group must be Mailman's group, 'list' in your case).

That was the case. But I got the permissions errors until I also set the
owner to www-data (apache user). So I can't say I understand the problem.
It is working now, and I will study your responses and see if I can come to
a better understanding.

> The only
> problem with its being o+x is if you have local, shell access users on
> your server for whom you want to ensure no access to private list archives.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
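Mark's rule for archives/private/ (either o+x, or owned by the web server user, with the o+x trade-off for local shell users) modelled as the per-component Unix search check the kernel applies while following the archives/public/LISTNAME symlink. This is an added example, not code from the thread or from Mailman; the /var/lib/mailman layout, the list name mylist and the shell user alice are constructed.

```python
import posixpath
import stat
# Constructed sample layout modelled on the thread: Mailman's group is
# 'list', Apache runs as 'www-data', the list name 'mylist' is made up.
WEB_PATH = "/var/lib/mailman/archives/public/mylist"
SYMLINKS = {WEB_PATH: "../private/mylist"}  # public/LISTNAME -> private/LISTNAME

def build_tree(private_owner, private_mode):
    """Directory table path -> (owner, group, mode); only archives/private varies."""
    return {
        "/var/lib/mailman": ("root", "list", 0o2775),
        "/var/lib/mailman/archives": ("root", "list", 0o2775),
        "/var/lib/mailman/archives/public": ("root", "list", 0o2775),
        "/var/lib/mailman/archives/private": (private_owner, "list", private_mode),
        "/var/lib/mailman/archives/private/mylist": ("root", "list", 0o2775),
    }

def can_search(entry, user, groups):
    """Unix search (x) check: exactly one class applies, owner > group > other."""
    owner, group, mode = entry
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_denied(tree, path, user, groups, symlinks=SYMLINKS):
    """Resolve `path` component by component, following symlinks like the
    kernel does, and return the first directory `user` cannot search (None
    if all reachable). Paths absent from `tree` count as world-searchable."""
    cur, pending = "/", [c for c in path.split("/") if c]
    while pending:
        nxt = posixpath.join(cur, pending.pop(0))
        if nxt in symlinks:
            # Splice the link target (relative to its parent) into the walk.
            target = posixpath.normpath(posixpath.join(cur, symlinks[nxt]))
            cur, pending = "/", [c for c in target.split("/") if c] + pending
            continue
        if nxt in tree and not can_search(tree[nxt], user, groups):
            return nxt
        cur = nxt
    return None

if __name__ == "__main__":
    for owner, mode in (("root", 0o2770), ("www-data", 0o2770), ("root", 0o2771)):
        tree = build_tree(owner, mode)
        for who in ("www-data", "alice"):  # web server vs. an unrelated shell user
            print(f"private {owner}:{mode:o}  {who:8s} ->",
                  first_denied(tree, WEB_PATH, who, [who]) or "reachable")
```

Only the owner of archives/private/ and its other-search bit change between the three runs: o-x with a non-www-data owner blocks Apache at archives/private, ownership by www-data lets Apache through while still blocking alice, and o+x lets both through.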