Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2014-03-30 Thread Luca Capello
tag 603904 + patch
user cont...@itopie.ch
usertags 603904 + debian-packaging
thanks

Hi there!

On Sat, 08 Mar 2014 20:56:15 +0100, b...@debian.org wrote:
> I confirm the problem.  FYI here's the permissions at Gna(.org) that
> have been working for at least 2 years, more likely 10:
>
>   drwxrws--- 4065 www-data list 139264 Mar  8 17:30 /var/lib/mailman/archives/private/

The above reflects both /usr/share/doc/mailman/mailman-install.txt.gz
from wheezy (1:2.1.15-1) and sid (1:2.1.16-2), as well as the online
documentation:

  

--8<---cut here---start->8---
   4 Check your installation

   After you've run make install, you should check that your installation
   has all the correct permissions and group ownerships by running the
   check_perms script.
[...]
   Warning: If you're running Mailman on a shared multiuser system, and
   you have mailing lists with private archives, you may want to hide the
   private archive directory from other users on your system. In that
   case, you should drop the other execute permission (o-x) from the
   archives/private directory. However, the web server process must be
   able to follow the symbolic link in public directory, otherwise your
   public Pipermail archives will not work. To set this up, become root
   and run the following commands:

# cd /archives
# chown  private
# chmod o-x private

   You need to know what user your web server runs as. It may be www,
   apache, httpd or nobody, depending on your server's configuration.
--8<---cut here---end--->8---

However, the above is still not the case on a default wheezy
(1:2.1.15-1) installation: list:www-data for private and root:list for
public.  And indeed, the current Debian settings cause a permission
error: everything is OK for www-data, but not for list:
=
root@maison:~# ls -l /var/lib/mailman/archives/*
/var/lib/mailman/archives/private:
total 16
drwxrwsr-x 2 root www-data 4096 Mar 29 15:28 mailman
drwxrwsr-x 2 root www-data 4096 Mar 29 15:28 mailman.mbox
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test.mbox

/var/lib/mailman/archives/public:
total 0
lrwxrwxrwx 1 www-data list 38 Mar 29 18:02 test -> /var/lib/mailman/archives/private/test
root@maison:/etc# ls -lR /var/lib/mailman/archives/*
/var/lib/mailman/archives/private:
total 16
drwxrwsr-x 2 root www-data 4096 Mar 29 15:28 mailman
drwxrwsr-x 2 root www-data 4096 Mar 29 15:28 mailman.mbox
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test.mbox

/var/lib/mailman/archives/private/mailman:
total 4
-rw-rw-r-- 1 root www-data 573 Mar 29 15:28 index.html

/var/lib/mailman/archives/private/mailman.mbox:
total 0

/var/lib/mailman/archives/private/test:
total 4
-rw-rw-r-- 1 www-data www-data 564 Mar 29 18:02 index.html

/var/lib/mailman/archives/private/test.mbox:
total 0

/var/lib/mailman/archives/public:
total 0
lrwxrwxrwx 1 www-data list 38 Mar 29 18:02 test -> /var/lib/mailman/archives/private/test
root@maison:~# 
=

Simply doing as Sylvain and upstream suggest is enough, which actually
reflects the public folder permissions:
=
root@maison:~# chown www-data:list /var/lib/mailman/archives/private/
root@maison:~# chgrp -R list /var/lib/mailman/archives/private/
=

Please note that Yubao Liu already pointed this out, both on this bug as
well as on the Debian Mailman list:

  
  


The patch is trivial:

--8<---cut here---start->8---
diffstat for mailman-2.1.16 mailman-2.1.16

 changelog |9 +
 rules |2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff -Nru mailman-2.1.16/debian/changelog mailman-2.1.16/debian/changelog
--- mailman-2.1.16/debian/changelog 2014-02-03 14:01:47.0 +0100
+++ mailman-2.1.16/debian/changelog 2014-03-30 16:44:58.0 +0200
@@ -1,3 +1,12 @@
+mailman (1:2.1.16-3~fix603904.1) UNRELEASED; urgency=medium
+
+  * debian/rules:
++ fix ownership on /var/lib/mailman/archives/private as upstream
+  suggests, also reflecting group ownership for public archives
+  (Closes: #603904).
+
+ -- Luca Capello   Sun, 30 Mar 2014 16:44:58 +0200
+
 mailman (1:2.1.16-2) unstable; urgency=medium
 
   * Upload to unstable, as requested by Thijs; we did not encounter
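Review bot: the changelog entry only describes the ownership fix in debian/rules, which affects the directory as shipped in the package; it says nothing about installations that already have the old layout. The listing earlier in this message shows subdirectories created by the web UI as www-data:www-data (test, test.mbox) and by postinst as root:www-data (mailman, mailman.mbox), and the manual fix in the same message needed `chgrp -R list /var/lib/mailman/archives/private/` on top of the chown. Either add a postinst step (or a NEWS.Debian note) for upgrades, or say in the changelog that existing archive trees still have to be re-grouped by hand.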
diff -Nru mailman-2.1.16/debian/rules mailman-2.1.16/debian/rules
--- mailman-2.1.16/debian/rules 2014-02-03 13:47:42.0 +0100
+++ mailman-2.1.16/debian/rules 2014-03-30 17:18:22.0 +0200
@@ -179,7 +179,7 @@
debian/mailman/usr/lib/$(package)/Mailman/Cgi/*
 
chmod o-rx debian/mailman/var/lib/$(package)/archives/pr
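Review bot: the hunk is cut off after the `chmod o-rx debian/mailman/var/lib/$(package)/archives/pr` context line, so the one changed line the diffstat reports for debian/rules cannot be reviewed here; the changelog says the intent is www-data:list on archives/private. Whatever the final line is, keep the existing `chmod o-rx` and set the owner to www-data on the directory itself: with www-data as owner the web server traverses the directory through the owner bits while `list` keeps write access through the setgid group bits, which is exactly the `drwxrws--- www-data list` layout quoted at the top of this message.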

Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2014-03-08 Thread beuc
I confirm the problem.  FYI here's the permissions at Gna(.org) that
have been working for at least 2 years, more likely 10:

  drwxrws--- 4065 www-data list 139264 Mar  8 17:30 /var/lib/mailman/archives/private/

Easy enough? :)

-- 
Sylvain


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#603904: [Pkg-mailman-hackers] Bug#603904: Bug#603904: Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-23 Thread Thorsten Glaser
On Sun, 22 Jul 2012, Thijs Kinkhorst wrote:

> Indeed this entire bug stems from the conflict that there is between the
> need of Mailman to write to that directory (as list), and for Mailman (as
> www-data) to be able to read it.

How about we add a second group and patch upstream sources
to use that group in check_perms for the archive related
things, and add the list user and possibly the www-data
user to that automatically? (Ouch. More work. And upstream
isn’t going to like us poking around in mailman2 either.)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke





Bug#603904: [Pkg-mailman-hackers] Bug#603904: Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-22 Thread Thijs Kinkhorst
On Wed, July 18, 2012 14:09, Thorsten Glaser wrote:
>> This means that any (php/perl/python) script running with the webserver
>> privileges can potentially read/write to /var/lib/mailman/data .
>
> Hrm. So does the other way: mailman can read/write apache's stuff.
> It may not be quite that big an attack surface, but... *shrug*
>
> I think fix_perms -f should be run in postinst, once. And if we
> want to adopt your way round, fix_perms must be fixed... gah.

Well, I don't think we must run check_perms -f at all, we need to install
things in the way we think the permissions are correct, not run some
script later to change them.

Indeed this entire bug stems from the conflict that there is between the
need of Mailman to write to that directory (as list), and for Mailman (as
www-data) to be able to read it.

In any case it will be necessary for the www-data user to gain permission
to read the archives. Afterall, there's no other way to make private
archives work. The concept that on a shared host with Apache using
www-data different apps can read eachother's data must be considered known
to the admin - this goes for any web app you install in such a scenario.


Cheers,
Thijs


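The conflict Thijs describes (qrunner writes as `list`, the CGIs read and create directories as `www-data`) and the four private-archive layouts tried in this thread can be replayed with the POSIX permission rules alone. The following is an added example, not Mailman's own code and not from the bug report: it implements the owner/group/other decision and the group inheritance of a setgid directory, then evaluates each layout for the three operations that fail or succeed in the reports above. User and group names stand in for numeric ids, and the 0o002 umask is an assumption chosen to match the drwxrwsr-x subdirectories in Luca Capello's listing.

```python
"""Replay the Unix DAC decisions behind Debian bug #603904.

Added example, not Mailman's code and not from the bug thread. It encodes
the POSIX owner/group/other rule and setgid-directory group inheritance,
then replays the archives/private layouts discussed in the thread to show
which process is denied where: qrunner runs as 'list', the CGIs as
'www-data'. Names stand in for uid/gid; the 0o002 umask is an assumption
matching the drwxrwsr-x subdirectories in the listing.
"""
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits inside one rwx triple

# Constructed stock-install membership: every user only in its own group.
STOCK = {"root": {"root"}, "list": {"list"}, "www-data": {"www-data"}}


@dataclass
class Entry:
    path: str
    owner: str
    group: str
    mode: int  # permission bits incl. setgid, e.g. 0o2770 == drwxrws---


def can(entry, user, want, membership):
    """POSIX DAC: owner bits if the uid matches, else group bits if any of
    the user's groups match, else other bits; exactly one triple is used.
    root is let through (CAP_DAC_OVERRIDE)."""
    if user == "root":
        return True
    if entry.owner == user:
        triple = entry.mode >> 6
    elif entry.group in membership[user]:
        triple = entry.mode >> 3
    else:
        triple = entry.mode
    return triple & want == want


def mkdir_in(parent, user, name, membership, umask=0o002):
    """mkdir(2) as the kernel does it: the caller needs w+x on the parent;
    the new directory is owned by the caller and, when the parent is setgid,
    inherits the parent's group and the setgid bit. Returns None if denied."""
    if not can(parent, user, W | X, membership):
        return None
    if parent.mode & stat.S_ISGID:
        group, mode = parent.group, (0o777 & ~umask) | stat.S_ISGID
    else:
        group, mode = user, 0o777 & ~umask  # primary group named like user
    return Entry(f"{parent.path}/{name}", user, group, mode)


def scenario(owner, group, membership=STOCK):
    """archives/private owned owner:group with mode drwxrws--- (0o2770).
    web_traverse:         can Apache follow public/test -> private/test?
    web_creates:          can the list-creation CGI (www-data) mkdir test.mbox?
    qrunner_appends_web:  can 'list' append inside a CGI-created test.mbox?
    qrunner_appends_root: same, inside a test.mbox created by root (newlist)."""
    private = Entry("/var/lib/mailman/archives/private", owner, group, 0o2770)
    by_web = mkdir_in(private, "www-data", "test.mbox", membership)
    by_root = mkdir_in(private, "root", "test.mbox", membership)
    return {
        "web_traverse": can(private, "www-data", X, membership),
        "web_creates": by_web is not None,
        "qrunner_appends_web": by_web is not None
        and can(by_web, "list", W | X, membership),
        "qrunner_appends_root": can(by_root, "list", W | X, membership),
    }


def all_layouts():
    """The four layouts that come up in the thread."""
    list_in_www = {**STOCK, "list": {"list", "www-data"}}
    return {
        "debian default list:www-data": scenario("list", "www-data"),
        "default + adduser list www-data": scenario("list", "www-data", list_in_www),
        "check_perms -f list:list": scenario("list", "list"),
        "upstream www-data:list": scenario("www-data", "list"),
    }


if __name__ == "__main__":
    for name, result in all_layouts().items():
        print(f"{name:32s} {result}")
```

The output reproduces the thread: the Debian default lets the web side work but denies `list` inside every subdirectory, because setgid hands those subdirectories the www-data group and `list` is left with the other bits; `check_perms -f` inverts the problem by locking www-data out of the top directory; adding `list` to www-data works but only by giving the qrunner the web server's group everywhere; www-data:list with drwxrws--- satisfies all four checks with the owner bits serving Apache and the group bits serving qrunner.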



Bug#603904: [Pkg-mailman-hackers] Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-18 Thread Thorsten Glaser
On Wed, 18 Jul 2012, Luca Gibelli wrote:

> If you run fix_perms -f as you suggested, the dir is chgrp'ed to "list" 
> and then indeed you need to add the user "www-data" to the group "list" 
> to make the private archive work.

Hum yes, but that’s how upstream does it.

> This means that any (php/perl/python) script running with the webserver 
> privileges can potentially read/write to /var/lib/mailman/data .

Hrm. So does the other way: mailman can read/write apache’s stuff.
It may not be quite that big an attack surface, but… *shrug*

I think fix_perms -f should be run in postinst, once. And if we
want to adopt your way round, fix_perms must be fixed… gah.

Thijs, any idea?

Thanks,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke





Bug#603904: [Pkg-mailman-hackers] Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-18 Thread Luca Gibelli
> > but if you chgrp the dir to "list", then the webserver cannot access it
> > any longer, because its permissions are drwxrws---.
> Yes, that’s correct. If you want that,
>   sudo adduser www-data list
> not the other way round though.

By default, after installing mailman on debian wheezy, the dir is
chgrp'ed to www-data, that's why I suggested to add the user "list" 
to the "www-data" group, not the other way around.

This looks like the safest option to me.

If you run fix_perms -f as you suggested, the dir is chgrp'ed to "list" 
and then indeed you need to add the user "www-data" to the group "list" 
to make the private archive work.
This means that any (php/perl/python) script running with the webserver 
privileges can potentially read/write to /var/lib/mailman/data .
Good luck with that.

CiauZ!

-- 
Luca 'NERvOus' Gibelli (nerv...@nervous.it || b...@oltrelinux.com)
Home Page: http://www.nervous.it

BOFH excuse 4063:
 * A plumber is needed, the network drain is clogged





Bug#603904: [Pkg-mailman-hackers] Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-18 Thread Thorsten Glaser
On Wed, 18 Jul 2012, Luca Gibelli wrote:

> but if you chgrp the dir to "list", then the webserver cannot access it
> any longer, because its permissions are drwxrws---.

Yes, that’s correct. If you want that,
sudo adduser www-data list
not the other way round though.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke





Bug#603904: [Pkg-mailman-hackers] Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-18 Thread Luca Gibelli
> > This way mailman (running as "list") can write to
> > /var/lib/mailman/archive which is owned by group "www-data".
> Hrm, how about /usr/lib/mailman/bin/check_perms instead?

check_perms tells me:

/var/lib/mailman/archives/private bad group (has: www-data, expected list)

but if you chgrp the dir to "list", then the webserver cannot access it
any longer, because its permissions are drwxrws---.

CiauZ!


-- 
Luca 'NERvOus' Gibelli (nerv...@nervous.it || b...@oltrelinux.com)
Home Page: http://www.nervous.it

BOFH excuse 4497:
 * Root name servers corrupted.





Bug#603904: [Pkg-mailman-hackers] Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-18 Thread Thorsten Glaser
On Tue, 17 Jul 2012, NERvOus wrote:

> This way mailman (running as "list") can write to
> /var/lib/mailman/archive which is owned by group "www-data".

Hrm, how about /usr/lib/mailman/bin/check_perms instead?

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke





Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-17 Thread NERvOus
Package: mailman
Version: 1:2.1.15-1
Followup-For: Bug #603904

I confirm this problem is still happening on wheezy.
It only affects private archives.
The easy solution is to add the user "list" to the "www-data" group:

adduser list www-data
/etc/init.d/mailman restart

This way mailman (running as "list") can write to
/var/lib/mailman/archive which is owned by group "www-data".

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages mailman depends on:
ii  apache2  2.2.22-1
ii  apache2-mpm-prefork [httpd]  2.2.22-1
ii  cron 3.0pl1-121
ii  debconf [debconf-2.0]1.5.41
ii  libc62.13-27
ii  logrotate3.8.1-1
ii  lsb-base 3.2-28.1
ii  pwgen2.06-1+b2
ii  python   2.7.2-10
ii  ucf  3.0025+nmu2

Versions of packages mailman recommends:
ii  postfix [mail-transport-agent]  2.8.7-1

Versions of packages mailman suggests:
pn  listadmin 
ii  lynx  2.8.8dev.12-2
pn  spamassassin  

-- debconf information:
* mailman/site_languages: en
  mailman/queue_files_present: abort installation
* mailman/used_languages:
* mailman/default_server_language: en
* mailman/create_site_list:





Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-07-02 Thread Olivier Berger
Package: mailman
Version: 1:2.1.15-1
Followup-For: Bug #603904

Same here.

It would be great to have this fixed in time for wheezy.

Many thanks in advance.

Best regards,

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mailman depends on:
ii  apache2  2.2.22-9
ii  apache2-mpm-prefork [httpd]  2.2.22-9
ii  cron 3.0pl1-121
ii  debconf [debconf-2.0]1.5.44
ii  libc62.13-33
ii  logrotate3.8.1-4
ii  lsb-base 4.1+Debian7
ii  pwgen2.06-1+b2
ii  python   2.7.3~rc2-1
ii  ucf  3.0025+nmu3

Versions of packages mailman recommends:
ii  exim4  4.80-3
ii  exim4-daemon-heavy [mail-transport-agent]  4.80-3

Versions of packages mailman suggests:
pn  listadmin 
pn  lynx  
pn  spamassassin  

-- debconf information:
  mailman/queue_files_present: abort installation
* mailman/default_server_language: en
* mailman/site_languages: en
* mailman/used_languages: en
* mailman/create_site_list:






Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2012-01-07 Thread Yubao Liu

I also encounter this issue,  I sent an email to pkg-mailman-hackers@
but it's flooded by spams:
http://lists.alioth.debian.org/pipermail/pkg-mailman-hackers/2011-December/003877.html

It's said the permission is fixed[1], but it's not: currently
"/var/lib/mailman/archives/private/" is owned by "list:www-data", it
should be "www-data:list", so mailman service's qrunner can read/write
child directories created by mailman web UI.

[1] 
http://packages.debian.org/changelogs/pool/main/m/mailman/mailman_2.1.14-3/changelog#version1:2.1.13-4


Regards,
Yubao Liu






Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

2010-11-18 Thread Schoepflin, Markus
Package: mailman
Version: 1:2.1.13-4.1
Severity: important


After a fresh install of mailman, permissions on directories are wrong,
bin/check_perms reports 93 problems.

This breaks archiving:

---%<---
Nov 18 10:56:06 2010 (26393) Archive file access failure: /var/lib/mailman/archives/private/test.mbox/test.mbox [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test.mbox/test.mbox'
Nov 18 10:56:06 2010 (26393) Uncaught runner exception: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test.mbox/test.mbox'
Nov 18 10:56:06 2010 (26393) Traceback (most recent call last):
  File "/var/lib/mailman/Mailman/Queue/Runner.py", line 120, in _oneloop
    self._onefile(msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/Runner.py", line 191, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/ArchRunner.py", line 73, in _dispose
    mlist.ArchiveMail(msg)
  File "/var/lib/mailman/Mailman/Archiver/Archiver.py", line 198, in ArchiveMail
    self.__archive_to_mbox(msg)
  File "/var/lib/mailman/Mailman/Archiver/Archiver.py", line 167, in __archive_to_mbox
    mbox = self.__archive_file(afn)
  File "/var/lib/mailman/Mailman/Archiver/Archiver.py", line 155, in __archive_file
    return Mailbox.Mailbox(open(afn, 'a+'))
IOError: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test.mbox/test.mbox'

Nov 18 10:56:06 2010 (26393) SHUNTING: 1290074144.429549+71b2d77d671432aa649fc260f9517c9bb0ec0ac2
--->%---

Googling around, I found this:
http://forums.debian.net/viewtopic.php?f=10&t=53941&start=0. But I don't
think a bug report has been raised yet.

Running check_perms -f (as root) gets the number of reported problems
down to 10.

As a result, running "sudo bin/unshunt" now works and the mbox file is
created, and running "sudo -u list bin/arch test" reports success.

But now access to the list archives doesn't work any more, as now apache
is unable to access archives/public/test which links to
archives/private/test and apache is not able to access archives/private:

/var/lib/mailman/archives> ls -l
total 8
drwxrws--- 6 list list 4096 Nov 18 10:55 private
drwxrwsr-x 2 root list 4096 Nov 18 10:55 public


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages mailman depends on:
ii  apache2                 2.2.16-3         Apache HTTP Server metapackage
ii  apache2-mpm-prefork [ht 2.2.16-3         Apache HTTP Server - traditional n
ii  cron                    3.0pl1-115       process scheduling daemon
ii  debconf [debconf-2.0]   1.5.36           Debian configuration management sy
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  logrotate               3.7.8-6          Log rotation utility
ii  lsb-base                3.2-23.1         Linux Standard Base 3.2 init scrip
ii  postfix [mail-transport 2.7.1-1          High-performance mail transport ag
ii  pwgen                   2.06-1+b1        Automatic Password generation
ii  python                  2.6.6-3+squeeze1 interactive high-level object-orie
ii  python-support          1.0.10           automated rebuilding support for P
ii  ucf                     3.0025+nmu1      Update Configuration File: preserv

mailman recommends no packages.

Versions of packages mailman suggests:
pn  listadmin               (no description available)
ii  lynx                    2.8.8dev.5-1     Text-mode WWW Browser (transitiona
pn  spamassassin            (no description available)

-- debconf information:
  mailman/gate_news: false
* mailman/site_languages: en
  mailman/queue_files_present: abort installation
* mailman/used_languages:
* mailman/default_server_language: en
* mailman/create_site_list:


