[Mailman-Users] Archive access Forbidden
Thank you in advance for replies.

The list is now working fine however access to the archive is blocked:

From: http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce

On line:
To see collection of prior postings to the list, visit the

clicking link for bps_comps_print_announce Archives goes to:
http://www.vizion2000.net/pipermail/bps_comps_print_announce/

with result:

Forbidden
You don't have permission to access /pipermail/bps_comps_print_announce/ on this server

Attempt to view archives from Topic Section of the mailing list administration page using link for Go to list archives also fails

Extract from httpd-error.log

[Tue Dec 29 12:50:12 2009] [error] [client 62.49.197.51] attempt to invoke directory as script: /usr/local/mailman/cgi-bin/
[Tue Dec 29 12:50:47 2009] [error] [client 62.49.197.51] Symbolic link not allowed or link target not accessible: /usr/local/mailman/archives/public/bps_comps_print_announce, referer: http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce

Extract from httpd.conf

ScriptAlias /mailman /usr/local/mailman/cgi-bin
<Directory /usr/local/mailman>
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /pipermail /usr/local/mailman/archives/public
<Directory /usr/local/mailman/archives/public>
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
</Directory>

dns1# pwd
/usr/local/mailman
dns1# ls -l
total 36
drwxrwsr-x 11 mailman mailman 2048 Dec 29 09:03 Mailman
drwxrwsr-x 4 www www 512 Dec 28 13:07 archives
drwxrwsr-x 2 root mailman 1024 Dec 28 13:07 bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cgi-bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cron
drwxrwsr-x 2 mailman mailman 512 Dec 28 15:54 data
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 icons
drwxrwsr-x 6 mailman mailman 512 Dec 28 15:45 lists
drwxrwsr-x 2 root mailman 512 Dec 29 14:00 locks
drwxrwsr-x 2 mailman mailman 512 Dec 29 09:04 logs
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 mail
drwxrwsr-x 37 root mailman 512 Dec 28 13:07 messages
drwxrwsr-x 5 root mailman 512 Dec 28 13:07 pythonlib
drwxrwsr-x 11 mailman mailman 512 Dec 28 15:54 qfiles
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 scripts
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 spam
drwxrwsr-x 38 root mailman 512 Dec 28 13:07 templates
drwxrwsr-x 4 root mailman 512 Dec 28 13:07 tests
dns1# cd archives
dns1# ls -l
total 4
drwxrws--- 10 www www 512 Dec 28 15:45 private
drwxrwsr-x 2 www www 512 Dec 28 15:46 public
dns1# cd private
dns1# ls -l
total 16
drwxrwsr-x 2 www www 512 Dec 19 17:58 bps_comp_print_chat
drwxrwsr-x 2 www www 512 Dec 19 17:58 bps_comp_print_chat.mbox
drwxrwsr-x 2 www www 512 Dec 19 17:57 bps_comp_print_reminders
drwxrwsr-x 2 www www 512 Dec 19 17:57 bps_comp_print_reminders.mbox
drwxrwsr-x 4 www www 512 Dec 29 03:27 bps_comps_print_announce
drwxrwsr-x 2 www www 512 Dec 28 15:54 bps_comps_print_announce.mbox
drwxrwsr-x 2 www www 512 Dec 28 15:45 mailman
drwxrwsr-x 2 www www 512 Dec 28 15:45 mailman.mbox
dns1# cd ../public
dns1# ls -l
total 0
lrwxr-xr-x 1 www www 55 Dec 19 17:58 bps_comp_print_chat -> /usr/local/mailman/archives/private/bps_comp_print_chat
lrwxr-xr-x 1 www www 60 Dec 19 17:57 bps_comp_print_reminders -> /usr/local/mailman/archives/private/bps_comp_print_reminders
lrwxr-xr-x 1 www www 60 Dec 19 17:56 bps_comps_print_announce -> /usr/local/mailman/archives/private/bps_comps_print_announce
dns1# cd /usr/local/mailman/archives/private/bps_comps_print_announce
dns1# ls -l
total 14
drwxrwsr-x 2 www www 512 Dec 28 15:54 2009-December
-rw-rw-r-- 1 www www 2870 Dec 28 15:54 2009-December.txt
-rw-rw-r-- 1 www www 1356 Dec 29 03:27 2009-December.txt.gz
drwxrws--- 2 www www 512 Dec 28 15:54 database
-rw-rw-r-- 1 www www 1110 Dec 28 15:54 index.html
-rw-rw---- 1 www www 870 Dec 28 15:54 pipermail.pck
dns1#

Thanks in advance

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Archive access Forbidden
David Southwell wrote:
> Thank you in advance for replies. The list is now working fine however access to the archive is blocked
[...]
> dns1# pwd
> /usr/local/mailman
> dns1# ls -l
> total 36
> drwxrwsr-x 11 mailman mailman 2048 Dec 29 09:03 Mailman
> drwxrwsr-x 4 www www 512 Dec 28 13:07 archives

This and everything subordinate to it needs to be group mailman.

> drwxrwsr-x 2 root mailman 1024 Dec 28 13:07 bin
> drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cgi-bin
> drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cron
> drwxrwsr-x 2 mailman mailman 512 Dec 28 15:54 data
> drwxrwsr-x 2 root mailman 512 Dec 28 13:07 icons
> drwxrwsr-x 6 mailman mailman 512 Dec 28 15:45 lists
> drwxrwsr-x 2 root mailman 512 Dec 29 14:00 locks
> drwxrwsr-x 2 mailman mailman 512 Dec 29 09:04 logs
> drwxrwsr-x 2 root mailman 512 Dec 28 13:07 mail
> drwxrwsr-x 37 root mailman 512 Dec 28 13:07 messages
> drwxrwsr-x 5 root mailman 512 Dec 28 13:07 pythonlib
> drwxrwsr-x 11 mailman mailman 512 Dec 28 15:54 qfiles
> drwxrwsr-x 2 root mailman 512 Dec 28 13:07 scripts
> drwxrwsr-x 2 root mailman 512 Dec 28 13:07 spam
> drwxrwsr-x 38 root mailman 512 Dec 28 13:07 templates
> drwxrwsr-x 4 root mailman 512 Dec 28 13:07 tests
> dns1# cd archives
> dns1# ls -l
> total 4
> drwxrws--- 10 www www 512 Dec 28 15:45 private

The owner of archives/private needs to be the user the web server runs as. I would think that would be 'www', but then I don't understand why public archive access doesn't work.

See http://www.list.org/mailman-install/node9.html for info on archives/private. Normally, it is o+x, but if not, it needs to be owned by the web server user but still group mailman.

check_perms should fix a lot of this, but you may also need to do

    chgrp -R mailman /usr/local/mailman/archives/

and possibly

    for d in `find /usr/local/mailman/archives/ -type d -print` ; do
        chmod g+s $d
    done

With the ownership and permissions you have here, Mailman shouldn't be able to even store anything in the archives.

--
Mark Sapiro m...@msapiro.net    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

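The directory-search rule behind the advice on archives/private in the reply above, as an added example that is not part of the original thread. The names can_search, chain, first_blocked and demo are hypothetical, the tree is constructed in a temporary directory, and ACLs and the root bypass are ignored.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Classic Unix check (no ACLs, no root bypass): owner, else group, else other."""
    if uid == st.st_uid:
        bit = stat.S_IXUSR
    else:
        bit = stat.S_IXGRP if st.st_gid in gids else stat.S_IXOTH
    return bool(st.st_mode & bit)

def chain(path, top):
    """Directories from top down to the resolved path, outermost first."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    dirs = [path]
    while path != top and path != os.path.dirname(path):
        path = os.path.dirname(path)
        dirs.append(path)
    return dirs[::-1]

def first_blocked(link, uid, gids, top="/"):
    """First directory uid/gids cannot search on the way to the link or its target."""
    parent = os.path.dirname(os.path.abspath(link))
    for d in chain(parent, top) + chain(link, top):
        if not can_search(os.stat(d), uid, gids):
            return d
    return None

def demo():
    """Constructed tree: public/demo_list is a symlink into private/, as in the thread."""
    top = tempfile.mkdtemp()
    target = os.path.join(top, "private", "demo_list")
    link = os.path.join(top, "public", "demo_list")
    os.makedirs(target)
    os.mkdir(os.path.dirname(link))
    os.symlink(target, link)
    for d in (top, os.path.dirname(link), target):
        os.chmod(d, 0o755)
    owner, stranger = os.getuid(), os.getuid() + 1   # stranger owns nothing here
    os.chmod(os.path.dirname(target), 0o770)         # like drwxrws--- in the listing
    closed = first_blocked(link, stranger, set(), top)
    as_owner = first_blocked(link, owner, set(), top)
    os.chmod(os.path.dirname(target), 0o771)         # add o+x
    opened = first_blocked(link, stranger, set(), top)
    return os.path.basename(closed), as_owner, opened

if __name__ == "__main__":
    print(demo())
```

On a real host, first_blocked would be called with the symlink under archives/public and the uid and group ids of the account the web server runs as.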
Re: [Mailman-Users] Archive access Forbidden
> -----Original Message-----
> From: mailman-users-bounces+s.watkins=nhm.ac...@python.org [mailto:mailman-users-bounces+s.watkins=nhm.ac...@python.org] On Behalf Of David Southwell
> Sent: 29 December 2009 15:04
> To: mailman-users@python.org
> Subject: [Mailman-Users] Archive access Forbidden
>
> with result:
>
> Forbidden
> You don't have permission to access /pipermail/bps_comps_print_announce/ on this server
>
> Attempt to view archives from Topic Section of the mailing list administration page using link for Go to list archives also fails
>
> Extract from httpd-error.log
>
> [Tue Dec 29 12:50:12 2009] [error] [client 62.49.197.51] attempt to invoke directory as script: /usr/local/mailman/cgi-bin/
> [Tue Dec 29 12:50:47 2009] [error] [client 62.49.197.51] Symbolic link not allowed or link target not accessible: /usr/local/mailman/archives/public/bps_comps_print_announce, referer: http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce
>
> Extract from httpd.conf
>
> ScriptAlias /mailman /usr/local/mailman/cgi-bin
> <Directory /usr/local/mailman>
>     Options FollowSymLinks ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
> ScriptAlias /pipermail /usr/local/mailman/archives/public
> <Directory /usr/local/mailman/archives/public>
>     Options FollowSymLinks ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     Options Indexes MultiViews
>     AddDefaultCharset Off
> </Directory>

Hi,

I'm guessing that the directory indexing mechanism of Apache is getting confused.

The line

    ScriptAlias /pipermail /usr/local/mailman/archives/public

tells apache that anything with a URI starting with /pipermail is a script, so Apache will take any call to that URI as a call for an executable.

Looking at my local setup I see that the only indexing material in the 'archive/public' subdirectories are the file index.html. So you have to configure Apache to look for index.html as the indexing mechanism within a script only directory.

Something like:

    <Directory /usr/local/mailman/archives/public>
        DirectoryIndex index.html
    </Directory>

should do the trick. Don't forget to restart Apache after adding that line.

HTH,
S Watkins

Re: [Mailman-Users] Archive access Forbidden
Steff Watkins wrote:
> I'm guessing that the directory indexing mechanism of Apache is getting confused.
>
> The line
>
>     ScriptAlias /pipermail /usr/local/mailman/archives/public
>
> tells apache that anything with a URI starting with /pipermail is a script, so Apache will take any call to that URI as a call for an executable.

Good catch! I missed that. It should be

    Alias /pipermail /usr/local/mailman/archives/public

not ScriptAlias.

--
Mark Sapiro m...@msapiro.net    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Re: [Mailman-Users] Archive access Forbidden
> Steff Watkins wrote:
> > I'm guessing that the directory indexing mechanism of Apache is getting confused.
> >
> > The line
> >
> >     ScriptAlias /pipermail /usr/local/mailman/archives/public
> >
> > tells apache that anything with a URI starting with /pipermail is a script, so Apache will take any call to that URI as a call for an executable.
>
> Good catch! I missed that. It should be
>
>     Alias /pipermail /usr/local/mailman/archives/public
>
> not ScriptAlias.

OK guys -- thank you everyone BUT BUT still no success

I changed the entries in httpd.conf and restarted the server but still get the same result.

As a matter of curiosity I tried http://www.vizion2000.net/pipermail which simply gave me a page

    Index of /pipermail
    . Parent Directory

Following the link Parent Directory took me to http://www.vizion2000.net/

So we know the Alias pipermail line in httpd.conf is being read but we still get no further.

It seems there must be something wrong with the httpd.conf so I am reposting it as it now stands:

    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be All, None, or any combination of the keywords:
    # Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /mailman /usr/local/mailman/cgi-bin
<Directory /usr/local/mailman>
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Alias /pipermail /usr/local/mailman/archives/public
<Directory /usr/local/mailman/archives/public/>
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
    DirectoryIndex index.html
</Directory>

Re: [Mailman-Users] Archive access Forbidden
> -----Original Message-----
> From: David Southwell [mailto:da...@vizion2000.net]
> Sent: 29 December 2009 16:23
> To: mailman-users@python.org
> Cc: Mark Sapiro; Steff Watkins
> Subject: Re: [Mailman-Users] Archive access Forbidden
>
> OK guys -- thank you everyone BUT BUT
>
> Alias /pipermail /usr/local/mailman/archives/public
> <Directory /usr/local/mailman/archives/public/>
>     Options FollowSymLinks ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     Options Indexes MultiViews
>     AddDefaultCharset Off
>     DirectoryIndex index.html
> </Directory>

Errm... suggestion... tidy up! :)

AFAIK Apache doesn't allow you to just sequentially add Options lines together. If I've read it correctly, the Options Indexes MultiViews would cancel the Options FollowSymLinks ExecCGI as it is a later instruction.. I could be wrong on that, been a while since I went grubbing around in Apache's mechanics.

My own setup for this looks like:

    Alias /pipermail/ /usr/local/mailman/archives/public/
    <Directory /usr/local/mailman/archives/public>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

No Indexes, no Multiviews and definitely No ExecCGI. Something just makes me feel queasy about making a web archive of a public mailing list in a way that it might be possible to have someone include a script in the mail that may have an ever so slight chance of executing. You're not running SSIs, are you?

Really, make life as easy as possible for yourself. K.I.S.S... Kiss It Simple, Sunshine! As simple as you can possibly get away with.

One other problem with this is that we only see the relevant part of the httpd.conf file. I am not knocking you for that, security minded people work on the idea of least-disclosed the better. Problem is that there may be a directive in some other part of the httpd.conf file which totally banjaxes your mailman setup.

Are you in a position to run a test instance of the webserver, say on something like port 8080 with a totally plain-vanilla stock httpd.conf file? You could then inject the mailman configuration into that and see what is needed to make it work. If you then inject those changes into your standard (port 80) httpd.conf and they still fail, you would at least know that there was some directive in the original webserver setup that was playing havoc with your mailman setup.

Regards,
S Watkins

Re: [Mailman-Users] Archive access Forbidden
Steff Watkins wrote:
> > From: David Southwell [mailto:da...@vizion2000.net]
> >
> > OK guys -- thank you everyone BUT BUT
> >
> > Alias /pipermail /usr/local/mailman/archives/public
> > <Directory /usr/local/mailman/archives/public/>
> >     Options FollowSymLinks ExecCGI
> >     AllowOverride None
> >     Order allow,deny
> >     Allow from all
> >     Options Indexes MultiViews
> >     AddDefaultCharset Off
> >     DirectoryIndex index.html
> > </Directory>
>
> Errm... suggestion... tidy up! :)
>
> AFAIK Apache doesn't allow you to just sequentially add Options lines together. If I've read it correctly, the Options Indexes MultiViews would cancel the Options FollowSymLinks ExecCGI as it is a later instruction.. I could be wrong on that, been a while since I went grubbing around in Apache's mechanics.

That is correct. You can add options with a + as in

    Options FollowSymLinks ExecCGI
    Options +Indexes +MultiViews

but without + to add or - to take away, the options will replace any prior options.

--
Mark Sapiro m...@msapiro.net    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

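The replacement rule for Options described above, applied to the block reposted earlier in this thread, as an added example (not code from the thread or from Apache). The names effective_options, review, POSTED_BLOCK, WITH_PLUS and MINIMAL are hypothetical; as simplifications, "All" is not expanded and a line mixing signed and bare options is rejected.

```python
def effective_options(directives, inherited=()):
    """Apply each Options line of one <Directory> block in order."""
    active = set(inherited)
    for line in directives:
        words = line.split()
        if not words or words[0].lower() != "options":
            continue                      # AllowOverride, Order, ... do not matter here
        args = words[1:]
        signed = [a[0] in "+-" for a in args]
        if any(signed) and not all(signed):
            raise ValueError("mixes signed and bare options: " + line)
        if not any(signed):
            active = set()                # a bare list replaces all prior options
        for arg in args:
            if arg.startswith("-"):
                active.discard(arg[1:])
            elif arg.lower() != "none":   # bare "None" just leaves the set empty
                active.add(arg.lstrip("+"))
    return active

def review(directives):
    """Flag what matters for a public archive reached through symlinks."""
    opts = effective_options(directives)
    findings = []
    if not opts & {"FollowSymLinks", "SymLinksIfOwnerMatch"}:
        findings.append("no-symlinks")    # archives/public/<list> links are refused
    if "ExecCGI" in opts:
        findings.append("execcgi")        # scripts may run from the archive tree
    if "Indexes" in opts:
        findings.append("indexes")        # directory listings are generated
    return findings

# The three variants quoted in the thread, one directive per entry.
POSTED_BLOCK = ["Options FollowSymLinks ExecCGI", "AllowOverride None",
                "Order allow,deny", "Allow from all", "Options Indexes MultiViews",
                "AddDefaultCharset Off", "DirectoryIndex index.html"]
WITH_PLUS = ["Options FollowSymLinks ExecCGI", "Options +Indexes +MultiViews"]
MINIMAL = ["Options FollowSymLinks", "AllowOverride None",
           "Order allow,deny", "Allow from all"]

if __name__ == "__main__":
    for name, block in (("posted", POSTED_BLOCK), ("with +", WITH_PLUS),
                        ("minimal", MINIMAL)):
        print(name, sorted(effective_options(block)), review(block))
```

For the posted block the effective set is Indexes and MultiViews only, which matches both the "Symbolic link not allowed" log entry and the "Index of /pipermail" page reported in the thread.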