Re: [Mailman-Users] Run mailman web interface as another user

2011-03-25 Thread Adam McGreggor
On Thu, Mar 24, 2011 at 12:46:49PM -0700, Mark Sapiro wrote:
> If you install Mailman from source, you can set the expected group with
> the --with-cgi-gid= option to configure. Debian/Ubuntu may or may not
> provide a package specific way to do this for their Mailman package.

apt-get source mailman (but do read the apt-get(8) manpage); I think
both recent XSS fixes are now in the packaged version.

> If your hosts all have their own Mailman installation or at least
> their own set of cgi-bin wrappers, you should be able to get the
> wrappers to accept whatever group you want, but I don't know
> specifically how this would be done in the Debian/Ubuntu package.

Defining the group and building should work, ISTR.


-- 
See, you always knew where you were with a public-school traitor.
 Just look for the 16 year old pipe-smoking sodomite with a copy 
 of EM Forster under his arm 
[ spooks ] s2, ep3
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


[Mailman-Users] Run mailman web interface as another user

2011-03-24 Thread Néstor Díaz Valencia
Hi,

I think this may have shown up several times, but it looks like I can't
find a definitive reason why the Mailman web interface cannot be run as
another user, other than www-data.

In this case it is an Ubuntu 10.04 system and we are deploying a server
where each host is inside a user, apache is serving the host with that
user identity and a proxy properly redirects requests.

So, the mailman web interface should be served by apache as user mymailman
and the scripts report that this is not possible; we must use www-data.

Anybody in the same situation?

Thanks in advance,
Néstor


Re: [Mailman-Users] Run mailman web interface as another user

2011-03-24 Thread Mark Sapiro
Néstor Díaz Valencia wrote:

> I think this may have shown up several times, but it looks like I can't
> find a definitive reason why the Mailman web interface cannot be run as
> another user, other than www-data.
>
> In this case it is an Ubuntu 10.04 system and we are deploying a server
> where each host is inside a user, apache is serving the host with that
> user identity and a proxy properly redirects requests.
>
> So, the mailman web interface should be served by apache as user mymailman
> and the scripts report that this is not possible; we must use www-data.



You are encountering a group mismatch error. See the FAQ at
http://wiki.list.org/x/tYA9 for a more detailed explanation.

Basically, the Mailman CGI web interface makes use of compiled binary
wrappers in Mailman's cgi-bin directory which are group 'mailman' and
SETGID so that the various CGI scripts run with effective group
mailman. As a security measure, these wrappers are compiled to expect
to be invoked by a process with a specific group id, in your case
www-data, and will not run if invoked with a different group.

If you install Mailman from source, you can set the expected group with
the --with-cgi-gid= option to configure. Debian/Ubuntu may or may not
provide a package specific way to do this for their Mailman package.

The bottom line is for a single set of Mailman cgi-bin wrappers, they
must always be invoked as the same group, but for standard GNU Mailman
at least, that can be any group you want.

One possible workaround for you is to set the primary group for your
mymailman user(s) to www-data.

If your hosts all have their own Mailman installation or at least
their own set of cgi-bin wrappers, you should be able to get the
wrappers to accept whatever group you want, but I don't know
specifically how this would be done in the Debian/Ubuntu package.

-- 
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
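
The caller-group check described in the message above, sketched as an added example; it is not Mailman's wrapper source and not part of the original thread. `EXPECTED_CGI_GROUP` and `caller_group_ok` are hypothetical names standing in for the build-time group setting and the wrapper's check.

```c
/* Added illustration, not Mailman source. EXPECTED_CGI_GROUP stands in for
 * the group fixed at build time (the --with-cgi-gid= option in the thread). */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef EXPECTED_CGI_GROUP
#define EXPECTED_CGI_GROUP "www-data"   /* assumed value, as in the thread */
#endif

/* Returns 1 if caller_gid is the gid of expected_group, 0 on mismatch,
 * -1 if expected_group does not exist on this host. */
int caller_group_ok(gid_t caller_gid, const char *expected_group)
{
    struct group *gr = getgrnam(expected_group);
    if (gr == NULL)
        return -1;
    return gr->gr_gid == caller_gid ? 1 : 0;
}

int main(void)
{
    /* In a setgid binary the effective gid becomes the file's group
     * ("mailman" in the thread), while the real gid is still the group
     * of the invoking process, i.e. the web server's primary group. */
    gid_t real = getgid();
    gid_t effective = getegid();

    /* Only the real gid is compared here, so supplementary group
     * membership of the invoking user does not satisfy this check. */
    if (caller_group_ok(real, EXPECTED_CGI_GROUP) != 1) {
        fprintf(stderr,
                "group mismatch: invoked with gid %lu, expected group \"%s\"\n",
                (unsigned long)real, EXPECTED_CGI_GROUP);
        return 1;   /* fail closed: unknown group or wrong caller */
    }

    printf("caller gid %lu accepted, continuing with effective gid %lu\n",
           (unsigned long)real, (unsigned long)effective);
    return 0;
}
```

Building with `-DEXPECTED_CGI_GROUP='"mymailman"'` mirrors setting a different expected group at configure time: each compiled wrapper accepts exactly one invoking group.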
