Re: [Mailman-Users] alternative to setgid

2009-05-07 Thread Renee
Thanks for your responses.. Yesterday I finally figured out how to get the
nfs mount working properly and mailman is up and running on the new server!
Blame it on my lack of nfs expertise (I was trying to mount in an area where
the suid option was never going to work) and trying to work on this problem
without enough caffeine..

Renee


On Mon, May 4, 2009 at 11:16 PM, Brad Knowles b...@shub-internet.org wrote:

> on 5/4/09 5:44 PM, Mark Sapiro said:
>
>>> I have determined that mailman is being NFS mounted on the
>>> web server with the nosuid option and I can't for the life of me figure
>>> out how to make it mount with the suid option set..
>>
>> I don't know the answer to that, but my guess is that it will be easier
>> to find this answer than to work around it.
>
> That should be pretty simple.  Just remove the nosuid option from the
> list of mount options.
>
> If there is no nosuid option in your list of mount options, then the
> filesystem is being exported as nosuid by the fileserver, and you'll have
> to talk to the administrator of the fileserver to see if they will change
> that for you.
>
> --
> Brad Knowles
> b...@shub-internet.org
> LinkedIn Profile: http://tinyurl.com/y8kpxu
>
> If you like Jazz/R&B guitar, check out my friend bigsbytracks on YouTube at
> http://preview.tinyurl.com/bigsbytracks

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Users] alternative to setgid

2009-05-04 Thread Mark Sapiro
Renee wrote:

> I've set up a new mailman installation on a new Solaris 10 server.  I am
> attempting to share out the mailman directory via NFS to another Solaris 10
> server running apache for web maintenance purposes.  Theoretically, this
> should work, but I'm getting the dreaded "setuid execution not allowed"
> error on my web server when I try to go to /mailman/listinfo or
> /mailman/admin.  I have determined that mailman is being NFS mounted on the
> web server with the nosuid option and I can't for the life of me figure out
> how to make it mount with the suid option set..

I don't know the answer to that, but my guess is that it will be easier
to find this answer than to work around it.

> So.. I'm wondering if there is a way around the whole setgid permission deal
> with mailman?  I am not sure I really understand why it needs to be setgid
> and what would be the consequences of doing something alternative?

The CGI wrappers are SETGID because Mailman's security model is
entirely based on everything running with effective group 'mailman'
and that group having permissions.

> And, if
> I were to remove the setgid bits, how would I set the permissions
> appropriately for both best security and accessibility?


You might be able to 'mount' the NFS mailman tree on the web server
with the setuid= or setgid= option on the mount command to set the
user or group of the tree to be that of the web server. That way the
web server would be able to read and write the Mailman tree, but there
probably would be issues preventing this from working.

I.e., the first thing I foresee is when the web admin interface updates
a list, there is actually a creation of a config.pck.tmp.host.pid
followed by renames of config.pck to config.pck.last and
config.pck.tmp.host.pid to config.pck. Thus, the new config.pck might
wind up with user:group of the web server rendering it unusable by the
queue runners on the mail machine.

Even if it worked, you would open the possibility of the web server
having access to Mailman files without going through Mailman CGIs,
thus opening security holes.

-- 
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California

The highway is for gamblers,
better use your sense - B. Dylan

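A read-only check for the conditions discussed in this thread, added here as an example and not part of any poster's message or of Mailman itself: whether a CGI wrapper sits on a nosuid mount, lacks the setgid bit or is not in group 'mailman', and whether any config.pck file has ended up with a different group. The function names and the two command-line paths are hypothetical.

```python
# Added example: function names and CLI paths are hypothetical; group 'mailman' is from the thread.
import grp
import os
import stat
import sys

def group_name(gid):
    """Resolve a numeric gid to a group name, falling back to the number."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def diagnose(mode, group, nosuid, expected_group="mailman"):
    """Reasons a CGI wrapper would not run with the expected effective group."""
    findings = []
    if nosuid:
        findings.append("filesystem mounted nosuid")
    if not mode & stat.S_ISGID:
        findings.append("setgid bit not set")
    if group != expected_group:
        findings.append("group is %s, not %s" % (group, expected_group))
    return findings

def inspect_wrapper(path, expected_group="mailman"):
    """Collect mode, group and the nosuid mount flag for one wrapper on disk."""
    st = os.stat(path)
    nosuid = bool(os.statvfs(path).f_flag & os.ST_NOSUID)
    return diagnose(st.st_mode, group_name(st.st_gid), nosuid, expected_group)

def misowned_configs(lists_dir, expected_group="mailman"):
    """config.pck* files (including .last and .tmp.*) whose group differs."""
    bad = []
    for dirpath, _dirs, files in os.walk(lists_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith("config.pck") and group_name(os.stat(path).st_gid) != expected_group:
                bad.append(path)
    return sorted(bad)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_wrappers.py <cgi-bin dir> <lists dir>")
    cgi_dir, lists_dir = sys.argv[1:]
    for name in sorted(os.listdir(cgi_dir)):
        problems = inspect_wrapper(os.path.join(cgi_dir, name))
        print(name, "OK" if not problems else "; ".join(problems))
    for path in misowned_configs(lists_dir):
        print("not group mailman:", path)
```

Run it on the web server against the NFS-mounted tree; the nosuid flag it reports is the one in effect on that client's mount.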


Re: [Mailman-Users] alternative to setgid

2009-05-04 Thread Brad Knowles

on 5/4/09 5:44 PM, Mark Sapiro said:

>> I have determined that mailman is being NFS mounted on the
>> web server with the nosuid option and I can't for the life of me figure out
>> how to make it mount with the suid option set..
>
> I don't know the answer to that, but my guess is that it will be easier
> to find this answer than to work around it.

That should be pretty simple.  Just remove the nosuid option from the
list of mount options.

If there is no nosuid option in your list of mount options, then the
filesystem is being exported as nosuid by the fileserver, and you'll
have to talk to the administrator of the fileserver to see if they will
change that for you.

--
Brad Knowles
b...@shub-internet.org
LinkedIn Profile: http://tinyurl.com/y8kpxu

If you like Jazz/R&B guitar, check out my friend bigsbytracks on YouTube at
http://preview.tinyurl.com/bigsbytracks


[Mailman-Users] alternative to setgid

2009-05-02 Thread Renee
I've set up a new mailman installation on a new Solaris 10 server.  I am
attempting to share out the mailman directory via NFS to another Solaris 10
server running apache for web maintenance purposes.  Theoretically, this
should work, but I'm getting the dreaded "setuid execution not allowed"
error on my web server when I try to go to /mailman/listinfo or
/mailman/admin.  I have determined that mailman is being NFS mounted on the
web server with the nosuid option and I can't for the life of me figure out
how to make it mount with the suid option set..

So.. I'm wondering if there is a way around the whole setgid permission deal
with mailman?  I am not sure I really understand why it needs to be setgid
and what would be the consequences of doing something alternative?  And, if
I were to remove the setgid bits, how would I set the permissions
appropriately for both best security and accessibility?

Also, if anyone has any thoughts about the NFS problem, I'd appreciate the
input.  I feel like I'm overlooking something simple as I have another NFS
server that exports suid no problem, but I can't see the differences between
the way the two servers are set up.

Thanks, Renee