Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-02 Thread Robert Heller
At Thu, 1 Mar 2018 19:31:50 -0800 Mark Sapiro wrote:

> 
> On 03/01/2018 06:53 PM, Jesse B. Crawford wrote:
> > 
> > The one idea I've thought of so far is a chroot issue since parts of
> > Postfix run chrooted, but my understanding is that the 'local' delivery
> > is not run in a chroot, and checking the postfix master.cf bears this
> > out as it is marked 'n' in the chroot column. I can see from the
> > logs/bounces that the local delivery binary is the one that's invoking
> > mailman and encountering the error.
> 
> 
> Yes, and the documentation for 'local' is very clear that it will run
> the command as the user that owns the aliases.db file.
> 
> The only thing I can think of is that when Postfix invokes the
> /usr/local/mailman/mail/mailman command, the SETGID bit is not being
> honored for some reason, but even if that were the case it should be
> running as group mailman at that point anyway so the effective gid
> should be Mailman's in any case.
> 
> It clearly has something to do with Postfix being somehow different from
> everything else, but I'm at a loss to understand what that might be.
> 

One other thing to consider is SELinux...  If the SELinux context is set wrong, 
you might have this sort of problem.

-- 
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-01 Thread Mark Sapiro
On 03/01/2018 06:53 PM, Jesse B. Crawford wrote:
> 
> The one idea I've thought of so far is a chroot issue since parts of
> Postfix run chrooted, but my understanding is that the 'local' delivery
> is not run in a chroot, and checking the postfix master.cf bears this
> out as it is marked 'n' in the chroot column. I can see from the
> logs/bounces that the local delivery binary is the one that's invoking
> mailman and encountering the error.


Yes, and the documentation for 'local' is very clear that it will run
the command as the user that owns the aliases.db file.

The only thing I can think of is that when Postfix invokes the
/usr/local/mailman/mail/mailman command, the SETGID bit is not being
honored for some reason, but even if that were the case it should be
running as group mailman at that point anyway so the effective gid
should be Mailman's in any case.

It clearly has something to do with Postfix being somehow different from
everything else, but I'm at a loss to understand what that might be.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-01 Thread Jesse B. Crawford

On 2018-03-01 12:50, Mark Sapiro wrote:
> On 03/01/2018 11:22 AM, Jesse B. Crawford wrote:
>> Yes, I can create rules by hand fine including as the mailman user.
> 
> 
> ???
> 
> We're not talking about creating rules. We're talking about creating
> queue files in /usr/local/mailman/qfiles/in/

Sorry, this was a typo (or perhaps rather a brain-o). I mean files.

>> I've also checked the ownership and group on both aliases and the
>> virtual domain map. I'm still wondering if postfix might be using the
>> wrong user or group but I'm not sure how best to test that.
> 
> 
> Postfix pipes the mail to "/usr/local/mailman/mail/mailman post
> listname" as the user and primary group of the owner of the aliases.db
> file in which it finds the alias. Presumably, the group is correct or
> the wrapper at /usr/local/mailman/mail/mailman would be complaining of a
> group mismatch error, and presumably this wrapper is SETGID and
> Mailman's group so that it actually runs with Mailman's group as
> effective group.
> 
> Thus, the error is still a mystery to me assuming that Mailman's group
> can create files in /usr/local/mailman/qfiles/in/

Yes, I was thinking that the group must be correct since there is logic
to check that. I have also manually checked that the mailman group can
create files there.

> One thing you might check is whether Mailman can create queue entries.
> You might run as the mailman user, Mailman's
> 
> bin/inject -l LISTNAME /path/to/file/containing/test/message
> 
> This will create an entry in /usr/local/mailman/qfiles/in/ and Mailman's
> processing of this will remove that and make entries in
> /usr/local/mailman/qfiles/out/ and /usr/local/mailman/qfiles/archive/
> which will in turn be processed and removed. Does all this work?

This works fine, and in fact the injected test message is processed and
sent out properly. This was after su-ing to the mailman user, which is
only in group mailman. I've also tried from unrelated users that I
placed in the mailman group, and still had it succeed. I've also tried
running /usr/local/mailman/mail/mailman as Postfix and etc. and that's
succeeded. This seems to be something quite specific about how postfix
is invoking the script.

The one idea I've thought of so far is a chroot issue since parts of
Postfix run chrooted, but my understanding is that the 'local' delivery
is not run in a chroot, and checking the postfix master.cf bears this
out as it is marked 'n' in the chroot column. I can see from the
logs/bounces that the local delivery binary is the one that's invoking
mailman and encountering the error.


Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-01 Thread Mark Sapiro
On 03/01/2018 11:22 AM, Jesse B. Crawford wrote:
> Yes, I can create rules by hand fine including as the mailman user.


???

We're not talking about creating rules. We're talking about creating
queue files in /usr/local/mailman/qfiles/in/


> I've also checked the ownership and group on both aliases and the
> virtual domain map. I'm still wondering if postfix might be using the
> wrong user or group but I'm not sure how best to test that.


Postfix pipes the mail to "/usr/local/mailman/mail/mailman post
listname" as the user and primary group of the owner of the aliases.db
file in which it finds the alias. Presumably, the group is correct or
the wrapper at /usr/local/mailman/mail/mailman would be complaining of a
group mismatch error, and presumably this wrapper is SETGID and
Mailman's group so that it actually runs with Mailman's group as
effective group.

Thus, the error is still a mystery to me assuming that Mailman's group
can create files in /usr/local/mailman/qfiles/in/

One thing you might check is whether Mailman can create queue entries.
You might run as the mailman user, Mailman's

bin/inject -l LISTNAME /path/to/file/containing/test/message

This will create an entry in /usr/local/mailman/qfiles/in/ and Mailman's
processing of this will remove that and make entries in
/usr/local/mailman/qfiles/out/ and /usr/local/mailman/qfiles/archive/
which will in turn be processed and removed. Does all this work?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-01 Thread Jesse B. Crawford

Yes, I can create rules by hand fine including as the mailman user.

I've also checked the ownership and group on both aliases and the virtual 
domain map. I'm still wondering if postfix might be using the wrong user or 
group but I'm not sure how best to test that.



On March 1, 2018 11:49:01 AM Dimitri Maziuk wrote:

> On 03/01/2018 12:06 PM, Mark Sapiro wrote:
> 
> > The one thing you can check (I don't think check_perms checks it) is
> > mailman's aliases.db file MUST be owned by mailman. Postfix runs the
> > pipe as the user that owns the aliases.db file in which the pipe alias
> > is found. See DELIVERY RIGHTS in 'man local'.
> 
> I've seen disk/fs errors causing "read only filesystem", but then you
> get the same error creating a file in there by hand. Which I'm assuming
> is not the case here.
> 
> --
> Dimitri Maziuk
> Programmer/sysadmin
> BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu


Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-01 Thread Dimitri Maziuk
On 03/01/2018 12:06 PM, Mark Sapiro wrote:

> The one thing you can check (I don't think check_perms checks it) is
> mailman's aliases.db file MUST be owned by mailman. Postfix runs the
> pipe as the user that owns the aliases.db file in which the pipe alias
> is found. See DELIVERY RIGHTS in 'man local'.

I've seen disk/fs errors causing "read only filesystem", but then you
get the same error creating a file in there by hand. Which I'm assuming
is not the case here.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] 'Read-only file system' when processing posts

2018-03-01 Thread Mark Sapiro
On 02/28/2018 09:26 PM, Jesse B. Crawford wrote:
> 
> When I try to email to a list, the following error is produced:
...
>File "/usr/local/mailman/Mailman/Queue/Switchboard.py", line 136, in
> enqueue fp = open(tmpfile, 'w')
>  IOError: [Errno 30] Read-only file system:
> '/usr/local/mailman/qfiles/in/1519878645.717417+32700e28bfadb80bc2aa1db465be6ad2122f6a69.pck.tmp'


Normally that means the file system containing
/usr/local/mailman/qfiles/in/ is mounted read-only, but you probably
knew that.


> As far as other potential causes, selinux is disabled on this machine
> and the file system looks fine as far as space and inodes available.
> Plenty of other things are writing in var without trouble.


I was going to suggest SELinux, but you've already covered that.

The one thing you can check (I don't think check_perms checks it) is
mailman's aliases.db file MUST be owned by mailman. Postfix runs the
pipe as the user that owns the aliases.db file in which the pipe alias
is found. See DELIVERY RIGHTS in 'man local'.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
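
Added example, not part of any poster's message and not Mailman or Postfix code: a small shell helper that gathers the three facts this thread keeps returning to, namely who owns aliases.db, whether the wrapper is setgid with group mailman, and whether the mount holding the queue directory carries the `ro` option. The function names are hypothetical and every path is passed in as an argument.

```shell
#!/bin/sh
# Added example: read-only checks for the conditions discussed in the thread.
# All paths are arguments; nothing here is Mailman's or Postfix's own code.

# Print "user:group" owning a file (GNU stat first, BSD stat as fallback).
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Succeed only if the wrapper ($1) is setgid and its group is $2.
wrapper_ok() {
    [ -g "$1" ] || return 1
    [ "$(owner_of "$1" | cut -d: -f2)" = "$2" ]
}

# Print the mount options that apply to directory $1, using a mount table
# in /proc/mounts format ($2). The longest matching mount point wins.
mount_opts_for() {
    awk -v dir="$1" '
        { mp = $2
          if (mp == "/" || dir == mp || index(dir, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeed if "ro" is one of those options.
is_read_only() {
    case ",$(mount_opts_for "$1" "${2:-/proc/mounts}")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print one line per check. $1 = aliases.db, $2 = wrapper, $3 = queue dir.
report() {
    echo "running as:  $(id)"
    echo "aliases.db:  $(owner_of "$1")"
    if wrapper_ok "$2" mailman; then echo "wrapper:     setgid mailman"
    else echo "wrapper:     NOT setgid mailman"; fi
    if is_read_only "$3"; then echo "queue dir:   mounted read-only"
    else echo "queue dir:   writable mount ($(mount_opts_for "$3"))"; fi
}
```

The mount table a process sees can differ from the one a login shell sees, so the output is most useful when `report` runs in the same context as the failing delivery.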