|Summary:||Fedora 7's mailman and httpd binaries cannot work together|
|Product:||[Fedora] Fedora||Reporter:||Stephen Winnall <steve>|
|Component:||mailman||Assignee:||Tomas Smetana <tsmetana>|
|Status:||CLOSED CANTFIX||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2007-08-23 06:14:58 UTC||Type:||---|
Description Stephen Winnall 2007-08-07 17:04:00 UTC
Description of problem:

mailman-21.1.9-5
httpd-2.2.4-4.1

Mailman needs to run some wrappers as CGIs with setgid. These wrappers expect to be run in the group "apache". Httpd uses suexec to run CGIs with setgid. suexec -V gives the following output:

 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

It can be seen that the minimum permissible UID and GID for a CGI with setuid/setgid is 500 and 100 respectively. The group "apache" required by mailman has UID 48. Since the group "apache" is hard-coded in mailman and the permissible UIDs and GIDs are hard-coded in httpd, these can never work together.
Comment 1 Tomas Smetana 2007-08-08 07:41:28 UTC
I probably don't understand what you mean by "cannot work together". They obviously do. Or do you want to run Mailman in a virtual host using SuExec? This is the thing that is not solved too well even in the upstream Mailman AFAIK, and requires Mailman to be installed somewhere under suexec_docroot. I really don't understand what you expect me to do.
Comment 2 Stephen Winnall 2007-08-08 10:37:36 UTC
Sorry, I was not precise enough. Yes, I was trying to run Mailman in a virtual host using suexec. I haven't tried any other variant because it wouldn't fit my needs. I need to store my mail archives privately.

I'm not sure if this is a Mailman or an Apache HTTPD issue. I tried using Mailman and Apache straight out of the box, and everything worked except web access to (private) mail archives. Running "check_perms -f" didn't help. Access to public archives (which I can't use) worked OK.

I therefore assumed that I had to use suexec. I got quite a long way down the line, but failed in the end because of the reasons given in the original posting. I put all of /var/lib/mailman and also /usr/lib/mailman/cgi-bin under suexec_docroot (/var/www) and created a soft link from /usr/lib/mailman/cgi-bin to /var/www/mailman/cgi-bin. This put me into the situation where Mailman was expecting its wrappers to be run in group apache (GID 48). But suexec will only accept groups >= 100. I tried making group apache = 101 system-wide, but then suexec didn't work.

It seems to me that there are two possible ways of solving this:

1) the user apache and group apache need to be given values >= 500 and >= 100 respectively; OR
2) Mailman needs to be compiled with a different user/group (>=500, >=100) for its wrappers (but then suexec would have to be built with these too).

Obviously, I could download the source and hack this myself; but I'd like to be able to get updates with the minimum effort.

I hope this is a bit clearer: let me know if you need any more information.
Comment 3 Tomas Smetana 2007-08-22 11:23:27 UTC
I think UIDs >= 500 were reserved for "ordinary" user accounts, not for services (therefore the hardcoded values in suexec), and any of the suggested changes might be considered a security issue... I'm really not sure how to help you.
Comment 4 Stephen Winnall 2007-08-22 21:27:41 UTC
I've solved this issue for myself by not using Mailman any more, so I suggest we close the issue. Steve
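
The minimum-id comparison this thread turns on, as an added example (not part of the bug report and not code from mailman or httpd): shell functions that read AP_UID_MIN and AP_GID_MIN from the suexec -V output quoted in the description and test an id against them. The helper names suexec_setting, is_number and id_verdict are hypothetical.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not from mailman or httpd.
# SUEXEC_V is the `suexec -V` output quoted in the bug description.
SUEXEC_V='-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"'

# suexec_setting TEXT NAME: print the value of "-D NAME=value", quotes stripped.
suexec_setting() {
    printf '%s\n' "$1" |
        sed -n "s/^ *-D $2=\"\{0,1\}\([^\"]*\)\"\{0,1\} *\$/\1/p" |
        head -n 1
}

is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# id_verdict TEXT uid|gid VALUE: compare VALUE with the compiled-in minimum.
# Returns 0 if allowed, 1 if below the minimum, 2 if the input is unusable.
id_verdict() {
    case "$2" in
        uid) min=$(suexec_setting "$1" AP_UID_MIN) ;;
        gid) min=$(suexec_setting "$1" AP_GID_MIN) ;;
        *)   return 2 ;;
    esac
    is_number "$min" && is_number "$3" || return 2
    if [ "$3" -lt "$min" ]; then
        echo "forbidden: $2 $3 < minimum $min"
        return 1
    fi
    echo "allowed: $2 $3 >= minimum $min"
}

# GID 48 is group apache in the report; 101 is the value the reporter tried.
# Clearing the minimum is necessary, not sufficient: the thread reports that
# suexec still did not work with gid 101.
id_verdict "$SUEXEC_V" gid 48 || :
id_verdict "$SUEXEC_V" gid 101 || :
```

On a live host, pass the real suexec -V output and the ids of the target user and group in place of the values taken from the report.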