Bug 251187

Summary: Fedora 7's mailman and httpd binaries cannot work together
Product: [Fedora] Fedora Reporter: Stephen Winnall <steve>
Component: mailmanAssignee: Tomas Smetana <tsmetana>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 7   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-23 06:14:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Stephen Winnall 2007-08-07 17:04:00 UTC 
Description of problem:

mailman-21.1.9-5
httpd-2.2.4-4.1

Mailman needs to run some wrappers as CGIs with setgid. These wrappers expect to be run in the 
group "apache".

Httpd uses suexec to run CGIs with setgid. suexec -V gives the following output:

 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

It can be seen that the minimum permissible UID and GID for a CGI with setuid/setgid is 500 and 100 
respectively. The group "apache" required by mailman has UID 48.

Since the group "apache" is hard-coded in mailman and the permissible UIDs and GIDs are hard-coded 
in httpd, these can never work together.
Comment 1 Tomas Smetana 2007-08-08 07:41:28 UTC 
I probably don't understand what do you mean by "cannot work together". They
obviously do. Or do you want to run Mailman in a virtual host using SuExec? This
is the thing that is not solved too well even in the upstream Mailman AFAIK, and
requires Mailman to be installed somewhere under suexec_docroot. I really don't
understand what you expect me to do.
Comment 2 Stephen Winnall 2007-08-08 10:37:36 UTC 
Sorry, I was not precise enough.

Yes, I was trying to run Mailman in a virtual host using suexec. I haven't tried any other variant because 
it wouldn't fit my needs. I need to store my mail archives privately.

I'm not sure if this is a Mailman or an Apache HTTPD issue. I tried using Mailman and Apache straight 
out of the box, and everything worked except web access to (private) mail archives. Running 
"check_perms -f" didn't help. Access to public archives (which I can't use) worked OK.

I therefore assumed that I had to use suexec. I got quite a long way down the line, but failed in the end 
because of the reasons given in the original posting. I put all of /var/lib/mailman and also 
/usr/lib/mailman/cgi-bin under suexec_docroot (/var/www) and created a soft link from 
/usr/lib/mailman/cgi-bin to /var/www/mailman/cgi-bin.

This put me into the situation where Mailman was expecting its wrappers to be run in group apache 
(GID 48). But suexec will only accept groups >= 100. I tried making group apache = 101 system-wide, 
but then suexec didn't work.

It seems to me that there are two possible ways of solving this:

1) the user apache and group apache need to be given values >= 500 and >= 100 respectively; OR
2) Mailman needs to be compiled with a different user/group (>=500, >=100) for its wrappers (but 
then suexec would have to be built with these too).

Obviously, I could download the source and hack this myself; but I'd like to be able to get updates with 
the minimum effort.

I hope this is a bit clearer: let me know if you need any more information.
Comment 3 Tomas Smetana 2007-08-22 11:23:27 UTC 
I think UIDs >= 500 were reserved for "ordinary" user accounts not for services
(therefore the hardcoded values in suexec) and any of the suggested changes
might be considered a security issue...  I'm really not sure how to help you.
Comment 4 Stephen Winnall 2007-08-22 21:27:41 UTC 
I've solved this issue for myself by not using Mailman any more, so I suggest we close the issue.

Steve