Bug 251187 - Fedora 7's mailman and httpd binaries cannot work together
Product: Fedora
Component: mailman
Platform: i386 Linux
Priority: low
Severity: medium
Assigned To: Tomas Smetana (Fedora Extras Quality Assurance)
Reported: 2007-08-07 13:04 EDT by Stephen Winnall
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-08-23 02:14:58 EDT
Doc Type: Bug Fix
Attachments: None
Description Stephen Winnall 2007-08-07 13:04:00 EDT
Description of problem:

Mailman needs to run some wrappers as CGIs with setgid. These wrappers expect to be run in the group "apache".

Httpd uses suexec to run CGIs with setgid. suexec -V gives the following output:

 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

It can be seen that the minimum permissible UID and GID for a CGI with setuid/setgid is 500 and 100 respectively. The group "apache" required by mailman has UID 48.

Since the group "apache" is hard-coded in mailman and the permissible UIDs and GIDs are hard-coded in httpd, these can never work together.
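As an added check that is not part of this bug report: a small POSIX shell script that parses the `suexec -V` output quoted above and reports whether suexec would accept a given uid/gid pair, reproducing the AP_UID_MIN / AP_GID_MIN refusal the reporter ran into. The `suexec -V` text is embedded as a constructed sample copied from the report; on a real host you would capture the output of the installed suexec binary instead.

```shell
#!/bin/sh
# Constructed sample: the `suexec -V` output quoted in the report.
# On a real host replace this with: SUEXEC_V="$(/usr/sbin/suexec -V 2>&1)"
SUEXEC_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"'

# suexec_setting NAME: print the value compiled into suexec for -D NAME,
# with surrounding double quotes stripped.
suexec_setting() {
    printf '%s\n' "$SUEXEC_V" | grep -- "-D $1=" | cut -d= -f2- | tr -d '"'
}

# suexec_allows UID GID: print "allowed" if suexec would run a CGI as this
# uid/gid pair, otherwise "denied" plus the reason. This mirrors the
# AP_UID_MIN / AP_GID_MIN checks suexec performs before exec'ing the target.
suexec_allows() {
    uid=$1
    gid=$2
    uid_min=$(suexec_setting AP_UID_MIN)
    gid_min=$(suexec_setting AP_GID_MIN)
    if [ "$uid" -lt "$uid_min" ]; then
        echo "denied: uid $uid < AP_UID_MIN $uid_min"
    elif [ "$gid" -lt "$gid_min" ]; then
        echo "denied: gid $gid < AP_GID_MIN $gid_min"
    else
        echo "allowed"
    fi
}

# The case from the report: the mailman wrappers are setgid to group
# "apache" (gid 48), which is below AP_GID_MIN even when the uid is in range.
suexec_allows 500 48
# A uid/gid pair that satisfies both compiled-in minimums.
suexec_allows 500 100
```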
Comment 1 Tomas Smetana 2007-08-08 03:41:28 EDT
I probably don't understand what you mean by "cannot work together". They obviously do. Or do you want to run Mailman in a virtual host using SuExec? This is the thing that is not solved too well even in the upstream Mailman AFAIK, and requires Mailman to be installed somewhere under suexec_docroot. I really don't understand what you expect me to do.
Comment 2 Stephen Winnall 2007-08-08 06:37:36 EDT
Sorry, I was not precise enough.

Yes, I was trying to run Mailman in a virtual host using suexec. I haven't tried any other variant because it wouldn't fit my needs. I need to store my mail archives privately.

I'm not sure if this is a Mailman or an Apache HTTPD issue. I tried using Mailman and Apache straight out of the box, and everything worked except web access to (private) mail archives. Running "check_perms -f" didn't help. Access to public archives (which I can't use) worked OK.

I therefore assumed that I had to use suexec. I got quite a long way down the line, but failed in the end because of the reasons given in the original posting. I put all of /var/lib/mailman and also /usr/lib/mailman/cgi-bin under suexec_docroot (/var/www) and created a soft link from /usr/lib/mailman/cgi-bin to /var/www/mailman/cgi-bin.

This put me into the situation where Mailman was expecting its wrappers to be run in group apache (GID 48). But suexec will only accept groups >= 100. I tried making group apache = 101 system-wide, but then suexec didn't work.

It seems to me that there are two possible ways of solving this:

1) the user apache and group apache need to be given values >= 500 and >= 100 respectively; OR
2) Mailman needs to be compiled with a different user/group (>=500, >=100) for its wrappers (but then suexec would have to be built with these too).

Obviously, I could download the source and hack this myself; but I'd like to be able to get updates with the minimum effort.

I hope this is a bit clearer: let me know if you need any more information.
Comment 3 Tomas Smetana 2007-08-22 07:23:27 EDT
I think UIDs >= 500 were reserved for "ordinary" user accounts, not for services (therefore the hardcoded values in suexec), and any of the suggested changes might be considered a security issue... I'm really not sure how to help you.
Comment 4 Stephen Winnall 2007-08-22 17:27:41 EDT
I've solved this issue for myself by not using Mailman any more, so I suggest we close the issue.