Red Hat Bugzilla – Bug 251187
Fedora 7's mailman and httpd binaries cannot work together
Last modified: 2007-11-30 17:12:12 EST
Description of problem:
Mailman needs to run some wrappers as CGIs with setgid. These wrappers expect to be run in the
Httpd uses suexec to run CGIs with setgid. suexec -V gives the following output:
It can be seen that the minimum permissible UID and GID for a CGI with setuid/setgid is 500 and 100
respectively. The group "apache" required by mailman has UID 48.
Since the group "apache" is hard-coded in mailman and the permissible UIDs and GIDs are hard-coded
in httpd, these can never work together.
I probably don't understand what do you mean by "cannot work together". They
obviously do. Or do you want to run Mailman in a virtual host using SuExec? This
is the thing that is not solved too well even in the upstream Mailman AFAIK, and
requires Mailman to be installed somewhere under suexec_docroot. I really don't
understand what you expect me to do.
Sorry, I was not precise enough.
Yes, I was trying to run Mailman in a virtual host using suexec. I haven't tried any other variant because
it wouldn't fit my needs. I need to store my mail archives privately.
I'm not sure if this is a Mailman or an Apache HTTPD issue. I tried using Mailman and Apache straight
out of the box, and everything worked except web access to (private) mail archives. Running
"check_perms -f" didn't help. Access to public archives (which I can't use) worked OK.
I therefore assumed that I had to use suexec. I got quite a long way down the line, but failed in the end
because of the reasons given in the original posting. I put all of /var/lib/mailman and also
/usr/lib/mailman/cgi-bin under suexec_docroot (/var/www) and created a soft link from
/usr/lib/mailman/cgi-bin to /var/www/mailman/cgi-bin.
This put me into the situation where Mailman was expecting its wrappers to be run in group apache
(GID 48). But suexec will only accept groups >= 100. I tried making group apache = 101 system-wide,
but then suexec didn't work.
It seems to me that there are two possible ways of solving this:
1) the user apache and group apache need to be given values >= 500 and >= 100 respectively; OR
2) Mailman needs to be compiled with a different user/group (>=500, >=100) for its wrappers (but
then suexec would have to be built with these too).
Obviously, I could download the source and hack this myself; but I'd like to be able to get updates with
the minimum effort.
I hope this is a bit clearer: let me know if you need any more information.
I think UIDs >= 500 were reserved for "ordinary" user accounts not for services
(therefore the hardcoded values in suexec) and any of the suggested changes
might be considered a security issue... I'm really not sure how to help you.
I've solved this issue for myself by not using Mailman any more, so I suggest we close the issue.