Out-of-order install instructions (permissions)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | Medium | Unassigned |
Bug Description
Quoting:
Warning: You want to be very sure
that the user id under which your
CGI scripts run is not in the
mailman group you created above,
otherwise private archives will
be accessible to anyone.
Problem #1: this is the first point in the
install instructions where this is so clearly
stated, far after the configure and make steps.
Yeah, sure, once upon a time we were supposed
to read all the instructions first before doing
anything, but more people will install and use
the software if you just put the steps in the
right order in the documentation. Lots of other
products manage to get this right.
Problem #2: HOW IS THIS ACCOMPLISHED? This
is important, right? Why not spend a few words
on making sure people get it right?
Problem #3: This looks like exactly the sort
of boring mechanical thing that a computer is
good at. Why is the human installer being
asked to check this?
[http://
Originator: NO
Problem #1 - It seems to me this is in the right place. It is under
'setting up your web server' which is where you configure the user under
which Mailman CGIs will run.
Problem #2 - Consult your web server documentation. Normally, your web
server is not running Mailman CGIs as the mailman user anyway unless you go
out of your way to make it do so.
Problem #3 - We have no idea what web server you are running or how to
find and parse its configuration file(s), so how can we check this
mechanically? We do check at run time in the CGI wrapper to be sure that
the wrapper is invoked with the group configured with --with-cgi-gid.
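
The membership check discussed in this report can be scripted once the CGI user's name is known. The following is an added example, not part of the bug report or of Mailman; the names `www-data`, `apache` and `mailman` and the sample files are assumptions. It reads passwd- and group-format files, so on systems that use LDAP or NIS feed it the output of `getent passwd` and `getent group` instead.

```shell
#!/bin/sh
# Added example. Assumed names: group "mailman", CGI users "www-data"/"apache".

# user_in_group USER GROUP [PASSWD_FILE] [GROUP_FILE]
# Returns 0 if USER is in GROUP (primary GID or supplementary list),
# 1 if not, 2 if USER or GROUP is not found in the files.
user_in_group() {
    user=$1; group=$2; passwd_file=${3:-/etc/passwd}; group_file=${4:-/etc/group}
    # group format: name:password:gid:member1,member2,...
    group_line=$(awk -F: -v g="$group" '$1 == g { print; exit }' "$group_file")
    [ -n "$group_line" ] || return 2
    gid=$(printf '%s\n' "$group_line" | cut -d: -f3)
    members=$(printf '%s\n' "$group_line" | cut -d: -f4)
    # passwd format: name:password:uid:gid:gecos:home:shell
    primary_gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    [ -n "$primary_gid" ] || return 2
    if [ "$primary_gid" = "$gid" ]; then return 0; fi
    # Exact match against the comma-separated member list.
    case ",$members," in *",$user,"*) return 0 ;; esac
    return 1
}

# Constructed sample files, not taken from a real system.
write_samples() {
    cat > "$1/passwd" <<'EOF'
mailman:x:38:38:Mailman:/var/lib/mailman:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
mail:x:8:www-data
mailman:x:38:apache,list
www-data:x:33:
apache:x:48:
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for u in www-data apache; do
    rc=0
    user_in_group "$u" mailman "$sample_dir/passwd" "$sample_dir/group" || rc=$?
    case $rc in
        0) echo "FAIL: $u is in group mailman" ;;
        1) echo "ok: $u is not in group mailman" ;;
        *) echo "cannot check $u: user or group not found" ;;
    esac
done
```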