Private Archive Permissions Are Incorrect

Bug #543148 reported by Andre Naef on 2010-03-21
This bug affects 6 people
Affects: mailman (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: mailman

This bug report is for:

Description: Ubuntu lucid (development branch)
Release: 10.04

mailman:
  Installed: 1:2.1.13-1
  Candidate: 1:2.1.13-1

It would appear that there is a permission problem for the directory /var/lib/mailman/archives/private:

drwxrws--- 8 root www-data 4096 2010-03-21 02:40 private

By default, this directory is created with group www-data. This prevents Mailman scripts from accessing the archive as these scripts are run with set group ID "list". As a result, nothing is written into the archive. A typical error from /var/log/mailman/error looks like this:

Mar 21 02:38:19 2010 (29405) Traceback (most recent call last):
  File "/var/lib/mailman/Mailman/Queue/Runner.py", line 120, in _oneloop
    self._onefile(msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/Runner.py", line 191, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/ArchRunner.py", line 73, in _dispose
    mlist.ArchiveMail(msg)
  File "/var/lib/mailman/Mailman/Archiver/Archiver.py", line 198, in ArchiveMail
    self.__archive_to_mbox(msg)
  File "/var/lib/mailman/Mailman/Archiver/Archiver.py", line 167, in __archive_to_mbox
    mbox = self.__archive_file(afn)
  File "/var/lib/mailman/Mailman/Archiver/Archiver.py", line 155, in __archive_file
    return Mailbox.Mailbox(open(afn, 'a+'))
IOError: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test.mbox/test.mbox'

Andre Naef (andre-naef) wrote :

To clarify, "Mailman scripts" refers to the Mailman CGI scripts. One use of these scripts is to moderate postings which in turn may cause a write into the archive when a posting is accepted.

Chuck Short (zulcss) wrote :

Are you using suexec?

Changed in mailman (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Andre Naef (andre-naef) wrote :

No. It is just the CGI scripts that have the sgid flag asserted.

Ketil Malde (ketil-ii) wrote :

What is the suggested workaround? 'sudo chmod list.list -R /var/lib/mailman/archives' ?

Changed in mailman (Ubuntu):
status: Incomplete → Confirmed
Attila Lendvai (attila-lendvai) wrote :

i have 1:2.1.13-4 on 10.10

$ ll -d /var/lib/mailman/archives/
drwxrwsr-x 4 root list 4096 2010-10-08 16:57 /var/lib/mailman/archives/

but the CGI scripts complain when it's *not* run with the 'www-data' group?! seems to be the opposite as in the original bug description with version 1:2.1.13-1.

it seemed to be logical to me to run the cgi scripts with list:list at first, and i was surprised to read the error that it needs to be www-data.

Attila Lendvai (attila-lendvai) wrote :

ignore my previous confusion about www-data and cgi-scripts: since then i got to know that the scripts are setgid list.

but this prints a ton of directories that have the wrong permission after installing the package:

$ sudo -u list -g list /usr/lib/mailman/bin/check_perms | less

to fix the permissions run:

$ sudo /usr/lib/mailman/bin/check_perms -f

(will keep on complaining for some symlinks, but it's safe to ignore, because it fixes the target but checks the symlinks themselves)

I can also confirm the problem on Ubuntu 10.04, where the archives directories are owned by root and so mailman can not write to them.

$ ls -al /var/lib/mailman/archives/
total 16
drwxrwsr-x 4 root list 4096 2011-04-01 16:58 .
drwxrwsr-x 8 root list 4096 2011-04-01 16:58 ..
drwxrws--- 2 root www-data 4096 2011-02-17 15:31 private
drwxrwsr-x 2 root list 4096 2011-02-17 15:31 public

Running 'sudo /usr/lib/mailman/bin/check_perms -f' fixes the permissions by changing them to list:list, but this needs to be done after each new mailing list is created.

Tom Browder (tbrowder) wrote :

I also confirm the bug exists on Ubuntu 10.04 LTS (Lucid Lynx), but I had to do this manually to get access to the archives via the mailman web interface:

  sudo chmod o+rx /var/lib/mailman/archives/private

And that was recommended by an experienced user on the mailman mailing list.

Note also that, for me, adding new lists did not then change the perms back to the erroneous ones. (I added a new list with the newlist command).

Bryan Richter (bryan-richter) wrote :

This affected me on 14.04, too. Luckily, after running this command, both existing lists and new lists had the right permissions:

    sudo chgrp -R list /var/lib/mailman/archives/private

Bryan Richter (bryan-richter) wrote :

Heh, after my last command, public archives were no longer available through apache. These *two* commands should fix everything up:

    sudo chgrp -R list /var/lib/mailman/archives/private
    sudo chown www-data /var/lib/mailman/archives/private

The fix, I think, would involve making sure /var/lib/mailman/archives/private is instantiated with www-data:list ownership, and rwxrws--- permissions.
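
Added illustration, not part of the bug thread or of Mailman's code: the sketch below applies the standard Unix owner/group/other selection to the `ls -l` line from the report and to the ownership proposed in the last comment, to show which identity loses access in each state. The `list:list` archiver identity, the `www-data:www-data` web server identity and the two constructed listing lines are assumptions.

```python
import re

# Directory line as printed by `ls -l`: mode string, link count, owner, group.
LS_LINE = re.compile(r"^d([rwxsStT-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s")

# Constructed identities (assumptions): user name and the groups the process holds.
IDENTITIES = {
    "archiver": ("list", {"list"}),
    "apache": ("www-data", {"www-data"}),
}

def parse_ls(line):
    """Return (nine-character permission string, owner, group)."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError("not a directory listing line: %r" % line)
    return m.group(1), m.group(2), m.group(3)

def rights(line, user, groups):
    """Pick exactly one class (owner, else group, else other); root bypass not modelled."""
    perms, owner, group = parse_ls(line)
    if user == owner:
        triad = perms[0:3]
    elif group in groups:
        triad = perms[3:6]
    else:
        triad = perms[6:9]
    # Lowercase s/t means the execute bit is set together with setuid/setgid/sticky.
    return {"r": triad[0] == "r", "w": triad[1] == "w", "x": triad[2] in "xst"}

def audit(line):
    """For each identity: can it create files in the directory, can it traverse it?"""
    result = {}
    for name, (user, groups) in IDENTITIES.items():
        r = rights(line, user, groups)
        result[name] = {"write": r["w"] and r["x"], "traverse": r["x"]}
    return result

REPORTED = "drwxrws--- 8 root www-data 4096 2010-03-21 02:40 private"  # from the report
CHGRP_ONLY = "drwxrws--- 8 root list 4096 2010-03-21 02:40 private"    # constructed
PROPOSED = "drwxrws--- 8 www-data list 4096 2010-03-21 02:40 private"  # constructed

if __name__ == "__main__":
    for label, line in [("reported", REPORTED), ("chgrp only", CHGRP_ONLY),
                        ("proposed", PROPOSED)]:
        print(label, audit(line))
```

With mode `rwxrws---` the "other" class has no rights, so whichever identity matches neither the owner nor the group is locked out entirely; only the `www-data:list` combination gives both identities access.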
