Private Archive Permissions Are Incorrect

Bug #543148 reported by Andre Naef
This bug affects 6 people
Affects Status Importance Assigned to Milestone
mailman (Ubuntu)

Bug Description

Binary package hint: mailman

This bug report is for:

Description: Ubuntu lucid (development branch)
Release: 10.04

  Installed: 1:2.1.13-1
  Candidate: 1:2.1.13-1

It would appear that there is a permission problem for the directory /var/lib/mailman/archives/private:

drwxrws--- 8 root www-data 4096 2010-03-21 02:40 private

By default, this directory is created with group www-data. This prevents Mailman scripts from accessing the archive as these scripts are run with set group ID "list". As a result, nothing is written into the archive. A typical error from /var/log/mailman/error looks like this:

Mar 21 02:38:19 2010 (29405) Traceback (most recent call last):
  File "/var/lib/mailman/Mailman/Queue/", line 120, in _oneloop
    self._onefile(msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/", line 191, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/", line 73, in _dispose
  File "/var/lib/mailman/Mailman/Archiver/", line 198, in ArchiveMail
  File "/var/lib/mailman/Mailman/Archiver/", line 167, in __archive_to_mbox
    mbox = self.__archive_file(afn)
  File "/var/lib/mailman/Mailman/Archiver/", line 155, in __archive_file
    return Mailbox.Mailbox(open(afn, 'a+'))
IOError: [Errno 13] Permission denied: '/var/lib/mailman/archives/private/test.mbox/test.mbox'

Revision history for this message
Andre Naef (andre-naef) wrote :

To clarify, "Mailman scripts" refers to the Mailman CGI scripts. One use of these scripts is to moderate postings which in turn may cause a write into the archive when a posting is accepted.

Revision history for this message
Chuck Short (zulcss) wrote :

Are you using suexec?

Changed in mailman (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
Andre Naef (andre-naef) wrote :

No. It is just the the CGI scripts that have the sgid flag asserted.

Revision history for this message
Ketil Malde (ketil-ii) wrote :

What is the suggested workaround? 'sudo chmod list.list -R /var/lib/mailman/archives' ?

Changed in mailman (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Attila Lendvai (attila-lendvai) wrote :

i have 1:2.1.13-4 on 10.10

$ ll -d /var/lib/mailman/archives/
drwxrwsr-x 4 root list 4096 2010-10-08 16:57 /var/lib/mailman/archives/

but the CGI scripts complaint when it's *not* run with the 'www-data' group?! seems to be the opposite as in the original bug description with version 1:2.1.13-1.

it seemed to be logical to me to run teh cgi scripts with list:list at first, and i was surprised to read the error that it needs to be www-data.

Revision history for this message
Attila Lendvai (attila-lendvai) wrote :

ignore my previous confusion about www-data and cgi-scripts: since then i got to know that the scripts are setgid list.

but this prints a ton of directories that have the wrong permission after installing the package:

$ sudo -u list -g list /usr/lib/mailman/bin/check_perms | less

to fix the permissions run:

$ sudo /usr/lib/mailman/bin/check_perms -f

(will keep on complaining for some symlinks, but it's safe to ignore, because it fixes the target but checks the symlinks themselves)

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

I can also confirm the problem on Ubuntu 10.04, where the archives directories are owned by root and so mailman can not write to them.

$ ls -al /var/lib/mailman/archives/
total 16
drwxrwsr-x 4 root list 4096 2011-04-01 16:58 .
drwxrwsr-x 8 root list 4096 2011-04-01 16:58 ..
drwxrws--- 2 root www-data 4096 2011-02-17 15:31 private
drwxrwsr-x 2 root list 4096 2011-02-17 15:31 public

Running 'sudo /usr/lib/mailman/bin/check_perms -f' fixes the permissions by changing them to list:list, but this needs to be done after each new mailing lists is created.

Revision history for this message
Tom Browder (tbrowder) wrote :

I also confirm the bug exists on Ubuntu 10.04 LTS (Lucid Lynx), but I had to do this manually to get access to the archives via the mailman web interface:

  sudo chmod o+rx /var/lib/mailman/archives/private

And that was recommended by an experienced user on the mailman mailing list.

Note also that, for me, adding new lists did not then change the perms back to the erroneous ones. (I added a new list with the newlist command).

Revision history for this message
Bryan Richter (bryan-richter) wrote :

This affected me on 14.04, too. Luckily, after running this command, both existing lists and new lists had the right permissions:

    sudo chgrp -R list /var/lib/mailman/archives/private

Revision history for this message
Bryan Richter (bryan-richter) wrote :

Heh, after my last command, public archives were no longer available through apache. These *two* command should fix everything up:

    sudo chgrp -R list /var/lib/mailman/archives/private
    sudo chown www-data /var/lib/mailman/archives/private

The fix, I think, would involve making sure /var/lib/mailman/archives/private is instantiated with www-data:list ownership, and rwxrws--- permissions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers