[Pkg-mailman-hackers] Bug#371074: mailman: web interface gives internal server error

Rob Ristroph rgr at sdf.lonestar.org
Fri Jun 16 20:08:16 UTC 2006 

Hi,
        I now have this mailman working, installed from source
        (2.1.8), not from the debian package.

        I'm not in a position to be able to replicate this bug
        anymore, because the server is in use, so you might want to
        mark this bug accordingly -- I'll answer the questions below
        about the setup as best I can though.

        I am really grateful for the responses on this bug report,
        even if (especially if . . .) it was just a weird
        configuration on my part.  I am used to sending bug reports
        into a black hole, so it is really nice to have you guys follow
        up with me on it.

        Here is an overview of what I did to make it work from source,
        perhaps something here is helpful:

        made user/group mailman:
        groupadd mailman
        useradd -c "GNU Mailman" -s /no/shell -d /no/home -s mailman mailman

        cd /var/lib/mailman
        chgrp mailman .
        chmod a_rx,g+ws .

        ./configure --prefix=/usr/lib/mailman
        --with-var-prefix=/var/lib/mailman --with-cgi-gid=service
        --with-username=mailman --with-groupname=mailman
        --with-mail-gid=Debian-exim
        make clean
        make
        make install
        check_parms -f

        At this point I still got the error I mentioned in the first
        bug report, but I was getting helpful info from the mailman
        error log, which was a permissions denied message.  I removed
        the suexec, and got a "we've hit a bug!" message, but nothing
        in the error log -- I changed the error log to be writeable by
        everyone, and got a message about the config.pck of one of my
        pre-existing lists having "permission denied".  I fixed that,
        and then had to also do "chmod a+rx,g+ws
        /var/lib/mailman/cgi-bin/*" and then it was working.


        If set up a backup server to this one I might be able to
        experiment more.  However I will probably also set up that web
        server to run as the normal www-data in order to be simpler.

        A few more notes below . . .

>>>>> "Lionel" == Lionel Elie Mamane <lionel at mamane.lu> writes:
Lionel> 
Lionel> On Wed, Jun 07, 2006 at 02:39:30AM -0500, Rob Ristroph wrote:
>> I installed mailman with apt-get.
Lionel> 
>> It worked at least well enough to create some lists at some point.
>> Since then the system has been apt-get upgraded several times.
Lionel> 
Lionel> Did you install 2.1.8 or an older version originally?

It was 2.1.8.

>> Now, when I go to any of the mailman links, such as listinfo or the
>> admin page of a list, I get this in my browser:
Lionel> 
>> ====================================
>> Internal Server Error
Lionel> 
>> The server encountered an internal error or misconfiguration and was
>> unable to complete your request.
Lionel> 
Lionel> Isn't your _web server_ CGI configuration fucked up? Do other CGIs
Lionel> work?

Other CGI's worked at that time.  This was the only one that didn't.

Lionel> This looks more like an Apache error message than a Mailman one to
Lionel> me.

Yes, that is possible.  In the configuration I am currently using does
not use SuExec.  It is possible that I was trying to SuExec to a
user/group with uid/gid below 100, and that was generating the error.

>> Among other background information you should know:
Lionel> 
>> -- I had to "ln -s /usr/lib/cgi-bin/mailman /usr/lib/mailman/cgi-bin/"
>> before the gforge apache configs would find mailman properly
Lionel> 
Lionel> That is gforge's bug. Please file a separate bug against
Lionel> gforge-lists-mailman and tell them (add
Lionel> pkg-mailman-hackers at lists.alioth.debian.org to the CC list for that
Lionel> bug; reportbug will give you the opportunity to do that).

OK, I will.

>> -- The output of check_perms:
>> =================================
>> check_perms -f
Lionel> 
>> /var/lib/mailman/mail bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/cgi-bin bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/logs bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/Mailman bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/bin bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/icons bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/templates bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/locks bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/scripts bad group (has: root, expected list) (fixing)
>> /var/lib/mailman/cron bad group (has: root, expected list) (fixing)
Lionel> 
Lionel> These are false positives; on a Debian system, those are symlinks, and
Lionel> check_perms looks at the symlink and not at its target; the targets
Lionel> have the right group, as far as I can see.

I eventually fixed them by hand when I re-installed from source.  I
don't think those errors were related to the problem.

>> Warning: Private archive directory is other-executable (o+x).
>> This could allow other users on your system to read private
>> archives.
Lionel> 
Lionel> Yes, but that's the only sane way to ensure that the web server can
Lionel> serve these files, too.

Yes.  That was not related to my problem; I wasn't trying to get to
the archives, I was trying to get to the listinfo.

>> Also, instead of apache running as www-data on this system, it is
>> running as another user;
Lionel> 
Lionel> What is the uid of this user, and its gid?

1011 (same for both uid and gid)

>> however, it runs mailman as the user it expects via the suexec
>> directive,
Lionel> 
Lionel> The mailman in Debian, in contrast to the upstream mailman, doesn't
Lionel> care as what group (and user?) it runs as long as the group is 65534
Lionel> or strictly less than 100.

That might explain something, I was still puzzeled not to get
something in the mailman error log though.

>> I have this in the apache conf file:
Lionel> 
>> SuexecUserGroup www-data www-data
Lionel> 
Lionel> Are you sure this does what you think it does? It seems to me that
Lionel> suexec will refuse to execute the cgi's as a user/group below 100, and
Lionel> www-data is 33. Additionally, suexec will only work if launched by
Lionel> www-data, that is only of Apache is running as www-data, it seems to
Lionel> me. Check /var/log/apache/suexec.log and check that it is having the
Lionel> effect you think it has.

I think you are right.  I now have the system working without the use
of SuExec.  I looked in the suexec.log and saw several of these
messages:

user mismatch (service instead of www-data)

By the frequency I think they were showing up each time I restarted
the web server, when I had that suexec stuff in there.

>> I see no messages in the logs when the error happens, except for this
>> in the gforge apache logs:
Lionel> 
>> [Wed Jun 07 02:24:31 2006] [error] [client 70.112.100.20] Premature end
>> of script headers:
>> admin, referer:
>> http://gforge.mydomain.com/mail/admin/index.php?group_id=7
Lionel> 
Lionel> Hmm... Weird.

What puzzled me was the I got this log message but nothing in the
mailman error log.

Again, thanks for helping me with this bug -- and since I am not in a
position to replicate it, it would be hard to work further on it now.
I will re-submit it if I can get it to happen again when I set up the
next server.

--Rob

-- 
http://rgr.freeshell.org/

More information about the Pkg-mailman-hackers mailing list