[Pkg-mailman-hackers] Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

Luca Capello luca at pca.it
Sun Mar 30 15:26:06 UTC 2014


tag 603904 + patch
user contact at itopie.ch
usertags 603904 + debian-packaging
thanks

Hi there!

On Sat, 08 Mar 2014 20:56:15 +0100, beuc at debian.org wrote:
> I confirm the problem.  FYI here's the permissions at Gna(.org) that
> have been working for at least 2 years, more likely 10:
>
>   drwxrws--- 4065 www-data list 139264 Mar  8 17:30 /var/lib/mailman/archives/private/

The above reflects both /usr/share/doc/mailman/mailman-install.txt.gz
from wheezy (1:2.1.15-1) and sid (1:2.1.16-2), as well as the online
documentation:

  <http://www.gnu.org/software/mailman/mailman-install/node9.html>

--8<---------------cut here---------------start------------->8---
                           4 Check your installation

   After you've run make install, you should check that your installation
   has all the correct permissions and group ownerships by running the
   check_perms script.
[...]
   Warning: If you're running Mailman on a shared multiuser system, and
   you have mailing lists with private archives, you may want to hide the
   private archive directory from other users on your system. In that
   case, you should drop the other execute permission (o-x) from the
   archives/private directory. However, the web server process must be
   able to follow the symbolic link in public directory, otherwise your
   public Pipermail archives will not work. To set this up, become root
   and run the following commands:

# cd <prefix>/archives
# chown <web-server-user> private
# chmod o-x private

   You need to know what user your web server runs as. It may be www,
   apache, httpd or nobody, depending on your server's configuration.
--8<---------------cut here---------------end--------------->8---

However, the above is still not the case on a default wheezy
(1:2.1.15-1) installation: list:www-data for private and root:list for
public.  And indeed, the current Debian settings cause a permission
error; everything is OK for www-data, but not for list:
=====
root@maison:~# ls -l /var/lib/mailman/archives/*
/var/lib/mailman/archives/private:
total 16
drwxrwsr-x 2 root     www-data 4096 Mar 29 15:28 mailman
drwxrwsr-x 2 root     www-data 4096 Mar 29 15:28 mailman.mbox
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test.mbox

/var/lib/mailman/archives/public:
total 0
lrwxrwxrwx 1 www-data list 38 Mar 29 18:02 test -> /var/lib/mailman/archives/private/test
root@maison:/etc# ls -lR /var/lib/mailman/archives/*
/var/lib/mailman/archives/private:
total 16
drwxrwsr-x 2 root     www-data 4096 Mar 29 15:28 mailman
drwxrwsr-x 2 root     www-data 4096 Mar 29 15:28 mailman.mbox
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test
drwxrwsr-x 2 www-data www-data 4096 Mar 29 18:02 test.mbox

/var/lib/mailman/archives/private/mailman:
total 4
-rw-rw-r-- 1 root www-data 573 Mar 29 15:28 index.html

/var/lib/mailman/archives/private/mailman.mbox:
total 0

/var/lib/mailman/archives/private/test:
total 4
-rw-rw-r-- 1 www-data www-data 564 Mar 29 18:02 index.html

/var/lib/mailman/archives/private/test.mbox:
total 0

/var/lib/mailman/archives/public:
total 0
lrwxrwxrwx 1 www-data list 38 Mar 29 18:02 test -> /var/lib/mailman/archives/private/test
root@maison:~#
=====

Simply doing as Sylvain and upstream suggest is enough, which actually
reflects the public folder permissions:
=====
root@maison:~# chown www-data:list /var/lib/mailman/archives/private/
root@maison:~# chgrp -R list /var/lib/mailman/archives/private/
=====

Please note that Yubao Liu already pointed this out, both on this bug as
well as on the Debian Mailman list:

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603904#10>
  <http://lists.alioth.debian.org/pipermail/pkg-mailman-hackers/2011-December/003877.html>

The patch is trivial:

--8<---------------cut here---------------start------------->8---
diffstat for mailman-2.1.16 mailman-2.1.16

 changelog |    9 +++++++++
 rules     |    2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff -Nru mailman-2.1.16/debian/changelog mailman-2.1.16/debian/changelog
--- mailman-2.1.16/debian/changelog	2014-02-03 14:01:47.000000000 +0100
+++ mailman-2.1.16/debian/changelog	2014-03-30 16:44:58.000000000 +0200
@@ -1,3 +1,12 @@
+mailman (1:2.1.16-3~fix603904.1) UNRELEASED; urgency=medium
+
+  * debian/rules:
+    + fix ownership on /var/lib/mailman/archives/private as upstream
+      suggests, also reflecting group ownership for public archives
+      (Closes: #603904).
+
+ -- Luca Capello <luca at pca.it>  Sun, 30 Mar 2014 16:44:58 +0200
+
 mailman (1:2.1.16-2) unstable; urgency=medium
 
   * Upload to unstable, as requested by Thijs; we did not encounter
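
Review bot: the new entry under debian/rules says "fix ownership ... as upstream suggests" without naming the values, so a reader of the changelog cannot tell that the owner moves from list to www-data or which group the directory is meant to end up with. Suggest stating the old and new owner and the intended group in the entry, so that it can be checked against the one-line change in debian/rules.
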
diff -Nru mailman-2.1.16/debian/rules mailman-2.1.16/debian/rules
--- mailman-2.1.16/debian/rules	2014-02-03 13:47:42.000000000 +0100
+++ mailman-2.1.16/debian/rules	2014-03-30 17:18:22.000000000 +0200
@@ -179,7 +179,7 @@
 		debian/mailman/usr/lib/$(package)/Mailman/Cgi/*
 
 	chmod o-rx debian/mailman/var/lib/$(package)/archives/private
-	chown list:www-data debian/mailman/var/lib/$(package)/archives/private
+	chown www-data debian/mailman/var/lib/$(package)/archives/private
 	chmod 0755 debian/mailman/usr/lib/$(package)/cron/*
 	chmod 0644 debian/mailman/usr/lib/$(package)/cron/{crontab.in,paths.py}
 
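
Review bot: the replacement "chown www-data" line sets only the owner, so the group of archives/private is left to whatever the staging tree already has, while the changelog entry speaks of reflecting the group ownership of the public archives and the commands tested earlier in this message used "chown www-data:list". Suggest writing "chown www-data:list" here so the result does not depend on an earlier step. This line also covers only the top-level directory: the per-list directories in the listing (root:www-data and www-data:www-data) needed "chgrp -R list" in the manual fix, and nothing in this hunk handles them on an existing installation.
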
--8<---------------cut here---------------end--------------->8---

Thx, bye,
Gismo / Luca
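
An added example, not part of the original message or of the Debian package: a small audit of archives/private against the layout discussed above. The policy is an assumption taken from the Gna listing, the upstream excerpt and the manual fix (owner www-data and no other read/search on the top directory, group list everywhere, setgid and group rwx on directories); the function names are hypothetical.

```python
import grp
import os
import pwd
import stat

WEB_USER = "www-data"   # web server user named in the message
LIST_GROUP = "list"     # Mailman group named in the message

def check_entry(path, mode, owner, group, is_top):
    """Return the findings for one entry; an empty list means it is OK."""
    findings = []
    if group != LIST_GROUP:
        findings.append(f"{path}: group is {group}, expected {LIST_GROUP}")
    if is_top:
        if owner != WEB_USER:
            findings.append(f"{path}: owner is {owner}, expected {WEB_USER}")
        if mode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append(f"{path}: open to other users (want o-rx)")
    if stat.S_ISDIR(mode):
        if not (mode & stat.S_ISGID):
            findings.append(f"{path}: setgid missing, new files lose the group")
        if (mode & stat.S_IRWXG) != stat.S_IRWXG:
            findings.append(f"{path}: group lacks rwx")
    return findings

def _name(lookup, ident, field):
    # Fall back to the numeric id when it has no passwd/group entry.
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)

def audit(private_dir):
    """Check private_dir itself, then everything below it."""
    todo = [(private_dir, True)]
    for root, dirs, files in os.walk(private_dir):
        todo += [(os.path.join(root, n), False) for n in dirs + files]
    findings = []
    for path, is_top in todo:
        st = os.lstat(path)  # lstat: report on links, do not follow them
        owner = _name(pwd.getpwuid, st.st_uid, "pw_name")
        group = _name(grp.getgrgid, st.st_gid, "gr_name")
        findings += check_entry(path, st.st_mode, owner, group, is_top)
    return findings

if __name__ == "__main__":
    for line in audit("/var/lib/mailman/archives/private"):
        print(line)
```

Run as root on the list server; no output means the tree matches the assumed policy.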