FAQ
I am running other applications that need to invoke mailman to create a
new list and add a member to the list
by calling "newlist" and "add_members" as user "tomcat".

I have mailman set up with ownership "root" and group "mailman". So how
do I make the mailman scripts "newlist" and "add_members" so
they can be run as user tomcat? Although the permissions on these scripts
are 755, it doesn't allow other users besides root to create a new list
or add a member to the list.

So, when I run my application as user tomcat calling these scripts, I
get error:
Enter the email of the person running the list: jnguyen at test.edu
Initial jtest11 password:
Traceback (most recent call last):
  File "./newlist_new", line 254, in ?
    main()
  File "./newlist_new", line 196, in main
    mlist.Create(listname, owner_mail, pw)
  File "/usr/local/mailman/Mailman/MailList.py", line 488, in Create
    self._full_path = Site.get_listpath(name, create=1)
  File "/usr/local/mailman/Mailman/Site.py", line 65, in get_listpath
    _makedir(path)
  File "/usr/local/mailman/Mailman/Site.py", line 40, in _makedir
    os.makedirs(path, 02775)
  File "/usr/lib/python2.3/os.py", line 154, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/usr/local/mailman/lists/jtest11'

  • Dragon at May 30, 2006 at 5:58 pm
    Jana Nguyen sent the message below at 10:39 5/30/2006:
    I am running other applications that need to invoke mailman to create a
    new list and add a member to the list
    by calling "newlist" and "add_members" as user "tomcat".

    I have mailman set up with ownership "root" and group "mailman". So how
    do I make the mailman scripts "newlist" and "add_members" so
    they can be run as user tomcat? Although the permissions on these scripts
    are 755, it doesn't allow other users besides root to create a new list
    or add a member to the list.
    ---------------- End original message. ---------------------

    First thing I will point out is that running anything as root is a
    bad idea unless you absolutely need root access. I would suggest
    creating a user named mailman with no shell access and using that as
    the owner instead. This is a pretty important thing for security,
    root access can have very serious implications and may allow an
    attacker to gain control of your server.


    The real problem you are having here is tied to the permissions on
    the list directory you are trying to access. This being the critical
    information in the trace back:

    OSError: [Errno 13] Permission denied: '/usr/local/mailman/lists/jtest11'


    In order to get things to work the way you want, the user tomcat must
    be made a member of the mailman group. All of the scripts should be
    configured as set_gid, and the list configuration files and
    associated directories should be group writable. If they aren't, you
    should run bin/fix_perms -f to configure the permissions correctly.

    But before you do that, I would very seriously recommend that you
    rebuild and reinstall your mailman installation so it is not owned by
    root before somebody trashes your machine.


    Dragon

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • Jana Nguyen at May 30, 2006 at 8:16 pm

    Dragon wrote:

    > Jana Nguyen sent the message below at 10:39 5/30/2006:
    > I am running other applications that need to invoke mailman to create a
    > new list and add a member to the list
    > by calling "newlist" and "add_members" as user "tomcat".
    >
    > I have mailman set up with ownership "root" and group "mailman". So how
    > do I make the mailman scripts "newlist" and "add_members" so
    > they can be run as user tomcat? Although the permissions on these scripts
    > are 755, it doesn't allow other users besides root to create a new list
    > or add a member to the list.
    > ---------------- End original message. ---------------------
    >
    > First thing I will point out is that running anything as root is a bad
    > idea unless you absolutely need root access. I would suggest creating
    > a user named mailman with no shell access and using that as the owner
    > instead. This is a pretty important thing for security, root access
    > can have very serious implications and may allow an attacker to gain
    > control of your server.
    >
    > The real problem you are having here is tied to the permissions on the
    > list directory you are trying to access. This being the critical
    > information in the trace back:
    >
    > OSError: [Errno 13] Permission denied: '/usr/local/mailman/lists/jtest11'
    >
    > In order to get things to work the way you want, the user tomcat must
    > be made a member of the mailman group.

    I added user tomcat to mailman group in /etc/group

    > All of the scripts should be configured as set_gid,

    How can I configure the scripts as set_gid? This does not seem to be on
    the list of configuration options which mailman doc described.

    > and the list configuration files and associated directories should be
    > group writable. If they aren't, you should run bin/fix_perms -f to
    > configure the permissions correctly.

    I don't have bin/fix_perms script. I'm running mailman 2.1. So I
    manually chmod 775 to lists dir.

    Thanks!

    > But before you do that, I would very seriously recommend that you
    > rebuild and reinstall your mailman installation so it is not owned by
    > root before somebody trashes your machine.
    >
    > Dragon
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • Dragon at May 30, 2006 at 8:41 pm
    Jana Nguyen sent the message below at 13:16 5/30/2006:
    > I added user tomcat to mailman group in /etc/group

    OK. That's a good thing and once the permissions are set right,
    things will work. See below...

    > How can I configure the scripts as set_gid? This does not seem to be on
    > the list of configuration options which mailman doc described.

    This is taken care of via a mailman script... see below.

    > I don't have bin/fix_perms script. I'm running mailman 2.1. So I
    > manually chmod 775 to lists dir.

    My apologies, I got the name wrong. It is the bin/check_perms script.
    This script will be located in the bin directory under the
    installation directory where mailman resides. As an example, on my
    system mailman lives in the /usr/local/mailman directory.

    Use the -f option of check_perms to fix things that are not correct.
    This should have been done as part of the installation of the mailman
    distribution, it is one of the steps detailed in the installation
    process after doing "make install".

    You do really want to use the check_perms script just in case
    something is amiss elsewhere. It is designed to make sure that all
    files and directories in your mailman installation have the correct
    permissions and owner/group assigned.


    Dragon

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • Mark Sapiro at May 30, 2006 at 10:50 pm

    Dragon wrote:
    > Jana Nguyen sent the message below at 13:16 5/30/2006:
    >> I added user tomcat to mailman group in /etc/group
    > OK. That's a good thing and once the permissions are set right,
    > things will work. See below...
    >> How can I configure the scripts as set_gid? This does not seem to be on
    >> the list of configuration options which mailman doc described.
    > This is taken care of via a mailman script... see below.

    The bin/* scripts are NOT setgid and 'bin/check_perms -f' will not make
    them setgid. This is generally a good thing because in general you
    don't want anyone who happens to have access to the box to be able to
    run the bin/* scripts. They should only be runnable by a user in the
    mailman group or root.

    In Jana's case, adding 'tomcat' to the mailman group should allow
    'tomcat' to successfully run the scripts.

    --
    Mark Sapiro <msapiro at value.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Dragon at May 30, 2006 at 10:57 pm
    Mark Sapiro sent the message below at 15:50 5/30/2006:
    The bin/* scripts are NOT setgid and 'bin/check_perms -f' will not make
    them setgid. This is generally a good thing because in general you
    don't want anyone who happens to have access to the box to be able to
    run the bin/* scripts. They should only be runnable by a user in the
    mailman group or root.

    In Jana's case, adding 'tomcat' to the mailman group should allow
    'tomcat' to successfully run the scripts.
    ---------------- End original message. ---------------------

    My mistake, I was thinking it worked differently than it does.
    However, she e-mailed me a while ago to let me know that adding the
    user to the mailman group and running the check_perms script fixed her problem.

    So even though I was a bit mixed up there about the details, she did
    get to where she needed to be.



    Dragon

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
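
The permission model the thread settles on (tomcat in the mailman group, list directories owned by that group, group-writable and setgid, as in the 02775 that Site._makedir passes in the traceback) can be verified before the application calls newlist. The following Python audit is an added example, not part of the original thread or of Mailman; it is a simplified stand-in for bin/check_perms, and its function names are hypothetical.

```python
import grp
import os
import pwd
import stat
import sys


def entry_problems(mode, gid, want_gid):
    """Reasons a member of the Mailman group could not use this entry."""
    problems = []
    if gid != want_gid:
        problems.append("wrong group")
    if not mode & stat.S_IWGRP:
        problems.append("not group-writable")
    if stat.S_ISDIR(mode):
        if not mode & stat.S_IXGRP:
            problems.append("not group-searchable")
        # Without setgid, a list created by tomcat gets tomcat's primary
        # group instead of the directory's group (mailman).
        if not mode & stat.S_ISGID:
            problems.append("setgid bit missing")
    return problems


def audit_tree(root, want_gid):
    """Walk root; return {path: [problems]} for every failing entry."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            found = entry_problems(st.st_mode, st.st_gid, want_gid)
            if found:
                report[path] = found
    return report


def in_group(user, group):
    """True if group is the user's primary or a supplementary group."""
    g = grp.getgrnam(group)
    return pwd.getpwnam(user).pw_gid == g.gr_gid or user in g.gr_mem


if __name__ == "__main__":
    # Assumed invocation: audit.py /usr/local/mailman/lists tomcat mailman
    root, user, group = sys.argv[1:4]
    print("%s in group %s: %s" % (user, group, in_group(user, group)))
    gid = grp.getgrnam(group).gr_gid
    for path, found in sorted(audit_tree(root, gid).items()):
        print("%s: %s" % (path, ", ".join(found)))
```

A change to /etc/group only applies to processes started afterwards, so a Tomcat instance that was already running must be restarted before it gains the mailman group.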

Discussion Overview
group: mailman-users
categories: python
posted: May 30, '06 at 5:39p
active: May 30, '06 at 10:57p
posts: 6
users: 3
website: list.org
