Thank you in advance for replies. The list is now working fine however access
to the archive is blocked:
From:
http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce

On line:
To see collection of prior postings to the list, visit the
clicking link for> bps_comps_print_announce Archives

goes to:
http://www.vizion2000.net/pipermail/bps_comps_print_announce/

with result:
Forbidden
You don't have permission to access/pipermail/bps_comps_print_announce/ on
this server

Attempt to view archives from Topic Section of the mailing list administration
page using link for> Go to list archives
also fails

Extract from httpd-error.log
[Tue Dec 29 12:50:12 2009] [error] [client 62.49.197.51] attempt to invoke
directory as script: /usr/local/mailman/cgi-bin/
[Tue Dec 29 12:50:47 2009] [error] [client 62.49.197.51] Symbolic link not
allowed or link target not accessible:
/usr/local/mailman/archives/public/bps_comps_print_announce, referer:
http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce

Extract from httpd.conf
ScriptAlias /mailman "/usr/local/mailman/cgi-bin"
<Directory "/usr/local/mailman">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /pipermail "/usr/local/mailman/archives/public"
<Directory "/usr/local/mailman/archives/public">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
Options Indexes MultiViews
AddDefaultCharset Off
</Directory>

dns1# pwd
/usr/local/mailman
dns1# ls -l
total 36
drwxrwsr-x 11 mailman mailman 2048 Dec 29 09:03 Mailman
drwxrwsr-x 4 www www 512 Dec 28 13:07 archives
drwxrwsr-x 2 root mailman 1024 Dec 28 13:07 bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cgi-bin
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cron
drwxrwsr-x 2 mailman mailman 512 Dec 28 15:54 data
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 icons
drwxrwsr-x 6 mailman mailman 512 Dec 28 15:45 lists
drwxrwsr-x 2 root mailman 512 Dec 29 14:00 locks
drwxrwsr-x 2 mailman mailman 512 Dec 29 09:04 logs
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 mail
drwxrwsr-x 37 root mailman 512 Dec 28 13:07 messages
drwxrwsr-x 5 root mailman 512 Dec 28 13:07 pythonlib
drwxrwsr-x 11 mailman mailman 512 Dec 28 15:54 qfiles
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 scripts
drwxrwsr-x 2 root mailman 512 Dec 28 13:07 spam
drwxrwsr-x 38 root mailman 512 Dec 28 13:07 templates
drwxrwsr-x 4 root mailman 512 Dec 28 13:07 tests
dns1# cd archives
dns1# ls -l
total 4
drwxrws--- 10 www www 512 Dec 28 15:45 private
drwxrwsr-x 2 www www 512 Dec 28 15:46 public
dns1# cd private
dns1# ls -l
total 16
drwxrwsr-x 2 www www 512 Dec 19 17:58 bps_comp_print_chat
drwxrwsr-x 2 www www 512 Dec 19 17:58 bps_comp_print_chat.mbox
drwxrwsr-x 2 www www 512 Dec 19 17:57 bps_comp_print_reminders
drwxrwsr-x 2 www www 512 Dec 19 17:57 bps_comp_print_reminders.mbox
drwxrwsr-x 4 www www 512 Dec 29 03:27 bps_comps_print_announce
drwxrwsr-x 2 www www 512 Dec 28 15:54 bps_comps_print_announce.mbox
drwxrwsr-x 2 www www 512 Dec 28 15:45 mailman
drwxrwsr-x 2 www www 512 Dec 28 15:45 mailman.mbox
dns1# cd ../public
dns1# ls -l
total 0
lrwxr-xr-x 1 www www 55 Dec 19 17:58 bps_comp_print_chat ->
/usr/local/mailman/archives/private/bps_comp_print_chat
lrwxr-xr-x 1 www www 60 Dec 19 17:57 bps_comp_print_reminders ->
/usr/local/mailman/archives/private/bps_comp_print_reminders
lrwxr-xr-x 1 www www 60 Dec 19 17:56 bps_comps_print_announce ->
/usr/local/mailman/archives/private/bps_comps_print_announce
dns1# cd /usr/local/mailman/archives/private/bps_comps_print_announce
dns1# ls -l
total 14
drwxrwsr-x 2 www www 512 Dec 28 15:54 2009-December
-rw-rw-r-- 1 www www 2870 Dec 28 15:54 2009-December.txt
-rw-rw-r-- 1 www www 1356 Dec 29 03:27 2009-December.txt.gz
drwxrws--- 2 www www 512 Dec 28 15:54 database
-rw-rw-r-- 1 www www 1110 Dec 28 15:54 index.html
-rw-rw---- 1 www www 870 Dec 28 15:54 pipermail.pck
dns1#

Thanks in advance

  • Mark Sapiro at Dec 29, 2009 at 3:32 pm

    David Southwell wrote:
    Thank you in advance for replies. The list is now working fine however access
    to the archive is blocked [...]
    dns1# pwd
    /usr/local/mailman
    dns1# ls -l
    total 36
    drwxrwsr-x 11 mailman mailman 2048 Dec 29 09:03 Mailman
    drwxrwsr-x 4 www www 512 Dec 28 13:07 archives

    This and everything subordinate to it needs to be group mailman.

    drwxrwsr-x 2 root mailman 1024 Dec 28 13:07 bin
    drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cgi-bin
    drwxrwsr-x 2 root mailman 512 Dec 28 13:07 cron
    drwxrwsr-x 2 mailman mailman 512 Dec 28 15:54 data
    drwxrwsr-x 2 root mailman 512 Dec 28 13:07 icons
    drwxrwsr-x 6 mailman mailman 512 Dec 28 15:45 lists
    drwxrwsr-x 2 root mailman 512 Dec 29 14:00 locks
    drwxrwsr-x 2 mailman mailman 512 Dec 29 09:04 logs
    drwxrwsr-x 2 root mailman 512 Dec 28 13:07 mail
    drwxrwsr-x 37 root mailman 512 Dec 28 13:07 messages
    drwxrwsr-x 5 root mailman 512 Dec 28 13:07 pythonlib
    drwxrwsr-x 11 mailman mailman 512 Dec 28 15:54 qfiles
    drwxrwsr-x 2 root mailman 512 Dec 28 13:07 scripts
    drwxrwsr-x 2 root mailman 512 Dec 28 13:07 spam
    drwxrwsr-x 38 root mailman 512 Dec 28 13:07 templates
    drwxrwsr-x 4 root mailman 512 Dec 28 13:07 tests
    dns1# cd archives
    dns1# ls -l
    total 4
    drwxrws--- 10 www www 512 Dec 28 15:45 private

    The owner of archives/private needs to be the user the web server runs
    as. I would think that would be 'www', but then I don't understand why
    public archive access doesn't work.

    See <http://www.list.org/mailman-install/node9.html> for info on
    archives/private. Normally, it is o+x, but if not, it needs to be
    owned by the web server user but still group mailman.

    check_perms should fix a lot of this, but you may also need to do

    chgrp -R mailman /usr/local/mailman/archives/

    and possibly

    for d in `find /usr/local/mailman/archives/ -type d -print` ; do
    chmod g+s $d
    done

    With the ownership and permissions you have here, Mailman shouldn't be
    able to even store anything in the archives.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Steff Watkins at Dec 29, 2009 at 3:39 pm

    -----Original Message-----
    From: mailman-users-bounces+s.watkins=nhm.ac.uk at python.org
    [mailto:mailman-users-bounces+s.watkins=nhm.ac.uk at python.org]
    On Behalf Of David Southwell
    Sent: 29 December 2009 15:04
    To: mailman-users at python.org
    Subject: [Mailman-Users] Archive access Forbidden
    with result:
    Forbidden
    You don't have permission to
    access/pipermail/bps_comps_print_announce/ on this server

    Attempt to view archives from Topic Section of the mailing
    list administration page using link for> Go to list archives
    also fails

    Extract from httpd-error.log
    [Tue Dec 29 12:50:12 2009] [error] [client 62.49.197.51]
    attempt to invoke directory as script:
    /usr/local/mailman/cgi-bin/ [Tue Dec 29 12:50:47 2009]
    [error] [client 62.49.197.51] Symbolic link not allowed or
    link target not accessible:
    /usr/local/mailman/archives/public/bps_comps_print_announce, referer:
    http://www.vizion2000.net/mailman/listinfo/bps_comps_print_announce

    Extract from httpd.conf
    ScriptAlias /mailman "/usr/local/mailman/cgi-bin"
    <Directory "/usr/local/mailman">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>
    ScriptAlias /pipermail "/usr/local/mailman/archives/public"
    <Directory "/usr/local/mailman/archives/public">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
    </Directory>
    Hi,

    I'm guessing that the directory indexing mechanism of Apache is getting
    confused.

    The line

    ScriptAlias /pipermail "/usr/local/mailman/archives/public"

    tells apache that anything with a URI starting with /pipermail is a
    script, so Apache will take any call to that URI as a call for an
    executable.

    Looking at my local setup I see that the only indexing material in the
    'archive/public' subdirectories is the file index.html.

    So you have to configure Apache to look for index.html as the indexing
    mechanism within a "script only" directory. Something like:

    <Directory "/usr/local/mailman/archives/public">
    ....
    ....
    DirectoryIndex index.html
    </Directory>

    should do the trick. Don't forget to restart Apache after adding that
    line.

    HTH,
    S Watkins
  • Mark Sapiro at Dec 29, 2009 at 3:50 pm

    Steff Watkins wrote:
    I'm guessing that the directory indexing mechanism of Apache is getting
    confused.

    The line

    ScriptAlias /pipermail "/usr/local/mailman/archives/public"

    tells apache that anything with a URI starting with /pipermail is a
    script, so Apache will take any call to that URI as a call for an
    executable.

    Good catch! I missed that. It should be

    Alias /pipermail "/usr/local/mailman/archives/public"

    not ScriptAlias.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • David Southwell at Dec 29, 2009 at 4:23 pm

    Steff Watkins wrote:
    I'm guessing that the directory indexing mechanism of Apache is getting
    confused.

    The line

    ScriptAlias /pipermail "/usr/local/mailman/archives/public"

    tells apache that anything with a URI starting with /pipermail is a
    script, so Apache will take any call to that URI as a call for an
    executable.
    Good catch! I missed that. It should be

    Alias /pipermail "/usr/local/mailman/archives/public"

    not ScriptAlias.
    OK guys -- thank you everyone BUT BUT

    still no success I changed the entries in httpd.conf and restarted the server
    but still get the same result.

    As a matter of curiosity I tried http://www.vizion2000.net/pipermail which
    simply gave me a page
    Index of /pipermail
    . Parent Directory

    Following the link > Parent Directory took me to

    http://www.vizion2000.net/

    So we know the Alias pipermail line in httpd.conf is being read but we still
    get no further. It seems there must be something wrong with the httpd.conf so
    I am reposting it as it now stands:

    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    # Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

    </Directory>
    ScriptAlias /mailman " /usr/local/mailman/cgi-bin"
    <Directory "/usr/local/mailman">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>
    Alias /pipermail "/usr/local/mailman/archives/public"
    <Directory "/usr/local/mailman/archives/public/">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
    DirectoryIndex index.html
    </Directory>
  • Steff Watkins at Dec 29, 2009 at 5:10 pm

    -----Original Message-----
    From: David Southwell [mailto:david at vizion2000.net]
    Sent: 29 December 2009 16:23
    To: mailman-users at python.org
    Cc: Mark Sapiro; Steff Watkins
    Subject: Re: [Mailman-Users] Archive access Forbidden
    OK guys -- thank you everyone BUT BUT
    Alias /pipermail "/usr/local/mailman/archives/public"
    <Directory "/usr/local/mailman/archives/public/">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
    DirectoryIndex index.html
    </Directory>
    Errm... suggestion... tidy up! :)

    AFAIK Apache doesn't allow you to just sequentially "add" Options lines
    together. If I've read it correctly, the "Options Indexes MultiViews"
    would cancel the "Options FollowSymLinks ExecCGI" as it is a later
    instruction.. I could be wrong on that, been a while since I went
    grubbing around in Apache's mechanics.

    My own setup for this looks like:

    Alias /pipermail/ "/usr/local/mailman/archives/public/"

    <Directory "/usr/local/mailman/archives/public">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>

    No Indexes, no Multiviews and definitely No ExecCGI. Something just
    makes me feel queasy about making a web archive of a public mailing
    list in a way that it might be possible to have someone include a script
    in the mail that may have an ever so slight chance of executing. You're
    not running SSIs, are you?

    Really, make life as easy as possible for yourself. K.I.S.S... Kiss It
    Simple, Sunshine! As simple as you can possibly get away with.

    One other problem with this is that we only see the "relevant" part of
    the httpd.conf file. I am not knocking you for that, security minded
    people work on the idea of least-disclosed the better. Problem is that
    there may be a directive in some other part of the httpd.conf file which
    totally banjaxes your mailman setup.

    Are you in a position to run a test instance of the webserver, say on
    something like port 8080 with a totally plain-vanilla stock httpd.conf
    file? You could then inject the mailman configuration into that and see
    what is needed to make it work. If you then inject those changes into
    your standard (port 80) httpd.conf and they still fail, you would at
    least know that there was some directive in the original webserver setup
    that was playing havoc with your mailman setup.

    Regards,
    S Watkins
  • Mark Sapiro at Dec 29, 2009 at 6:29 pm

    Steff Watkins wrote:
    From: David Southwell [mailto:david at vizion2000.net]
    OK guys -- thank you everyone BUT BUT
    Alias /pipermail "/usr/local/mailman/archives/public"
    <Directory "/usr/local/mailman/archives/public/">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
    DirectoryIndex index.html
    </Directory>
    Errm... suggestion... tidy up! :)

    AFAIK Apache doesn't allow you to just sequentially "add" Options lines
    together. If I've read it correctly, the "Options Indexes MultiViews"
    would cancel the "Options FollowSymLinks ExecCGI" as it is a later
    instruction.. I could be wrong on that, been a while since I went
    grubbing around in Apache's mechanics.

    That is correct. You can add options with a + as in

    Options FollowSymLinks ExecCGI
    Options +Indexes +MultiViews

    but without + to add or - to take away, the options will replace any
    prior options.


    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
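
The Options replacement rule from the last two posts, as an added example that is not part of the thread: it evaluates the Options lines of a single `<Directory>` block in order and reports what is left in force, using the blocks quoted above as constructed input. It models one block only (no inheritance from parent sections), and the function names are hypothetical.

```python
# Added example (not from the thread): how the Options lines inside one
# <Directory> block combine, following the rule described in the posts above.

def effective_options(block):
    """Return the options in force after all Options lines in one block."""
    opts = set()
    for raw in block.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0].lower() != "options":
            continue
        args = words[1:]
        signed = [w[0] in "+-" for w in args]
        if any(signed) and not all(signed):
            # Simplification of this example: refuse mixed signed/plain lines.
            raise ValueError("mixed +/- and plain options: " + raw.strip())
        if not any(signed):
            opts = set()          # a plain Options line replaces what came before
        for w in args:
            name = w.lstrip("+-")
            if w[0] == "-":
                opts.discard(name)
            elif name.lower() == "none":
                opts.clear()
            else:
                opts.add(name)
    return opts

def audit_archive_block(block):
    """Flag the two problems raised in the thread for the pipermail tree."""
    opts = effective_options(block)
    findings = []
    if not opts & {"FollowSymLinks", "SymLinksIfOwnerMatch"}:
        findings.append("symlinks not followed: public/<list> -> private/<list> is refused")
    for risky in sorted(opts & {"ExecCGI", "Includes"}):
        findings.append(risky + " is on for a tree built from list mail")
    return findings

# Constructed inputs, copied from the Options lines quoted in the thread.
POSTED = """Options FollowSymLinks ExecCGI
AllowOverride None
Options Indexes MultiViews
DirectoryIndex index.html"""
PLUS_FORM = "Options FollowSymLinks ExecCGI\nOptions +Indexes +MultiViews"
MINIMAL = "Options FollowSymLinks\nAllowOverride None"

if __name__ == "__main__":
    for label, block in (("posted", POSTED), ("plus form", PLUS_FORM), ("minimal", MINIMAL)):
        print(label, sorted(effective_options(block)), audit_archive_block(block))
```

For the posted block the second Options line leaves only Indexes and MultiViews, which matches the "Symbolic link not allowed" entry in the error log, since every entry under archives/public is a symlink into archives/private.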

Discussion Overview
group: mailman-users @
categories: python
posted: Dec 29, '09 at 3:03p
active: Dec 29, '09 at 6:29p
posts: 7
users: 3
website: list.org