mailman on cPanel

pizzaman

Active Member
#1
I have been running LSWS 2.2.x happily on one busy production cPanel box for a week, and not a single issue has come up. :)

Today a customer reported that when he accessed the mailman interface through "http://domain1.com/mailman/admindb/list1_domain1.com", he got a 403 Forbidden error. I checked and confirmed his error.

In httpd.conf:
Alias /mailman/archives/ /usr/local/cpanel/3rdparty/mailman/archives/public/
ScriptAlias /mailman/ /usr/local/cpanel/3rdparty/mailman/cgi-bin/

LSWS access_log:
1.2.3.4 - - [19/Sep/2006:12:20:23 +0700] "GET /mailman/admindb/list1_domain1.com HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

LSWS looks for the script in httpd's docroot, and not the full path to ScriptAlias?

# ls -al /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin*
-rwxr-sr-x 1 mailman mailman 69676 Jun 3 14:30 /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin*
-rwxr-sr-x 1 mailman mailman 69708 Jun 3 14:30 /usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb*

Thanks
 

mistwang

LiteSpeed Staff
#2
That's because LSWS does not allow setuid or setgid CGI scripts by default. Mailman's CGI script is setgid. I updated the latest 2.2.2 package; please download and install it again.

To make the mailman CGI happy, you also need to set "Force GID" under server->"security"->"CGI resource control" to the gid of the "nobody" group.

Please let me know the result.
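
Added example, not part of the thread and not LiteSpeed's code: a Python audit that reads the ScriptAlias directories out of httpd.conf text and lists the regular files in them that carry the setuid or setgid bit, which is the condition the reply above says LSWS rejects by default. The function names are this example's own, and the embedded config is the two directives quoted in the first post.

```python
import os
import re
import stat

# Matches Apache "ScriptAlias <url-prefix> <directory>" lines.
# Commented-out lines and ScriptAliasMatch do not match.
SCRIPT_ALIAS = re.compile(r'^[ \t]*ScriptAlias[ \t]+(\S+)[ \t]+"?([^"\s]+)"?', re.I | re.M)

def script_alias_dirs(conf_text):
    """Return [(url_prefix, directory)] for every ScriptAlias in the config text."""
    return SCRIPT_ALIAS.findall(conf_text)

def special_bits(mode):
    """Name the setuid/setgid bits present in a st_mode value."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    return names

def audit_dir(directory):
    """Return [(path, bits, uid, gid)] for regular files carrying setuid/setgid."""
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and special_bits(st.st_mode):
            findings.append((entry.path, special_bits(st.st_mode), st.st_uid, st.st_gid))
    return findings

def audit_conf(conf_text):
    """Audit every ScriptAlias directory that exists on this host."""
    report = {}
    for prefix, directory in script_alias_dirs(conf_text):
        if os.path.isdir(directory):
            report[prefix] = audit_dir(directory)
    return report

if __name__ == "__main__":
    # The two directives quoted in the first post; run this on the cPanel host itself.
    CONF = """\
Alias /mailman/archives/ /usr/local/cpanel/3rdparty/mailman/archives/public/
ScriptAlias /mailman/ /usr/local/cpanel/3rdparty/mailman/cgi-bin/
"""
    for prefix, hits in audit_conf(CONF).items():
        for path, bits, uid, gid in hits:
            print(f"{prefix} {path} {'+'.join(bits)} uid={uid} gid={gid}")
```

The owner and group in each finding show which identity the script would assume if the server honoured the bit, which is what the "Force GID" setting overrides.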
 

pizzaman

Active Member
#4
Another issue is that every customer's script in their /cgi-bin/ is now 404. Everyone's script will always be read from the server docroot cgi-bin (/usr/local/apache/cgi-bin/).

I think this just comes up with the latest version or so.
 

pizzaman

Active Member
#6
I'm glad this latest 2.2.2 fixes it.

- mailman is working ok (needed to force group to nobody)
- users cgi-bin work again

I hope this is the last surprise I'm going to get from the latest 2.2.2. ;)

Thanks!
 

mistwang

LiteSpeed Staff
#7
That's great!

But wouldn't forcing CGI to run as the nobody group break other users' CGI scripts in the system?
I think it is alright; as long as the nobody group has no permission to access all users' directories, one user will not be able to peek at another user's file.
 