From owner-freebsd-ports@FreeBSD.ORG Tue Dec 29 18:49:47 2009
Message-ID: <4B3A4F43.5040003@FreeBSD.org>
Date: Tue, 29 Dec 2009 13:49:39 -0500
From: Greg Larkin
Organization: The FreeBSD Project
To: David Southwell
References: <200912291421.16006.david@vizion2000.net> <200912291754.27503.david@vizion2000.net> <4B3A48E2.2060108@FreeBSD.org> <200912291837.44103.david@vizion2000.net>
In-Reply-To: <200912291837.44103.david@vizion2000.net>
Cc: Boris Kochergin, freebsd-ports@freebsd.org
Subject: Re: mailman web access to archives failure:
Reply-To: glarkin@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Southwell wrote:
>> David Southwell wrote:
>>>> David Southwell wrote:
>>>>
>>>> [...]
>>>>
>>>>> Thank you Boris
>>>>>
>>>>> After reading your files I changed the httpd.conf to follow your format
>>>>> but it still did not work :-(.
>>>>>
>>>>> Here are my entries:
>>>>>
>>>>>
>>>>> # This should be changed to whatever you set DocumentRoot to.
>>>>> #
>>>>>
>>>>> #
>>>>> # Possible values for the Options directive are "None", "All",
>>>>> # or any combination of:
>>>>> # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
>>>>> #
>>>>> # Note that "MultiViews" must be named *explicitly* --- "Options All"
>>>>> # doesn't give it to you.
>>>>> #
>>>>> # The Options directive is both complicated and important. Please see
>>>>> # http://httpd.apache.org/docs/2.2/mod/core.html#options
>>>>> # for more information.
>>>>> #
>>>>> Options Indexes FollowSymLinks
>>>>>
>>>>> #
>>>>> # AllowOverride controls what directives may be placed in .htaccess files.
>>>>> # It can be "All", "None", or any combination of the keywords:
>>>>> # Options FileInfo AuthConfig Limit
>>>>> #
>>>>> AllowOverride None
>>>>>
>>>>> #
>>>>> # Controls who can get stuff from this server.
>>>>> #
>>>>> Order allow,deny
>>>>> Allow from all
>>>>>
>>>>>
>>>>> ScriptAlias /mailman " /usr/local/mailman/cgi-bin"
>>>>>
>>>>> Options ExecCGI
>>>>> Order allow,deny
>>>>> Allow from all
>>>>>
>>>>> Alias /pipermail "/usr/local/mailman/archives/public"
>>>>>
>>>>> Options ExecCGI FollowSymLinks
>>>>> Order allow,deny
>>>>> Allow from all
>>>>> Options Indexes MultiViews
>>>>> AddDefaultCharset Off
>>>>> DirectoryIndex index.html
>>>>>
>>>>> #
>>>>>
>>>>> Seems I am struggling with this.
>>>>>
>>>>> Thanks again for all your help. Let's hope someone can spot
>>>>> something soon. These things are usually caused by a daft error on my
>>>>> part!!
>>>>>
>>>>> David
>>>> Hi David,
>>>>
>>>> Can you post a listing of the contents of the directory
>>>> /usr/local/mailman/archives/public/?
>>>>
>>>> Also, please visit
>>>> http://www.vizion2000.net/pipermail/bps_comp_print_reminders/ and post
>>>> the request errors from httpd-error.log.
>>>>
>>>> Thank you,
>>>> Greg
>>> Hi Greg
>>>
>>> Thanks for staying with this - here is the info you asked for:
>>>
>>> dns1# cd /usr/local/mailman/archives/public/
>>> dns1# ls -l
>>> total 0
>>> lrwxr-xr-x 1 www www 55 Dec 19 17:58 bps_comp_print_chat -> /usr/local/mailman/archives/private/bps_comp_print_chat
>>> lrwxr-xr-x 1 www www 60 Dec 19 17:57 bps_comp_print_reminders -> /usr/local/mailman/archives/private/bps_comp_print_reminders
>>> lrwxr-xr-x 1 www www 60 Dec 19 17:56 bps_comps_print_announce -> /usr/local/mailman/archives/private/bps_comps_print_announce
>>> dns1#
>>>
>>> error-log shows:
>>> [Tue Dec 29 17:46:00 2009] [error] [client 62.49.197.50] Symbolic link not allowed or link target not accessible: /usr/local/mailman/archives/public/bps_comp_print_reminders
>>>
>>> Sudden thought I had not mentioned:
>>>
>>> This server is running SSL
>>> (Apache/2.2.14 mod_ssl/2.2.14)
>>>
>>> Is there any chance that could possibly affect access to the archives??
>>> Everything else works. Incidentally /usr/local/mailman/ and its
>>> subdirectories are on a separate physical drive to the document root
>>> which is
>>> /usr_www/virtualwebs/vizion2000.net/
>>> Thanks again
>>>
>>> David
>> Hi David,
>>
>> I don't think it's an issue with the version of Apache, but rather a
>> permissions issue on your "private" directory.
>>
>> The quickest way to determine where the problem lies is by running
>> Apache inside of truss (http://bit.ly/DFWAr). With the proper command
>> line arguments, truss should reveal the cause of the "link target not
>> accessible" error.
>>
>> However, you can also try to figure it out by determining the uid/gid of
>> your Apache processes and inspecting the permissions in the mailman
>> directory hierarchy.
>>
>> Type this:
>>
>> egrep '^(Group|User)' /usr/local/etc/apache22/httpd.conf
>>
>> Note the results. On my system, it prints:
>>
>> User www
>> Group www
>>
>> Next, run each of the following commands in order, noting if any of the
>> permissions prevent the Apache uid/gid from accessing the directory.
>>
>> ls -ld /
>> ls -ld /usr
>> ls -ld /usr/local
>> ls -ld /usr/local/mailman
>> ls -ld /usr/local/mailman/archives
>> ls -ld /usr/local/mailman/archives/private
>> ls -ld /usr/local/mailman/archives/private/bps_comp_print_reminders
>>
>> My guess is that you'll find some permissions that need to be loosened
>> slightly. I'm not familiar with mailman, so I'm assuming that the web
>> interface scripts run with the uid/gid of the Apache process. If they
>> don't for some reason, you'll need to know their uid/gid to do this
>> analysis.
>>
>
> Here-tis
> dns1# egrep '^(Group|User)' /usr/local/etc/apache22/httpd.conf
> User www
> Group www
> dns1# ls -ld /
> drwxr-xr-x 36 root wheel 1024 Dec 19 11:36 /
> dns1# ls -ld /
> drwxr-xr-x 36 root wheel 1024 Dec 19 11:36 /
> dns1# ls -ld /usr
> drwxr-xr-x 23 root wheel 512 Dec 12 14:21 /usr
> dns1# ls -ld /usr/local
> drwxr-xr-x 27 root wheel 512 Dec 15 15:54 /usr/local
> dns1# ls -ld /usr/local/mailman
> drwxrwsr-x 20 mailman mailman 512 Dec 28 13:07 /usr/local/mailman
> dns1# ls -ld /usr/local/mailman/archives
> drwxrwsr-x 4 root mailman 512 Dec 28 13:07 /usr/local/mailman/archives
> dns1# ls -ld /usr/local/mailman/archives/private
> drwxrws--- 10 mailman mailman 512 Dec 28 15:45 /usr/local/mailman/archives/private
> dns1# ls -ld /usr/local/mailman/archives/private/bps_comp_print_reminders
> drwxrwsr-x 2 mailman mailman 512 Dec 19 17:57 /usr/local/mailman/archives/private/bps_comp_print_reminders
> dns1#
> david

Hi David,

This directory has a problem if mailman runs its scripts with uid/gid of
www/www:

drwxrws--- 10 mailman mailman 512 Dec 28 15:45 /usr/local/mailman/archives/private

"Other" users (including www) are
prevented from entering that directory.

Have you tried running the check_perms scripts from the mailman package?
That may help you determine where the problem is. More information can
be found here, along with some specific info about the permissions for
the private directory:

http://bit.ly/7Ht0rS

Hope that helps,
Greg
- --
Greg Larkin

http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFLOk9D0sRouByUApARAtF+AJ9iCTw06vui8J8kxJBfm4gpMDM9QwCgrZqT
vEb6JsbhlswvsZcOPV54+b8=
=yXKi
-----END PGP SIGNATURE-----
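
The permission walk described in the message above, written as a script. This is an added example, not part of the original message and not mailman's check_perms: it reads each directory's mode with `ls -ldn` and reports the first one a given uid/gid cannot enter. The function names, the START argument, the temporary tree and uid/gid 4242 are constructed for illustration.

```shell
#!/bin/sh
# Added example: the thread's `ls -ld` walk, scripted. Pass the symlink TARGET.
# can_search DIR UID "GID ..." -> 0 if that identity has the search (x) bit.
# Only the first matching class (owner, then group, then other) is consulted.
can_search() {
    dir=$1 uid=$2 gids=$3
    set -- $(ls -ldn "$dir" 2>/dev/null)    # fields: mode links uid gid ...
    mode=$1 owner=$3 group=$4
    [ -n "$mode" ] || return 2              # DIR could not be listed
    [ "$uid" != 0 ] || return 0             # root bypasses mode bits
    if [ "$uid" = "$owner" ]; then
        case $mode in ???[xs]*) return 0 ;; esac; return 1
    fi
    for g in $gids; do
        if [ "$g" = "$group" ]; then
            case $mode in ??????[xs]*) return 0 ;; esac; return 1
        fi
    done
    case $mode in ?????????[xt]*) return 0 ;; esac
    return 1
}

# first_blocked PATH UID "GID ..." [START]: print the first directory on PATH
# the identity cannot enter. START (hypothetical) skips an already-trusted prefix.
first_blocked() {
    cur=${4:-} rest=${1#"${4:-}"}
    [ -n "$cur" ] || can_search / "$2" "$3" || { echo /; return 1; }
    while [ -n "$rest" ]; do
        rest=${rest#/}; part=${rest%%/*}; rest=${rest#"$part"}
        [ -n "$part" ] || continue
        cur=$cur/$part
        [ -d "$cur" ] || continue
        can_search "$cur" "$2" "$3" || { echo "$cur"; return 1; }
    done
    return 0
}

# Constructed sample tree with the modes from the listing in the thread.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/archives/private/bps_comp_print_reminders"
    chmod 755 "$t"; chmod 2775 "$t/archives"
    chmod 2775 "$t/archives/private/bps_comp_print_reminders"
    chmod 2770 "$t/archives/private"        # drwxrws--- : nothing for "other"
    echo "$t"
}
tree=$(make_demo_tree)                      # 4242: constructed stand-in for www
first_blocked "$tree/archives/private/bps_comp_print_reminders" 4242 4242 "$tree" ||
    echo "  ^ first directory uid/gid 4242 cannot enter"
rm -rf "$tree"
```

On the server in the thread the equivalent call, run as root, would be `first_blocked /usr/local/mailman/archives/private/bps_comp_print_reminders "$(id -u www)" "$(id -G www)"`.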