LiteSpeed Support Forums

LiteSpeed Support Forums (http://www.litespeedtech.com/support/forum/index.php)
-   Apache Migration/Compatibility (http://www.litespeedtech.com/support/forum/forumdisplay.php?f=24)
-   -   mailman on cPanel (http://www.litespeedtech.com/support/forum/showthread.php?t=595)

pizzaman 09-18-2006 10:29 PM
mailman on cPanel
 
Have been running LSWS 2.2.x happily in one busy production cPanel box for a week and no single issue comes up. :)

Today a customer reports that when he accessed mailman interface through "http://domain1.com/mailman/admindb/list1_domain1.com", he got a 403 Forbidden error. I checked and confirmed his error.

In httpd.conf:
Alias /mailman/archives/ /usr/local/cpanel/3rdparty/mailman/archives/public/
ScriptAlias /mailman/ /usr/local/cpanel/3rdparty/mailman/cgi-bin/

LSWS access_log:
1.2.3.4 - - [19/Sep/2006:12:20:23 +0700] "GET /mailman/admindb/list1_domain1.com HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

LSWS looks for the script in httpd's docroot, and not the full path to ScriptAlias?

# ls -al /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin*
-rwxr-sr-x 1 mailman mailman 69676 Jun 3 14:30 /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin*
-rwxr-sr-x 1 mailman mailman 69708 Jun 3 14:30 /usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb*

Thanks

mistwang 09-19-2006 09:50 AM
That's because LSWS does not allow setuid or setgid CGI scripts by default. Mailman's CGI script is setgid. I updated the latest 2.2.2 package, please download and install again.

To make mailman CGI happy, you also need to set "Force GID" under server->"security"->"CGI resource control" to the gid of "nobody" group.

Please let me know the result.

pizzaman 09-20-2006 08:56 PM
OK, that fixes mailman issue.

But wouldn't force running CGI as nobody group break other users' CGI scripts in the system?

pizzaman 09-21-2006 04:22 AM
Another issue is that, every customer's script in their /cgi-bin/ is now 404. Everyone's script will always be read from server docroot cgi-bin (/usr/local/apache/cgi-bin/).

I think this just comes up with the latest version or so.

mistwang 09-21-2006 09:36 AM
Fixed, please download 2.2.2 release again.
Please let me know the result. :)

pizzaman 09-21-2006 10:06 AM
I'm glad this latest 2.2.2 fixes it.

- mailman is working ok (needed to force group to nobody)
- users cgi-bin work again

I hope this is the last surprise I'm going to get from the latest 2.2.2. ;)

Thanks!

mistwang 09-21-2006 01:08 PM
That's great!

Quote:
But wouldn't force running CGI as nobody group break other users' CGI scripts in the system?
I think it is alright, as long as nobody group has no permission to access all users' directories, one user will not able to peek another user's file.

pizzaman 09-21-2006 09:12 PM
Alright, I'll see if this is the last bug ( :) )before we can deploy LSWS in all cPanel boxes. Thanks.


All times are GMT -7. The time now is 09:26 PM.