Subject: Re: mailman and apache, straight from pkgsrc, not happy...
To: Matthias Buelow <mkb@mukappabeta.de>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 09/04/2003 17:18:48
[ On Thursday, September 4, 2003 at 23:01:39 (+0200), Matthias Buelow wrote: ]
> Subject: Re: mailman and apache, straight from pkgsrc, not happy...
>
> Marshall Rose writes:
> 
> >yeah, after playing with that for a while. i decided to run apache with
> >u/g mailman:mailman...
> 
> I've encountered the same problems a while back when trying to set
> up mailman+apache.  I wonder what the best solution here is.
> Running the entire apache as mailman:mailman probably isn't so
> desirable.  Running mailman (and its databases) as www:www is
> neither.  Perhaps Manuel's choice of running the mailman scripts
> setgid isn't that bad?

Apache has that SUEXEC thing which seems to be more secure in controlled
environments than even setgid scripts might be.  If I'm not mistaken it
even installs out-of-the-box from pkgsrc, though if not then putting
APACHE_SUEXEC=YES in /etc/mk.conf should do it.

When you're using SUEXEC then so long as mailman's CGI programs reside
under ~mailman Apache will run them as "mailman" while system CGIs can
still be run as "www".

I haven't done this for mailman, but it works fine for Netsaint and for
Cricket and for a custom user-management database system I help support.

I think the only potential problem is that you then are effectively
forced to run all other CGI scripts that live under anyone's $HOME as
that user, which may or may not be what you want to do on any given
server.
 
-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
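
Added example, not part of the original message and not Apache's own code: a Python audit of the file-level conditions that the suEXEC wrapper checks before it will run a CGI as a target user such as "mailman". The function names and the sample tree (with stand-in CGI names `listinfo` and `admin`) are constructed for illustration; the user-validity and docroot checks that suEXEC also performs are not covered.

```python
import os
import stat
import tempfile

def suexec_file_problems(cgi_path, uid, gid):
    """List reasons suEXEC's file checks would refuse to run cgi_path as uid:gid."""
    problems = []
    # suEXEC inspects the directory the CGI lives in as well as the program.
    directory = os.path.realpath(os.path.dirname(os.path.abspath(cgi_path)))
    for label, path in (("directory", directory), ("program", cgi_path)):
        try:
            st = os.lstat(path)  # lstat: a symlinked program is refused
        except OSError:
            problems.append(f"{label} cannot be stat()ed")
            continue
        if label == "program" and stat.S_ISLNK(st.st_mode):
            problems.append("program is a symlink")
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} is writable by group or others")
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append(f"{label} owner {st.st_uid}:{st.st_gid} is not {uid}:{gid}")
        if label == "program":
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append("program is setuid or setgid")
            if not st.st_mode & stat.S_IXUSR:
                problems.append("program is not executable by its owner")
    return problems

def demo():
    """Constructed sample tree: one acceptable CGI, one group-writable setgid CGI."""
    root = tempfile.mkdtemp()           # created mode 0700, owned by the caller
    owner = os.lstat(root)              # stands in for the "mailman" account
    results = {}
    for name, mode in (("listinfo", 0o755), ("admin", 0o2775)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
        results[name] = suexec_file_problems(path, owner.st_uid, owner.st_gid)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "passes the file checks")
```

On a real install, pass the numeric uid and gid of the account the CGIs are meant to run as and the path of each CGI program under its home directory.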