Manual setup - permissions
Hello,
I'm new to mailman3 and started to set up an instance from scratch by hand, but I'm struggling running the pieces with the correct user/permissions.
I can't find anything regarding running this and that with that user in the docs, so I have the following:
virtualenv_dir: /opt/venvs/mailman3
Installed packages in venv:
- "Django>=1.11"
- "django-haystack"
- "libsass"
- "mailman==3.3.0"
- "mailmanclient"
- "mailman-hyperkitty==1.1.0"
- "postorius==1.3.0"
- "hyperkitty==1.3.0"
- "whoosh"
- "uwsgi"
I have installed the core stuff in /opt/mailman3/core, all is owned by user+group "mailman3":
root@host:/opt/mailman3# tree .
.
├── core
│   ├── etc
│   │   ├── hyperkitty.cfg
│   │   ├── mailman.cfg
│   │   └── uwsgi.ini
│   ├── log
│   │   ├── bounce.log
│   │   ├── debug.log
│   │   ├── mailman.log
│   │   ├── plugins.log
│   │   └── smtp.log
│   └── var
│       ├── archives
│       │   └── hyperkitty
│       │       └── spool
│       │           ├── ...
│       ├── cache
│       ├── data
│       │   ├── mailman.db
│       │   ├── postfix_domains
│       │   ├── postfix_domains.db
│       │   ├── postfix_lmtp
│       │   └── postfix_lmtp.db
│       ├── lists
│       │   └── admin.lists....
│       ├── locks
│       ├── master.lck
│       ├── master.lck|...|...|...
│       ├── master.pid
│       ├── messages
│       │   ├── ...
│       ├── queue
│       │   ├── archive
│       │   ├── bad
│       │   ├── bounces
│       │   ├── command
│       │   ├── digest
│       │   ├── in
│       │   ├── nntp
│       │   ├── out
│       │   ├── pipeline
│       │   ├── retry
│       │   ├── shunt
│       │   └── virgin
│       └── templates
The django project is installed in /opt/mailman3/web, all is owned by user+group "nginx":
└── web
    └── project
        ├── db
        │   └── mailmansuite.db
        ├── emails
        ├── fulltext_index
        │   └── _MAIN_0.toc
        ├── logs
        │   ├── mailmansuite.log
        │   ├── uwsgi-error.log
        │   └── uwsgi.log
        ├── manage.py
        ├── __pycache__
        │   ├── settings.cpython-35.pyc
        │   └── urls.cpython-35.pyc
        ├── run
        │   └── uwsgi.sock
        ├── settings.py
        ├── static
        ├── urls.py
        └── wsgi.py
The mailman3 core is running with user+group "mailman3". And the uwsgi service is running as root and drops privileges to user+group "nginx".
Now, running the scheduled tasks (which run from user+group "nginx") for django I ran into permission problems, because the nginx user can't access/write to the needed files in /opt/mailman3/core/...
If anyone of you is able to read ansible tasks, this is how I set this up via ansible: https://github.com/freifunk-mwu/ansible-ffmwu/blob/mail/roles/service-bundle...
I would appreciate any hints how to run the different pieces of mailman3 with the correct user/groups/permissions.
Thanks in advance, Tobias
On 9/22/19 2:11 AM, Tobias Hachmer via Mailman-users wrote:
Now, running the scheduled tasks (which run from user+group "nginx") for django I ran into permission problems, because the nginx user can't access/write to the needed files in /opt/mailman3/core/...
If anyone of you is able to read ansible tasks, this is how I set this up via ansible: https://github.com/freifunk-mwu/ansible-ffmwu/blob/mail/roles/service-bundle...
I would appreciate any hints how to run the different pieces of mailman3 with the correct user/groups/permissions.
Set up everything as user:group mailman3:mailman3. I.e.,
chown -R mailman3:mailman3 /opt/mailman3/web
and set the uwsgi service to drop privileges to user+group "mailman3".
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Hi Mark,
thanks for your response.
On 9/23/19 1:29 AM, Mark Sapiro wrote:
On 9/22/19 2:11 AM, Tobias Hachmer via Mailman-users wrote:
Now, running the scheduled tasks (which run from user+group "nginx") for django I ran into permission problems, because the nginx user can't access/write to the needed files in /opt/mailman3/core/...
I would appreciate any hints how to run the different pieces of mailman3 with the correct user/groups/permissions.
Set up everything as user:group mailman3:mailman3. I.e.,
chown -R mailman3:mailman3 /opt/mailman3/web
and set the uwsgi service to drop privileges to user+group "mailman3".
So simple, now the scheduled tasks are working, but the whole web service did not work because the web server user nginx can't access and write to the uwsgi socket /opt/mailman3/web/project/run/uwsgi.sock anymore.
# chown -R nginx:mailman3 /opt/mailman3/web
This works for all. But isn't it a security risk that e.g. manage.py and settings.py are readable and writable by the webserver?
Regards, Tobias
On Mon, Sep 23, 2019, at 3:02 AM, Tobias Hachmer via Mailman-users wrote:
Hi Mark,
thanks for your response.
On 9/23/19 1:29 AM, Mark Sapiro wrote:
On 9/22/19 2:11 AM, Tobias Hachmer via Mailman-users wrote:
Now, running the scheduled tasks (which run from user+group "nginx") for django I ran into permission problems, because the nginx user can't access/write to the needed files in /opt/mailman3/core/...
I would appreciate any hints how to run the different pieces of mailman3 with the correct user/groups/permissions.
Set up everything as user:group mailman3:mailman3. I.e.,
chown -R mailman3:mailman3 /opt/mailman3/web
and set the uwsgi service to drop privileges to user+group "mailman3".
So simple, now the scheduled tasks are working, but the whole web service did not work because the web server user nginx can't access and write to the uwsgi socket /opt/mailman3/web/project/run/uwsgi.sock anymore.
# chown -R nginx:mailman3 /opt/mailman3/web
This works for all. But isn't it a security risk that e.g. manage.py and settings.py are readable and writable by the webserver?
You just need them to be readable, not writable. You could possibly use xattrs to just grant read privs.
You could also configure uwsgi to create a socket somewhere nginx can read it, /var/run/uwsgi.sock should be good enough. You can in theory also try https://uwsgi-docs.readthedocs.io/en/latest/Systemd.html for systemd setup in which case you don't have to manually create sockets as systemd can do that for you.
Regards, Tobias
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-leave@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
-- 
thanks,
Abhilash Raj (maxking)
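The two replies above together describe one permission model: the application user (Mark's "mailman3") owns the Django project, the web server user only needs group read access to the code and access to the uwsgi socket, and only the runtime state (database, logs, search index, socket directory) needs to be writable. The following shell script is an added example, not code from the thread or from the Mailman project: it applies that model to a project directory laid out like the one in the original post, and emits a uwsgi.ini fragment using uwsgi's real `uid`, `gid`, `chown-socket` and `chmod-socket` options so that nginx can connect to the socket without owning the code. The user/group names, the list of runtime directories and the socket path (/var/run/uwsgi.sock, as suggested above) are assumptions; `chown` only runs when the script is executed as root.

```shell
#!/bin/sh
# Added example (not from the thread or the Mailman project): ownership and
# mode model for a Django/uwsgi project dir such as /opt/mailman3/web/project.
set -eu

APP_USER="${APP_USER:-mailman3}"   # uwsgi drops privileges to this user
WEB_GROUP="${WEB_GROUP:-nginx}"    # group the web server (nginx) runs as

# Directories the application writes at run time (assumed list, taken from the
# tree in the original post: db, logs, search index, mailbox spool, socket dir).
RUNTIME_DIRS="db emails fulltext_index logs run"

harden_project_dir() {
    project="$1"

    # Ownership: the app user owns everything; the web server only gets group
    # rights. chown requires root, so it is skipped in an unprivileged run.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$APP_USER:$WEB_GROUP" "$project"
    fi

    # Code and configuration (manage.py, settings.py, ...): owner read/write,
    # group read-only, nothing for others. The web server can read, not write.
    find "$project" -type d -exec chmod 0750 {} +
    find "$project" -type f -exec chmod 0640 {} +

    # Runtime state: group-writable, setgid so new files inherit the group.
    for d in $RUNTIME_DIRS; do
        [ -d "$project/$d" ] || continue
        find "$project/$d" -type d -exec chmod 2770 {} +
        find "$project/$d" -type f -exec chmod 0660 {} +
    done
}

# Octal mode of a path (GNU stat assumed, as on the Linux host in the post).
mode_of() {
    stat -c '%a' "$1"
}

# uwsgi.ini fragment: drop privileges to APP_USER and create the socket with
# group access for WEB_GROUP. nginx's upstream must point at the same path.
render_uwsgi_ini() {
    cat <<EOF
[uwsgi]
uid = $APP_USER
gid = $WEB_GROUP
socket = /var/run/uwsgi.sock
chown-socket = $APP_USER:$WEB_GROUP
chmod-socket = 660
EOF
}

# Build a constructed copy of the posted layout in a temp dir, harden it and
# print the project path so the result can be inspected.
demo() {
    tmp="$(mktemp -d)"
    for d in db emails fulltext_index logs run static __pycache__; do
        mkdir -p "$tmp/project/$d"
    done
    for f in manage.py settings.py urls.py wsgi.py db/mailmansuite.db logs/uwsgi.log; do
        : > "$tmp/project/$f"
    done
    harden_project_dir "$tmp/project"
    printf '%s\n' "$tmp/project"
}
```

Run `demo` to see the modes on a throwaway copy, or `harden_project_dir /opt/mailman3/web/project` as root on a real install; with `chmod-socket = 660` and nginx in the `nginx` group, the socket is reachable by the web server while settings.py and manage.py stay at 0640, which answers the "writable by the webserver" concern raised above.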
I submitted an issue to mailman-web summarizing this conversation, and suggesting documentation as a short-term approach.
https://gitlab.com/mailman/mailman-web/issues/3
Abhilash Raj writes:
On Mon, Sep 23, 2019, at 3:02 AM, Tobias Hachmer via Mailman-users wrote:
# chown -R nginx:mailman3 /opt/mailman3/web
This works for all. But isn't it a security risk that e.g. manage.py and settings.py are readable and writable by the webserver?
You just need them to be readable, not writable. You could possibly use xattrs to just grant read privs.
etc.
Steve
-- 
Associate Professor                  Division of Policy and Planning Science
http://turnbull.sk.tsukuba.ac.jp/         Faculty of Systems and Information
Email: turnbull@sk.tsukuba.ac.jp                       University of Tsukuba
Tel: 029-853-5175                     Tennodai 1-1-1, Tsukuba 305-8573 JAPAN