Debian Package Install - Ownership and Permissions
Hello,
I know that installing from Debian packages is not the preferred method - unfortunately that's what I'm stuck with at the moment. I have an installation that is sort of working, but there seems to be a lot of issues relating to ownership and permissions that I'll have to manage by hand, so I am asking for some guidance.
I'm seeing an interplay between 'list' (the existing Mailman2 user), www-data (the Apache user) and root. Given that it seems like almost everything that's part of mailman3-web/django/hyperkitty is running in uwsgi, should I maybe change /etc/mailman3/uwsgi.ini to use 'list' as the uid/gid rather than www-data and then also change any user/group permission to 'list' as well?
Thanks
-Dave
-- Dave Hall Binghamton University
On Fri, Apr 7, 2023 at 7:14 PM Dave Hall via Mailman-users < mailman-users@mailman3.org> wrote:
Hello,
I know that installing from Debian packages is not the preferred method - unfortunately that's what I'm stuck with at the moment. I have an installation that is sort of working, but there seems to be a lot of issues relating to ownership and permissions that I'll have to manage by hand, so I am asking for some guidance.
It's actually not that difficult to migrate from the Debian packages to the virtualenv setup.
I'm seeing an interplay between 'list' (the existing Mailman2 user), www-data (the Apache user) and root. Given that it seems like almost everything that's part of mailman3-web/django/hyperkitty is running in uwsgi, should I maybe change /etc/mailman3/uwsgi.ini to use 'list' as the uid/gid rather than www-data and then also change any user/group permission to 'list' as well?
Mailman3 components (Core, Django) only need read permissions to /etc/mailman3/*, nothing more. Web-wise, MM2 and MM3 can even co-exist on the same server. Only the core will have issues should you share the listnames.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On Fri, Apr 7, 2023 at 12:29 PM Odhiambo Washington <odhiambo@gmail.com> wrote:
On Fri, Apr 7, 2023 at 7:14 PM Dave Hall via Mailman-users < mailman-users@mailman3.org> wrote:
Hello,
I know that installing from Debian packages is not the preferred method - unfortunately that's what I'm stuck with at the moment. I have an installation that is sort of working, but there seems to be a lot of issues relating to ownership and permissions that I'll have to manage by hand, so I am asking for some guidance.
It's actually not that difficult to migrate from the Debian packages to the virtualenv setup.
It's not an option for me today. Migration might be easy, but it's a different path for bringing code onto my servers - auditing and security. Someday soon I'd like to move this to Kubernetes or something, but not today. Today I need to move servers from Debian 10 to Debian 11, and Mailman 2.1 is disappearing so I need to migrate native Debian Mailman 2 to native Debian Mailman 3 as quickly as possible.
I'm seeing an interplay between 'list' (the existing Mailman2 user), www-data (the Apache user) and root. Given that it seems like almost everything that's part of mailman3-web/django/hyperkitty is running in uwsgi, should I maybe change /etc/mailman3/uwsgi.ini to use 'list' as the uid/gid rather than www-data and then also change any user/group permission to 'list' as well?
Mailman3 components (Core, Django) only need read permissions to /etc/mailman3/*, nothing more. Web-wise, MM2 and MM3 can even co-exist on the same server. Only the core will have issues should you share the listnames.
In addition to /etc/mailman3/*, there's also /var/lib/mailman3 and /var/log/mailman3. I'm seeing this mixture of owner/group as well in these folders and their subfolders.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
-- Dave Hall Binghamton University
On Fri, Apr 7, 2023 at 7:43 PM Dave Hall <kdhall@binghamton.edu> wrote:
On Fri, Apr 7, 2023 at 12:29 PM Odhiambo Washington <odhiambo@gmail.com> wrote:
On Fri, Apr 7, 2023 at 7:14 PM Dave Hall via Mailman-users < mailman-users@mailman3.org> wrote:
Hello,
I know that installing from Debian packages is not the preferred method - unfortunately that's what I'm stuck with at the moment. I have an installation that is sort of working, but there seems to be a lot of issues relating to ownership and permissions that I'll have to manage by hand, so I am asking for some guidance.
It's actually not that difficult to migrate from the Debian packages to the virtualenv setup.
It's not an option for me today. Migration might be easy, but it's a different path for bringing code onto my servers - auditing and security. Someday soon I'd like to move this to Kubernetes or something, but not today. Today I need to move servers from Debian 10 to Debian 11, and Mailman 2.1 is disappearing so I need to migrate native Debian Mailman 2 to native Debian Mailman 3 as quickly as possible.
I'm seeing an interplay between 'list' (the existing Mailman2 user), www-data (the Apache user) and root. Given that it seems like almost everything that's part of mailman3-web/django/hyperkitty is running in uwsgi, should I maybe change /etc/mailman3/uwsgi.ini to use 'list' as the uid/gid rather than www-data and then also change any user/group permission to 'list' as well?
Mailman3 components (Core, Django) only need read permissions to /etc/mailman3/*, nothing more. Web-wise, MM2 and MM3 can even co-exist on the same server. Only the core will have issues should you share the listnames.
In addition to /etc/mailman3/*, there's also /var/lib/mailman3 and /var/log/mailman3. I'm seeing this mixture of owner/group as well in these folders and their subfolders.
The MM3 user should be able to write logs in /var/log/mailman3. I don't know what is in /var/lib/mailman3 , but you are safe with changing ownership to the MM3 user.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On Fri, 7 Apr 2023, at 12:43, Dave Hall via Mailman-users wrote:
On Fri, Apr 7, 2023 at 12:29 PM Odhiambo Washington <odhiambo@gmail.com> wrote:
On Fri, Apr 7, 2023 at 7:14 PM Dave Hall via Mailman-users < mailman-users@mailman3.org> wrote:
It's actually not that difficult to migrate from the Debian packages to the virtualenv setup.
It's not an option for me today.
I feel you.
I am running MM2 and 3 in parallel without problems, I do have a special MTA setup though (Sendmail). Can't speak for Postfix etc..
Ownerships for Mailman 3:
# ls -l /etc/mailman3/
total 36
-rw-r--r-- 1 root root       399 2019-06-07 20:03 apache.conf
-rw-r----- 1 root list       756 2022-02-24 23:17 mailman-hyperkitty.cfg
-rw-r----- 1 list www-data  7672 2023-04-06 13:52 mailman-web.py
-rw-r----- 1 root list     11489 2022-02-24 23:16 mailman.cfg
-rw-r--r-- 1 root root      2893 2019-06-07 20:03 nginx.conf
-rw-r--r-- 1 root root      1511 2019-06-07 20:03 uwsgi.ini
/var/log/mailman3/ is list:list 755
/var/log/mailman3/web/ is www-data:www-data 755
/var/lib/mailman3/ is list:list 755
Contents in /var/lib/mailman3/ are list:list 755 except for /var/lib/mailman3/web/ which is all www-data:www-data 755
Make sure to always run any mailman as user list. mailman-web has the su to www-data built-in, it's just:
su -s /bin/sh -c "python3 /usr/share/mailman3-web/manage.py $*" www-data
So, use mailman-web wherever the docu says manage.py or django_admin --pythonpath /usr/share/mailman3-web
-- -- Andreas
:-)
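An added example, not part of any poster's message: a small audit that compares `stat` output against the ownership and modes listed in the message above. The table is transcribed from that one system's listing and is an assumption about what is correct for yours (a later reply in this thread says all processes should run as user list); the function names `compare_perms` and `audit_live` are hypothetical.

```shell
#!/bin/sh
# Baseline transcribed from the listing posted in the thread: path owner:group mode.
# Edit it to match the policy you decide on; it is not an official Debian manifest.
EXPECTED='/etc/mailman3/apache.conf root:root 644
/etc/mailman3/mailman-hyperkitty.cfg root:list 640
/etc/mailman3/mailman-web.py list:www-data 640
/etc/mailman3/mailman.cfg root:list 640
/etc/mailman3/nginx.conf root:root 644
/etc/mailman3/uwsgi.ini root:root 644
/var/log/mailman3 list:list 755
/var/log/mailman3/web www-data:www-data 755
/var/lib/mailman3 list:list 755
/var/lib/mailman3/web www-data:www-data 755'

# Read "path owner:group mode" lines on stdin (the format produced by
# GNU stat -c '%n %U:%G %a') and print one MISMATCH line per deviation.
# Paths missing from the baseline are ignored. Returns 1 if anything differs.
compare_perms() {
    rc=0
    while read -r path og mode; do
        want=$(printf '%s\n' "$EXPECTED" | awk -v p="$path" '$1 == p { print $2, $3 }')
        [ -n "$want" ] || continue
        if [ "$want" != "$og $mode" ]; then
            printf 'MISMATCH %s: have %s %s, want %s\n' "$path" "$og" "$mode" "$want"
            rc=1
        fi
    done
    return $rc
}

# Run against the real filesystem (needs GNU stat, as shipped on Debian).
audit_live() {
    # Baseline paths contain no spaces, so word splitting here is safe.
    stat -c '%n %U:%G %a' $(printf '%s\n' "$EXPECTED" | awk '{ print $1 }') 2>/dev/null |
        compare_perms
}

# Only touch the filesystem when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

The 640 entries are the ones worth watching: a mismatch that makes mailman.cfg or mailman-web.py world-readable exposes whatever credentials those files hold to every local account.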
On Fri, Apr 7, 2023 at 8:09 PM Andreas Schamanek < as2020+github@fam.tuwien.ac.at> wrote:
On Fri, 7 Apr 2023, at 12:43, Dave Hall via Mailman-users wrote:
On Fri, Apr 7, 2023 at 12:29 PM Odhiambo Washington <odhiambo@gmail.com> wrote:
On Fri, Apr 7, 2023 at 7:14 PM Dave Hall via Mailman-users < mailman-users@mailman3.org> wrote:
It's actually not that difficult to migrate from the Debian packages to the virtualenv setup.
It's not an option for me today.
I feel you.
I am running MM2 and 3 in parallel without problems, I do have a special MTA setup though (Sendmail). Can't speak for Postfix etc..
Your setup can handle list1@domain1.name via MM2 and MM3, simultaneously, right? :-)
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 4/7/23 13:43, Odhiambo Washington wrote:
On Fri, Apr 7, 2023 at 8:09 PM Andreas Schamanek < as2020+github@fam.tuwien.ac.at> wrote:
I am running MM2 and 3 in parallel without problems, I do have a special MTA setup though (Sendmail). Can't speak for Postfix etc..
Your setup can handle list1@domain1.name via MM2 and MM3, simultaneously, right? :-)
It is possible to have an MM2 list1 and an MM3 list1@domain1.name simultaneously on the same server, but what is the MTA going to do with incoming mail to list1@domain1.name. I suppose it could deliver it to both MM2 and MM3, but I don't see any practical use case for this.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Fri, Apr 7, 2023 at 5:47 PM Mark Sapiro <mark@msapiro.net> wrote:
On 4/7/23 13:43, Odhiambo Washington wrote:
On Fri, Apr 7, 2023 at 8:09 PM Andreas Schamanek < as2020+github@fam.tuwien.ac.at> wrote:
I am running MM2 and 3 in parallel without problems, I do have a special MTA setup though (Sendmail). Can't speak for Postfix etc..
Your setup can handle list1@domain1.name via MM2 and MM3, simultaneously, right? :-)
It is possible to have an MM2 list1 and an MM3 list1@domain1.name simultaneously on the same server, but what is the MTA going to do with incoming mail to list1@domain1.name. I suppose it could deliver it to both MM2 and MM3, but I don't see any practical use case for this.
I run Exim4 on my servers so I can comment from this perspective. Exim had a concept of 'routers' which are stacked and processed in order of appearance. There is a router for MM2 and one for MM3 that pick off incoming mail based on whether the email address matches a list name. With this setup, you could have the same list name in both MM2 and MM3, but it would go to whichever router appears first and the second one would never see it. So I have the MM3 router first, and as I migrate my lists from MM3 the email for those lists no longer gets to MM2.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
-- Dave Hall Binghamton University kdhall@binghamton.edu 607-760-2328 (Cell) 607-777-4641 (Office)
On 4/7/23 14:58, Dave Hall via Mailman-users wrote:
On Fri, Apr 7, 2023 at 5:47 PM Mark Sapiro <mark@msapiro.net> wrote:
On 4/7/23 13:43, Odhiambo Washington wrote:
On Fri, Apr 7, 2023 at 8:09 PM Andreas Schamanek < as2020+github@fam.tuwien.ac.at> wrote:
I am running MM2 and 3 in parallel without problems, I do have a special MTA setup though (Sendmail). Can't speak for Postfix etc..
Your setup can handle list1@domain1.name via MM2 and MM3, simultaneously, right? :-)
It is possible to have an MM2 list1 and an MM3 list1@domain1.name simultaneously on the same server, but what is the MTA going to do with incoming mail to list1@domain1.name. I suppose it could deliver it to both MM2 and MM3, but I don't see any practical use case for this.
I run Exim4 on my servers so I can comment from this perspective. Exim had a concept of 'routers' which are stacked and processed in order of appearance. There is a router for MM2 and one for MM3 that pick off incoming mail based on whether the email address matches a list name. With this setup, you could have the same list name in both MM2 and MM3, but it would go to whichever router appears first and the second one would never see it. So I have the MM3 router first, and as I migrate my lists from MM3 the email for those lists no longer gets to MM2.
And mail.python.org which currently has 189 Mailman 3 lists and 223 Mailman 2.1 lists does something very similar in its Postfix configuration and also prefers Mailman 3.
However, maybe I misunderstood Odhiambo's question about simultaneous support for a Mailman 2.1 and Mailman 3 list of the same name. We could certainly have that on mail.python.org, and even have both MM 2.1 and MM 3 web UIs for those lists, but as soon as the MM 3 list is created during migration, mail is only delivered to the MM 3 list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 4/7/23 09:14, Dave Hall via Mailman-users wrote:
I'm seeing an interplay between 'list' (the existing Mailman2 user), www-data (the Apache user) and root. Given that it seems like almost everything that's part of mailman3-web/django/hyperkitty is running in uwsgi, should I maybe change /etc/mailman3/uwsgi.ini to use 'list' as the uid/gid rather than www-data and then also change any user/group permission to 'list' as well?
With the Debian packages, all Mailman processes including Django, HyperKitty, Postorius, etc. should run as user list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (4): Andreas Schamanek, Dave Hall, Mark Sapiro, Odhiambo Washington