Installation Questions [Installation]
Hello everyone,
I'm running Ubuntu 24.10 and following the Virtualenv instructions <https://docs.mailman3.org/en/latest/install/virtualenv.html#setup-mailman-user>. When creating the mailman user per the instructions I find that the mailman user doesn't have sufficient permissions to do things later in the installation such as creating files in /etc. What steps should I take to ensure that the mailman user has the correct permissions to install the Mailman app?
Thank you, Arte Chambers
On 11/3/24 11:31, Arte Chambers via Mailman-users wrote:
Hello everyone,
I'm running Ubuntu 24.10 and following the Virtualenv instructions <https://docs.mailman3.org/en/latest/install/virtualenv.html#setup-mailman-user>. When creating the mailman user per the instructions I find that the mailman user doesn't have sufficient permissions to do things later in the installation such as creating files in /etc. What steps should I take to ensure that the mailman user has the correct permissions to install the Mailman app?
We should probably cover this in the docs, but for /etc/mailman3, you should do
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
Then you can create all the subordinate files as the mailman user. For other things like the systemd service and the postfix and web server configs, you need to do them as root (via sudo).
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
For other things like the systemd service and the postfix and web server configs, you need to do them as root (via sudo).
Does this mean I need to add the mailman user as a sudoer?
Arte Chambers via Mailman-users wrote on 2024-11-03 17:58:
For other things like the systemd service and the postfix and web server configs, you need to do them as root (via sudo).
Does this mean I need to add the mailman user as a sudoer?
No, user mailman can talk to postfix without being in any other groups than mailman.
It just means that to edit the postfix config files or start / stop mailman via systemctl, one needs root privileges.
Those are generally only needed when initially setting everything up.
Once setup is complete and you run systemctl enable --now mailman3 mailman3-web, mailman will start after every reboot and there's no need to touch it any further.
On 11/3/24 17:58, Arte Chambers via Mailman-users wrote:
For other things like the systemd service and the postfix and web server configs, you need to do them as root (via sudo).
Does this mean I need to add the mailman user as a sudoer?
No. mailman doesn't need to be a sudoer. Somebody needs to be root or a sudoer to create systemd files and edit postfix and web server configs, but that doesn't need to be mailman.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Hi,
On 04.11.24 02:06, Mark Sapiro wrote:
On 11/3/24 11:31, Arte Chambers via Mailman-users wrote:
We should probably cover this in the docs, but for /etc/mailman3, you should do
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
Then you can create all the subordinate files as the mailman user. For other things like the systemd service and the postfix and web server configs, you need to do them as root (via sudo).
Is it really necessary that the mailman user can write that directory? For most services, directories and files in /etc/ may be readable for the service but usually not writable as you don't want the service itself to change its core configuration.
On your server it looks like this:
# ls -la /etc/mailman3
total 28
drwxr-xr-x.  2 root mailman   95 Oct 25 08:12 .
drwxr-xr-x. 99 root root    8192 Oct 29 07:42 ..
-rw-r--r--.  1 root mailman  266 Oct 25 07:37 gunicorn.conf
-rw-r-----.  1 root mailman   92 Nov 21  2023 mailman-hyperkitty.cfg
-rw-r-----.  1 root mailman  797 Sep  9 11:20 mailman.cfg
-rw-r-----.  1 root mailman 3015 Oct 25 08:12 settings.py
and it works just fine.
Regards,
Gerald
On Mon, Nov 4, 2024 at 10:34 AM Gerald Vogt <vogt@spamcop.net> wrote:
Hi,
On 04.11.24 02:06, Mark Sapiro wrote:
On 11/3/24 11:31, Arte Chambers via Mailman-users wrote:
We should probably cover this in the docs, but for /etc/mailman3, you should do
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
Then you can create all the subordinate files as the mailman user. For other things like the systemd service and the postfix and web server configs, you need to do them as root (via sudo).
Is it really necessary that the mailman user can write that directory? For most services, directories and files in /etc/ may be readable for the service but usually not writable as you don't want the service itself to change its core configuration.
On your server it looks like this:
# ls -la /etc/mailman3
total 28
drwxr-xr-x.  2 root mailman   95 Oct 25 08:12 .
drwxr-xr-x. 99 root root    8192 Oct 29 07:42 ..
-rw-r--r--.  1 root mailman  266 Oct 25 07:37 gunicorn.conf
-rw-r-----.  1 root mailman   92 Nov 21  2023 mailman-hyperkitty.cfg
-rw-r-----.  1 root mailman  797 Sep  9 11:20 mailman.cfg
-rw-r-----.  1 root mailman 3015 Oct 25 08:12 settings.py
and it works just fine.
True, but making the mailman user own the files makes life easier when you operate from the virtualenv - you do not have to exit the virtualenv to edit the files in /etc/mailman3, and then re-enter the virtualenv. You do not have to give the mailman user sudoer rights. That's the whole point about the below:
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 04.11.24 09:13, Odhiambo Washington via Mailman-users wrote:
On Mon, Nov 4, 2024 at 10:34 AM Gerald Vogt <vogt@spamcop.net> wrote:
On your server it looks like this:
# ls -la /etc/mailman3
total 28
drwxr-xr-x.  2 root mailman   95 Oct 25 08:12 .
drwxr-xr-x. 99 root root    8192 Oct 29 07:42 ..
-rw-r--r--.  1 root mailman  266 Oct 25 07:37 gunicorn.conf
-rw-r-----.  1 root mailman   92 Nov 21  2023 mailman-hyperkitty.cfg
-rw-r-----.  1 root mailman  797 Sep  9 11:20 mailman.cfg
-rw-r-----.  1 root mailman 3015 Oct 25 08:12 settings.py
and it works just fine.
True, but making the mailman user own the files makes life easier when you operate from the virtualenv - you do not have to exit the virtualenv to edit the files in /etc/mailman3, and then re-enter the virtualenv.
The virtualenv doesn't change the current uid. That doesn't make a difference.
You do not have to give the mailman user sudoer rights. That's the whole point about the below:
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
Well, that essentially was my question: why does the mailman user require sudo rights? Why does it need to be able to write or change those files/directories? Except for the convenience which isn't a reason to weaken security.
In respect to security, i.e. separation of the service user from write access to its core configuration files, it should not be done unless absolutely necessary. I haven't seen a reason, yet, and our server runs just fine. That's why I am asking.
Thanks,
Gerald
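The separation discussed in this message can be checked mechanically. The following is an added example, not code from the thread or from the Mailman project: a POSIX shell function that flags paths in a config directory that the service account owns, or can write to through group or world permission bits. The function names, the constructed sample tree and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag config paths the service account can modify.
# Usage: audit_conf_dir DIR SERVICE_USER SERVICE_GROUP
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
# Assumes GNU stat (coreutils), as shipped on Ubuntu.
audit_conf_dir() {
    dir=$1 svc_user=$2 svc_group=$3 found=0
    for path in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue          # skip glob patterns that matched nothing
        owner=$(stat -c '%U' "$path")
        group=$(stat -c '%G' "$path")
        mode=$(printf '%04d' "$(stat -c '%a' "$path")")   # e.g. 0640, 0755
        rest=${mode#??}                     # last two octal digits: group, other
        g=${rest%?} o=${rest#?}
        if [ "$owner" = "$svc_user" ]; then
            echo "$path: owned by $svc_user (owner can write or chmod)"; found=1
        fi
        if [ "$group" = "$svc_group" ] && [ $((g & 2)) -ne 0 ]; then
            echo "$path: group $svc_group has write permission (mode $mode)"; found=1
        fi
        if [ $((o & 2)) -ne 0 ]; then
            echo "$path: world-writable (mode $mode)"; found=1
        fi
    done
    return "$found"
}

# Constructed sample tree using the modes from the listing in the thread.
# Ownership stays with whoever runs this, since chown to root needs root.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    chmod 755 "$t"
    for f in gunicorn.conf:644 mailman-hyperkitty.cfg:640 mailman.cfg:640 settings.py:640; do
        : > "$t/${f%%:*}" && chmod "${f##*:}" "$t/${f%%:*}"
    done
    echo "$t"
}
```

On a host laid out like the root:mailman listing quoted above, audit_conf_dir /etc/mailman3 mailman mailman prints nothing and returns 0. After chown mailman:mailman /etc/mailman3 it reports the directory, and any file the mailman user then creates in it.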
On Mon, Nov 4, 2024 at 12:36 PM Gerald Vogt <vogt@spamcop.net> wrote:
On 04.11.24 09:13, Odhiambo Washington via Mailman-users wrote:
On Mon, Nov 4, 2024 at 10:34 AM Gerald Vogt <vogt@spamcop.net> wrote:
On your server it looks like this:
# ls -la /etc/mailman3
total 28
drwxr-xr-x.  2 root mailman   95 Oct 25 08:12 .
drwxr-xr-x. 99 root root    8192 Oct 29 07:42 ..
-rw-r--r--.  1 root mailman  266 Oct 25 07:37 gunicorn.conf
-rw-r-----.  1 root mailman   92 Nov 21  2023 mailman-hyperkitty.cfg
-rw-r-----.  1 root mailman  797 Sep  9 11:20 mailman.cfg
-rw-r-----.  1 root mailman 3015 Oct 25 08:12 settings.py
and it works just fine.
True, but making the mailman user own the files makes life easier when you operate from the virtualenv - you do not have to exit the virtualenv to edit the files in /etc/mailman3, and then re-enter the virtualenv.
The virtualenv doesn't change the current uid. That doesn't make a difference.
You do not have to give the mailman user sudoer rights. That's the whole point about the below:
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
Well, that essentially was my question: why does the mailman user require sudo rights?
Mark did not say that the mailman user required sudo access. Please re-read what he said.
Why does it need to be able to write or change those files/directories? Except for the convenience which isn't a reason to weaken security.
Make me understand how the security is weakened. The Mailman user account has no password so cannot login from outside. Even if it was able to login, it will still end up only accessing $home and /etc/mailman3, no?
In respect to security, i.e. separation of the service user from write access to its core configuration files, it should not be done unless absolutely necessary.
Sorry, I didn't understand that.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
I'm also running into permission errors with Postgres - user does not have permissions on public schema. I didn't see anything in the docs about how to grant proper access to these tables.
Thank you, Paul 'Arte Chambers' Robey 502-408-6922
On 11/13/24 17:05, Arte Chambers via Mailman-users wrote:
I'm also running into permission errors with Postgres - user does not have permissions on public schema. I didn't see anything in the docs about how to grant proper access to these tables.
This is an issue due to changes in PostgreSQL 15.0. An update to the docs is in progress. See https://gitlab.com/mailman/mailman-suite-doc/-/merge_requests/160
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Thu, Nov 14, 2024 at 4:05 AM Arte Chambers <paul.m.robey@gmail.com> wrote:
I'm also running into permission errors with Postgres - user does not have permissions on public schema. I didn't see anything in the docs about how to grant proper access to these tables.
Off the top of my head, this is what I used to do, but the same issue has been discussed several times on the list.
# sudo -u postgres psql
# \c mailman postgres
# GRANT ALL ON SCHEMA public to mailman;
# \c mailmanweb postgres
# GRANT ALL ON SCHEMA public to mailman;
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
participants (5): Arte Chambers, Gerald Vogt, Mark Sapiro, Odhiambo Washington, Ron / BCLUG