[Balug-test] Debian bug: mailman: Re: Archives not-->now working (need Require all granted in <Directory /var/lib/mailman/archives/public/>)
Michael Paoli
Michael.Paoli@cal.berkeley.edu
Tue Jul 11 07:23:01 PDT 2017
Most relevant bit found among Debian bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669813#36

The new apache security model requires adding this to the
Directory stanza for mailman:

    Require all granted

But that's not particularly detailed, most notably omits
mention of
    /etc/mailman/apache.conf
and the
    <Directory /var/lib/mailman/archives/public/>
section within.

Recommended to (mostly) fix mailman 1:2.1.18-2+deb8u1 amd64:
$ diff -U 5 etc/mailman/apache.conf.bug_669813 etc/mailman/apache.conf
--- etc/mailman/apache.conf.bug_669813 2016-09-14 23:05:02.000000000 -0700
+++ etc/mailman/apache.conf 2017-07-11 07:01:29.116879436 -0700
@@ -26,10 +26,11 @@
<Directory /var/lib/mailman/archives/public/>
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
+ Require all granted
</Directory>
<Directory /usr/share/images/mailman/>
AllowOverride None
Order allow,deny
Allow from all
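Review bot: In the <Directory /var/lib/mailman/archives/public/> stanza the added "Require all granted" sits beside the existing "Order allow,deny" / "Allow from all" pair, so the block mixes 2.2-style and 2.4-style access control. The Apache 2.4 upgrade notes discourage mixing the two, so consider replacing the pair with the Require line rather than appending to it. The <Directory /usr/share/images/mailman/> stanza in the trailing context carries the same Order/Allow pair with no Require line and probably needs the same change.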
$
At least that's the case for Jessie (presently oldstable)
(
Debian GNU/Linux 8.8 (jessie) x86_64
mailman 1:2.1.18-2+deb8u1 amd64
apache2 2.4.10-10+deb8u9 amd64
)
I haven't (at least yet) checked to see if there's a patch applied
yet for newer than mailman 1:2.1.18-2+deb8u1 amd64 that may cover
that fix.

In the meantime, for a work-around for at least those versions,
in Apache configuration, in addition to (which I added):
    Include ../mailman/apache.conf
(or
    Include /etc/mailman/apache.conf
or equivalent
)
also add (and if the above is used via Include, use this *after* the above):
    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

> From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
> Subject: Archives now working: BALUG-Test list
> Date: Tue, 11 Jul 2017 00:36:28 -0700
>
> Archives are now working.
> Relevant bit ... I ought (when I get around to it) check if there's
> bug filed (it may already be fixed even - but not yet to stable).
>
> The missing bit ... I'd (rather than redundantly copied/maintain) used:
> (relative to /etc/apache2):
>     Include ../mailman/apache.conf
> in file sites-available/Include/temp.balug.org
> that was almost all well fine and good (I'd reviewed
> ./mailman/apache.conf earlier). But it left out one key needed bit,
> it has:
>     <Directory /var/lib/mailman/archives/public/>
>         Options FollowSymlinks
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
> but needs:
>     <Directory /var/lib/mailman/archives/public/>
>         Options FollowSymlinks
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>         Require all granted
>     </Directory>
>
> My relatively simple fix,
> add to file
>     sites-available/Include/temp.balug.org
>     <Directory /var/lib/mailman/archives/public/>
>         Options FollowSymlinks
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>         Require all granted
>     </Directory>
> after:
>     Include ../mailman/apache.conf
> ... Apache doesn't seem to care about the same
>     <Directory /var/lib/mailman/archives/public/>
> appearing twice, and seems in that case to just use the latter fine,
>
> So ... /etc/mailman/apache.conf
> should have included but failed to include, in its section:
>     <Directory /var/lib/mailman/archives/public/>
> the line:
>     Require all granted
> So ... I think I'd call that a "bug" - even if it's documentation
> errata. Might be a Debian specific patch needed, as other
> distributions and/or Apache may have different defaults on
> that security.

https://temp.balug.org/pipermail/balug-test/2017-July/000004.html
temp.balug.org will in future be moved to lists.balug.org, so that
will become:
https://lists.balug.org/pipermail/balug-test/2017-July/000004.html
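
A check for the condition the message describes, added here as an example (it is not part of the original post, nor Debian's or Mailman's code): it reports container sections that carry only the 2.2-style Order/Allow/Deny lines with no Require line. The function name audit_access and the sample text are assumptions; the sample is constructed from the two stanzas quoted above, with the second one closed by hand.

```python
import re

# Container open/close tags such as <Directory /path/> ... </Directory>
OPEN = re.compile(r"^<(Directory|DirectoryMatch|Location|Files)\s+(.+?)>$", re.I)
CLOSE = re.compile(r"^</(Directory|DirectoryMatch|Location|Files)>$", re.I)
LEGACY = {"order", "allow", "deny", "satisfy"}  # Apache 2.2-style access control


def audit_access(conf_text):
    """Return [(section_argument, status)] for sections with access directives.

    status is 'legacy-only' (no Require line), 'mixed' or 'require-only'.
    Include directives are not followed and repeated sections are not merged.
    """
    results, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append({"arg": opened.group(2).strip('"'), "legacy": False, "require": False})
        elif CLOSE.match(line) and stack:
            sec = stack.pop()
            if sec["legacy"] and sec["require"]:
                results.append((sec["arg"], "mixed"))
            elif sec["legacy"]:
                results.append((sec["arg"], "legacy-only"))
            elif sec["require"]:
                results.append((sec["arg"], "require-only"))
        elif stack:
            directive = line.split()[0].lower()
            if directive in LEGACY:
                stack[-1]["legacy"] = True
            elif directive == "require":
                stack[-1]["require"] = True
    return results


# Constructed sample: the two stanzas quoted in the post, the second closed by hand.
SAMPLE = """\
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
<Directory /usr/share/images/mailman/>
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

if __name__ == "__main__":
    for arg, status in audit_access(SAMPLE):
        print(f"{status:12} {arg}")
```

Run it against the text of /etc/mailman/apache.conf and of any site file that repeats the stanza; files pulled in via Include have to be passed in separately.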