
Bug 396561

Summary: net-mail/mailman-2.1.20 installs CGIs non-world-readable, breaks under lighttpd
Product: Gentoo Linux
Reporter: Christopher Head <bugs>
Component: [OLD] Server
Assignee: Hanno Böck <hanno>
Severity: normal
CC: net-mail
Priority: Normal
Keywords: InVCS, UPSTREAM
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---

Description Christopher Head 2011-12-31 00:34:08 UTC
The files in /usr/lib/mailman/cgi-bin are by default installed as world-executable and SGID, but not world-readable (specifically, mode 2751). This is fine in Apache, but in Lighttpd breaks things because Lighttpd demands to be able to open a file in O_RDONLY mode before it will serve it, even if the file in question is a CGI. I reported this bug at <>, but it has been closed WONTFIX. I can see no possible good reason to make a pile of ELF binaries installed as part of a publicly-available package *not* be world-readable, so could they be mode 2755 instead?

Reproducible: Always

# emerge --info net-mail/mailman
Portage (default/linux/x86/10.0, gcc-4.5.3, glibc-2.13-r4, 3.0.6-gentoo i686)
                        System Settings
System uname: Linux-3.0.6-gentoo-i686-Intel-R-_Pentium-R-_4_CPU_3.00GHz-with-gentoo-2.0.3
Timestamp of tree: Thu, 29 Dec 2011 21:15:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo hawk777
CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer -mfpmath=sse"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe -fomit-frame-pointer -mfpmath=sse"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_CA"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="bzip2 caps cdb cli ctype cups curl cxx dri extensions gd glibc-omitfp gmp hash hpn iconv idn modules multiuser mysqli mysqlnd ncurses nls nptl nptlonly openmp pam pcre pdo posix pppd readline session sockets sse2 symlink sysfs threads truetype unicode vhosts vim-syntax x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_digest authn_file authz_host authz_user dav deflate dir env expires filter mime rewrite" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_CA" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

                        Package Settings

net-mail/mailman-2.1.14 was built with the following:

Comment 1 Chris Brannon (RETIRED) gentoo-dev 2014-01-12 01:02:06 UTC
I wasted about 2 hours of my life on this!
The problem is that portage strips the read bit from setuid and setgid
executables.  There are a couple ways to prevent it.
One is setting FEATURES=-sfperms when emerging mailman (not recommended).
There's also a suidctl feature described in the make.conf(5) manpage.
You could enable it and list all the ELF binaries in /etc/portage/suidctl.conf
I suppose...

I note that permissions for the CGI scripts are set to 2755 in src_install.
Any reason not to do this in pkg_postinst instead?
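
An added example, not part of the original bug thread: a shell audit for the condition discussed above, setuid/setgid files whose world-read bit is missing (mode 2751 rather than 2755). The function names and the sample tree are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# List setuid/setgid regular files under a directory that lack the
# world-read bit, i.e. files that a server which insists on opening its
# CGIs O_RDONLY as an unprivileged user cannot serve.

# audit_sbit_unreadable DIR
# Prints "MODE PATH" for every match, sorted by path.
audit_sbit_unreadable() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -perm -0004 \
        -exec stat -c '%a %n' {} + | sort -k2
}

# make_sample_tree DIR
# Constructed stand-in for a CGI directory such as /usr/lib/mailman/cgi-bin.
make_sample_tree() {
    mkdir -p "$1"
    for f in admin listinfo private; do
        printf '#!/bin/sh\n' > "$1/$f"
    done
    chmod 2751 "$1/admin"      # SGID without world-read: the reported mode
    chmod 2755 "$1/listinfo"   # SGID with world-read: the requested mode
    chmod 0755 "$1/private"    # no set-id bit, never reported
}

# When called with a directory argument, audit it.
if [ $# -gt 0 ]; then
    audit_sbit_unreadable "$1"
fi
```

Run against the real CGI directory after each emerge to see whether the read bit has been stripped again.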
Comment 2 zlg (RETIRED) gentoo-dev 2016-08-10 09:10:07 UTC
This bug hasn't been touched since 2014. net-mail/mailman is now at 2.1.20 and lighttpd is approaching 1.5.0. Can anyone reproduce or otherwise confirm this bug? If there's no reply within a week or so, I'll be marking this obsolete.

Comment 3 Christopher Head 2016-08-11 07:45:26 UTC
Mailman-2.1.20 still installs its CGIs mode 2751. I am no longer using Lighttpd as my Web server on the machine that runs Mailman, but I assume the problem still exists as, when I reported it there, the Lighttpd developers considered it not a bug and refused to consider fixing it.

Comment 4 zlg (RETIRED) gentoo-dev 2016-09-16 07:05:59 UTC
Upstream has acknowledged and fixed the bug in git[1], so merging lighttpd-9999 will get the fix immediately. It will be available in 1.4.42, which (for now) is what I'll be targeting next for stability as 1.4.40 and 1.4.41 have known problems.