3

I just upgraded from Ubuntu server to 14.0.4 LTS and I can no longer access Mailman via the Web Interface. I get a 403 forbidden error (Forbidden: You don't have permission to access /cgi-bin/mailman/). I've gone over the apache configuration a few times now and don't see the issue.

I am running Apache 2.4.7 and Mailman 2.1.16. Here is the configuration in my /etc/mailman/apache2.conf. I'm not sure where else to look at this point. Could it be a virtual host issue?

```apache
# Logos:
Alias /images/mailman/ /usr/share/images/mailman/

# Use this if you don't want the "cgi-bin" component in your URL:
# In case you want to access mailman through a shorter URL you should enable
# this:
#ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
# In this case you need to set the DEFAULT_URL_PATTERN in
# /etc/mailman/mm_cfg.py to http://%s/mailman/ for the cookie
# authentication code to work.  Note that you need to change the base
# URL for all the already-created lists as well.

<Directory /usr/lib/cgi-bin/mailman/>
    AllowOverride all
    Options +ExecCGI
    AddHandler cgi-script .cgi index.cgi
    Order allow,deny
    Allow from all
</Directory>
<Directory /var/lib/mailman/archives/public/>
    Options +FollowSymlinks
    AllowOverride all
    Order allow,deny
    Allow from all
</Directory>
<Directory /usr/share/images/mailman/>
    AllowOverride all
    Order allow,deny
    Allow from all
</Directory>
```
user2643864
  • Thank you! And now, as you have reached reputation 15, you can even upvote the answers, if you think they are good. This gives 10 reputation points to the answering person, too, which is also considered a big reward. – peterh Jan 22 '15 at 10:51

1 Answer

3

No, it is surely not a virtualhost problem.

(1)

You get a 403 error not only if your Apache config doesn't allow these directories, but also if Apache itself doesn't have permission to reach the directory.

You can test this very easily: simply su to the Apache user (`su www-data -c /bin/bash`) and try to enter the named directory, list it, read files from it, etc., just as Apache did when serving your request.

(2)

Anyway, the Apache error.log normally contains a relatively clear and understandable reason why such a request couldn't be served.

(3)

Besides that, what could also work: you could stop Apache and then restart it under strace. So:

```
strace -s 200 -f -o trace.txt apachectl start
```

It will be slow, but you will get a very detailed log in trace.txt, where you will be able to find out exactly what the problem was. Unfortunately, this whole trick is probably very cryptic for you.

(4) The probable solution:

Between Apache 2.2 and 2.4 the config file syntax changed a little bit. Your Ubuntu upgrade probably upgraded Apache, but didn't change the config. Read this to get a more detailed answer: https://httpd.apache.org/docs/2.4/upgrading.html#access.

peterh
  • Strange... When I try to do an 'su www-data -c /bin/bash', I get the error that "This account is currently not available", although it is listed in /etc/passwd. Maybe it is because the shell is set to /usr/sbin/nologin? Anyway, I couldn't run that test. When I look at the error.log, I see the following: AH01630: client denied by server configuration: /usr/lib/cgi-bin/mailman/admindb – user2643864 Jan 22 '15 at 09:22
  • @user2643864 Yes, maybe `su www-data -s /bin/bash` would be the solution. – peterh Jan 22 '15 at 09:24
  • So I was able to su to the www-data user and I can cd, list, read files in that directory. Any other thoughts? – user2643864 Jan 22 '15 at 09:27
  • @user2643864 1: Can you also execute them? 2: What is in error log? – peterh Jan 22 '15 at 09:29
  • So I just changed directories into /var/lib/mailman/cgi-bin and then tried to execute admindb using ./admindb. I got the following error on the command-line. I didn't see anything in the apache error.log.

    Bug in Mailman version 2.1.16

    We're sorry, we hit a bug!

    Please inform the webmaster for this site of this problem. Printing of traceback and other system information has been explicitly inhibited, but the webmaster can find this information in the Mailman error logs.

    – user2643864 Jan 22 '15 at 09:36
  • @user2643864 No, it is not a bug in Mailman, it simply doesn't work because it is not intended to be called from the command line. You needed to test whether the Apache user has permission to call a binary there. Now we know it has. I ask you one last time: is there anything in the Apache error log? – peterh Jan 22 '15 at 09:38
  • With the last test that I ran from the command-line there wasn't anything in the apache error.log. However, when I use the web interface I see the following in the apache error.log. **AH01630: client denied by server configuration: /usr/lib/cgi-bin/mailman/admindb** – user2643864 Jan 22 '15 at 09:40
  • 1
    @user2643864 Finally I found the probable cause, it was caused by the apache upgrade, read the end of my answer, here is the link explaining what you had to change. Essentially, you had to change the "Order" and "Allow" and "Deny" tags to a simple "Require all granted" line. – peterh Jan 22 '15 at 09:44
  • Not seeing the link. Could you resend? – user2643864 Jan 22 '15 at 09:51
  • **YOU'RE AWESOME** Thank you so much. That solved it! I just replaced those lines with "Require all granted". I appreciate your help. – user2643864 Jan 22 '15 at 09:58
  • @user2643864 Wonderful! Now, if you are satisfied with an answer, you can officially accept it by clicking the pipe icon on the left. This is a big reward to the answering person. Thank you! – peterh Jan 22 '15 at 09:59
  • @user2643864 (And, after your reputation reached "15", you will be able to even upvote answers. You are now on 13.) – peterh Jan 22 '15 at 10:03
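
The fix that resolved this thread generalizes to any config carried over from Apache 2.2. The following is an added example, not code from the thread or from the Apache or Mailman projects: it scans a config for sections that still use `Order`/`Allow`/`Deny` and proposes the 2.4 `Require` line for the two simplest patterns covered in the upgrading guide linked in the answer. The second sample section (`/srv/example-private/`, `192.0.2.0/24`) is a constructed, hypothetical entry.

```python
import re

# Constructed sample: first block is from the question, second is hypothetical.
SAMPLE = """<Directory /usr/lib/cgi-bin/mailman/>
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>
<Directory /srv/example-private/>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Directory>
"""
OPEN = re.compile(r"^\s*<(?:Directory|Location|Files)(?:Match)?\s+(.+?)>\s*$", re.I)
CLOSE = re.compile(r"^\s*</(?:Directory|Location|Files)", re.I)
LEGACY = re.compile(r"^\s*(Order|Allow|Deny|Satisfy)\b\s*(.*?)\s*$", re.I)

def suggest(allow, deny):
    """Map the two simplest 2.2 patterns to 2.4 syntax; anything else needs review."""
    if allow == ["all"] and not deny:
        return "Require all granted"
    if deny == ["all"] and not allow:
        return "Require all denied"
    return None  # host/IP rules: translate by hand (Require host / Require ip)

def audit(conf_text):
    """Return one finding per section that still uses 2.2 access directives."""
    findings, cur = [], None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives have no effect
        m = OPEN.match(line)
        if m:
            cur = {"section": m.group(1), "legacy_lines": [], "allow": [], "deny": []}
        elif cur is not None and CLOSE.match(line):
            if cur["legacy_lines"]:
                cur["suggestion"] = suggest(cur.pop("allow"), cur.pop("deny"))
                findings.append(cur)
            cur = None
        elif cur is not None and (m := LEGACY.match(line)):
            cur["legacy_lines"].append(lineno)
            name, args = m.group(1).lower(), m.group(2).lower().split()
            if name in ("allow", "deny") and args[:1] == ["from"]:
                cur[name].extend(args[1:])
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with `suggestion` set to `None` marks a section whose host or IP rules should be translated by hand rather than replaced with a blanket grant.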