codekasten/ezmlm-web-ng/ezmlm-web-2.1
2005-01-20 02:01:17 +00:00
..
CHANGES directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
ezmlm-web.cgi directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
ezmlmwebrc directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
htaccess.sample directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
index.c directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
README directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
TODO directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
UPGRADING directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00
webusers.sample directory structure for ezmlm-web-ng optimized 2005-01-20 02:01:17 +00:00

$Id: README,v 1.2 2000/09/25 17:57:21 guy Exp $

=================
| ezmlm-web-2.1 |
=================

Contents
========
   I.   Copyright Stuff
  II.   Some Background
 III.   Requirements
  IV.   Files
   V.   Installation
  VI.   Notes
 VII.   Multi-level list access
VIII.   Language Portability
  IX.   Bugs && Bug Reports
   X.   Acknowledgements
  XI.   Availability


I. Copyright Stuff - essentially the FreeBSD licence ...
==================
ezmlm-web - version 2.1 - 25/09/2000

Copyright (C) 1998, Guy Antony Halse, All Rights Reserved.
Please send bug reports and comments to guy-ezmlm@rucus.ru.ac.za

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

Neither name Guy Antony Halse nor the names of any contributors may be used
to endorse or promote products derived from this software without specific
prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS
IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

II. Some Background
===================
The need for ezmlm-web arose from the fact that we host many student
societies on our system. These societies usually have a virtual host for web
and email, which is administered by a computer rep from the society. These
computer reps often have little or no knowledge of Unix and so we needed a
user friendly system that would let the create and maintain mailing lists
(such as members@foo.soc.ru.ac.za, committee@foo.soc.ru.ac.za, etc).

Since I am never keen to re-invent the wheel, I had a look at Steve Peterson's
script (http://virtation.com/qmail/ml-sub), which allows people to subscribe 
and unsubscribe from mailing lists using a form->email gateway. This is fine 
for putting on a web page saying "here come and join our mailing list", but
doesn't really allow you to administrate a list.

Security of mailing lists was a concern, as we really didn't want
unauthorised people to be able to alter some users list. Ezmlm-web itself
implements no security checks (apart from un-tainting input) and so relies
on the web server to do this (re-inventing the wheel again :). We use an
Apache webserver, so one can control access to a directory using a .htaccess
file or in the access.conf file. ApacheWeek have a good article on doing
this at http://www.apacheweek.com/features/userauth. I also give examples
later in this document.

This version of ezmlm-web (2.0) is based to a large extent on previous
versions that I have developed. It has however been totally re-written to
make use of the Mail::Ezmlm perl module I wrote. At the same time it was
updated and extended to include the new features of ezmlm-idx. It includes 
many new features that have been suggested to me over the last few months,
and hopefully is now useful to a much larger group of people.

III. Requirements
=================
This version of ezmlm-web requires the following;

* qmail v1.03
* ezmlm v0.53 (idx v0.40)
* Perl v5.004 and the following modules;
  + Mail::Ezmlm v0.03 
  + Mail::Address v1.15
  + CGI v2.6 
  + CGI::Carp v1.06
  + DB_File v1.65
  + Getopt::Std v4.1
  + File::Find v?
  + File::Copy v2.02

The version number indicates the version of the module that ezmlm-web was
developed with. Earlier versions may work, but then they haven't been
tested. Have a look on http://www.CPAN.org/, http://www.qmail.org/, and
http://www.ezmlm.org/ for anything you are missing.

IV. Files
=========
In this distribution you should find 8 files;

README            This file. Provides some background information, notes on
                  installation, etc. Not needed to run ezmlm-web.

CHANGES           The change history. Not needed to run ezmlm-web

TODO              This file is a list of things I intend doing in future
                  versions of ezmlm-web. That is if there are any future
                  versions :) Not needed to run ezmlm-web.

ezmlm-web.cgi     The ezmlm-web script proper. This program requires that
                  you have perl5 installed on your machine and that your web
                  server is capable of running CGI scripts.

index.c           A C wrapper to allow ezmlm-web.cgi to run suid. Not
                  strictly necessary if your setup allows perl scripts to
                  run suid, but I prefer using wrappers anyway. It needs to
                  be edited and compiled to suit your system. Not needed to
                  run ezmlm-web.

htaccess.sample   A sample Apache .htaccess file for controlling access to
                  the mailing lists. If you use another web server, you will
                  have to work this bit out for yourself.

webusers.sample   A sample webusers file for multi-level access control.

V. Installation
===============
1.   Copy ezmlm-web.cgi to some publically readable directory. It does not
     have to be in a path accessible to your web server, but any user with a
     mailing list must be able to run it (Check the read and execute rights
     on both the file and directory). We put our copy in
     /usr/local/bin ...

3.   Edit the ezmlmwebrc file and alter the variables at the top to suit
     your particular system. In particular, you will probably have to change
     the $ENV{'PATH'} variable. Be particularly careful about what you set
     as the path. Too much is a security risk and too little will cause the
     script to malfunction. Version 2.0 requires that the following programs
     be accessible in your path; mv, rm

     Also be careful about the $LIST_DIR variable. This script assumes that
     all users store their mailing lists in the same sub directory of the
     home directory (eg ~/lists). You can override this for an individual
     user by recompiling the C wrapper to call ezmlm-web.cgi with a -d
     option.

     Other configurable options are documented in the ezmlmwebrc file
     itself. I have tried to keep the amount of information that you need to
     supply to a minimum and also make reasonable guesses about default
     values.

4.   Edit the index.c file and change the path to the path of your copy
     of ezmlm-web.cgi. Then compile this file. You can do this by issuing
     the command; gcc -o index.cgi index.c

5.   For every user/virtual host that needs to manage mailing lists, you
     need to create a SUID (user not root!!) copy of index.cgi (see
     chmod(1) for details). These need to reside somewhere accessible by 
     the web server. I suggest that you put them in a sub directory (see 
     about security) of each user/virtual host's home directory (eg
     /home/luser/public_html/ezmlm for Apache on Redhat). 

     The copies don't actually have to be called index.cgi, but it is nice
     for web servers that can resolve a cgi script as an index page (see the
     srm.conf file in Apache). It is important to make sure that whichever
     directory you choose to put them can i: Execute CGI Scripts and ii: Be
     access controlled (here I mean both web and user access) by some method
     (eg .htaccess, access.conf for Apache).

6.   Install some method of securing access to the page. The following
     information is applicable to Apache web servers ... Detailed
     information on user authentication can be obtained from the Apache
     documentation (http://www.apache.org) and ApacheWeek
     (http://www.apacheweek.com/features/userauth)

6.1  Ensure that your Apache setup will allow .htaccess file to control
     access in the directory that contains. This is controlled by the
     AllowOverride tag in access.conf. (Also ensure you have the
     necessary Apache modules installed)

6.2  Create a htpasswd file. This is done using the htpasswd command that
     comes with Apache. Its command line syntax is;
     htpasswd [-c] passwordfile username
   
     You need to put the passwordfile somewhere that is not accessible by
     people through the web, and create an entry for each user you want
     to have access ... See the ApacheWeek article for more details.

6.3  Create a .htaccess file in the directory that contains index.cgi.
     Note that using Apache's built in access control, you can only control
     access to directories, not individual files, hence the need for a
     sub-directory in step 5.

     The format of the .htaccess file should be along the lines of this;

       AuthName EZ Mailing List Manager
       AuthType Basic
       AuthUserFile /path/to/passwordfile
       require valid-user      # or require user username

     Again, see the ApacheWeek article for details.

7.   Test the installation through the web. You should be asked for a
     username and password (supplied in 6.2) and then be presented with a
     screen entitled EZ Mailing List Manger. You can then try to create and
     edit mailing lists ... Have Fun :)

VI. Notes
=========
* There is a function to delete mailing lists, but I really don't like the
  idea. The only reason I put it in is that bvi@rucus asked for it.
  If you set $UNSAFE_RD = 0 (the default) in the config section, the
  ezmlm-web won't actually delete the list. In this case it moves the <list> 
  to .<list> and all the associated .qmail files to a sub-directory called 
  deleted.qmail/ (In the users home directory. This is by far a safer way 
  (since you can restore lists) and therefore I recommend it.

* The HTML interface has been tested using Nutscrape, Internet Exploder, and
  Lynx. If anyone uses anything else and has problems, please let me know.

* I suggest that you make use of custom ezmlmwebrc files rather than using
  the -d command line switches - it makes fault diagnosis easier ...

* Please see the section on languages below.

VII. Multi-Level Access
=======================
Ezmlm-web has a multi-level access system. This depends on a file called
webusers being present in $LIST_DIR. If the file is not present, then any
valid user has access to all lists.  If, however, this file exists a number
of constraints come into place.

- The webusers file is scanned for either the list name (case insensitive) or
  an ALL (case sensitive) entry.
- The list entry (or ALL) is scanned for the current user (as set in
  $REMOTE_USER) or an ALL entry.
- If any valid match is made, then the user is allowed to edit the list.
  Otherwise the user is politely told to go away ;-)

If list creation is allowed and the webusers file exists, then the person who
creates the list is the default owner. As of yet there is no way to add users
through the web interface, but I intend to do this eventually.

The format of a webusers file is as follows;

list1: user1, user2, user3
ALL: user1, user2
list2: ALL

ie; listname colon (:) and a comma (,) separated list of users. Spaces are
ignored but each list must appear on a new line.

Once this file exists, the ezmlm-web script will allow the list users to
configure their access lists along with any other options.

Oh, and BTW, list creation through the web can now be disabled. The way to do
this is to compile the wrapper calling ezmlm-web.cgi with a -c switch. See the
example index.c file for more details.

VIII. Language Portablity
=========================
One of the great new features of version 2.0 is that it is essentially
language independant (okay, not quite, but is 99% of the way there). Most of
the fixed strings, help, etc is defined in the RC file and thus can be
altered to suite a particular locale, language or even your own taste.

If anyone gets round to writing full templates for languages I would
appreciate it if you would do two things;

Firstly, make them public and announce them on the ezmlm@lists.cr.yp.to
mailing list so that others may benefit.

Secondly, please mail me a copy (guy-ezmlm@rucus.ru.ac.za) so that I may use
them in any future releases of ezmlm-web.


IX. Bugs && Bug Reports
=======================
I don't know of any bugs, but then this is a rewrite and a first release. It
has been tested reasonably well, but not exhaustively. I know it works on
FreeBSD 4.0-STABLE, FreeBSD 3.4-RELEASE, RedHat 5.1 and Redhat 6.0 all using
an Apache web server, but I would be interested to know whether it works on
other OSs and with other web servers. This version is far less dependent on
the OS than previous versions so I don't see any reason why it shouldn't.

Please mail bug reports and comments to guy-ezmlm@rucus.ru.ac.za

X. Acknowledgements
===================
*  Keith Burdis (keith@rucus.ru.ac.za) - For constantly bugging me and
   ensuring that I actually got round to writing some code :)
*  Bryan Kilian (bryan@rucus.ru.ac.za) and the administrators of the
   Litestep mailing list - For helping beta test and putting up with me
   pestering them.
*  Several societies at Rhodes. For switching to my web interface and so
   unknowingly helping to beta test it.
*  Barry Irwin (bvi@moria.org) - For trusting me and moving the Grahamstown
   Foundation over to qmail and ezmlm - yet another beta tester :-)
*  David Summers (david@summersoft.fay.ar.us) - For some ideas. And for
   offering to make up an RPM version. I hope the offer still exists for
   version 2.0 :-)
*  Glen Stewart (glen_stewart@associate.com) - For a multitude of ideas.
*  Fred Lindberg (lindberg@id.wustl.edu) for his useful posts to the 
   mailing list, suggestions, help, etc
*  Galen Johnson (gjohnson@totalsports.net) - For some ideas on bugfixes.

XI. Availability
=================
The latest version of ezmlm-web will always be available on;
ftp://rucus.ru.ac.za/pub/mail/ezmlm/

More information on ezmlm-web and developments to ezmlm-web can be found at;
http://rucus.ru.ac.za/~guy/ezmlm/