[Mailman-Users] CGI account shouldn't be part of mailman group, but...

2005-07-12 Thread Poster

Ok, according to the docs, if the account that runs CGI scripts is a
member of the mailman group, then private archives can be seen by
everyone. This is a bad thing. However, in order for apache to update
files in the mailman paths (like locks and such), these files have to
be writable by the CGI user. So either the CGI user is a member of the
mailman group, or the directory is left readable, writable, and
executable by members not of the group! Hopefully, I'm missing
something. Any ideas?

Thanks,
~Poster

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] CGI account shouldn't be part of mailman group, but...

2005-07-12 Thread John Dennis
On Tue, 2005-07-12 at 17:34 -0400, Poster wrote:
> Ok, according to the docs, if the account that runs CGI scripts is a
> member of the mailman group, then private archives can be seen by
> everyone. This is a bad thing. However, in order for apache to update
> files in the mailman paths (like locks and such), these files have to
> be writable by the CGI user. So either the CGI user is a member of the
> mailman group, or the directory is left readable, writable, and
> executable by members not of the group! Hopefully, I'm missing
> something. Any ideas?

I think you might be missing something. The account that runs CGI
scripts is *NOT* a member of the mailman group; rather, the cgi wrapper
transitions to the mailman group via setgid, thus it's only mailman
operations that are executing as group mailman. In addition, private
mailman archives are authenticated by mailman. I don't think the problem
you're concerned about exists, unless perhaps I've misunderstood you.
You might find this FAQ helpful:


6.16. Understanding group mismatch errors - how mailman implements
security
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.016.htp

-- 
John Dennis [EMAIL PROTECTED]



Re: [Mailman-Users] CGI account shouldn't be part of mailman group, but...

2005-07-12 Thread John Dennis
Just to expand a bit on something I should have elaborated:

There is exactly one member of the mailman group, the user mailman. When
the MTA or web server wants to perform a mailman operation it invokes
what is called a wrapper. The wrappers are group mailman and are setgid;
this means the wrapper executes as the group mailman even if the MTA or
web server invoked it. The wrapper performs a security check on the
process that invoked it to assure only permitted users have permission
to invoke the wrapper: only the MTA is allowed to invoke the mail
wrapper, only the web server is allowed to invoke the CGI wrapper.
-- 
John Dennis [EMAIL PROTECTED]
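The check John describes above, as an added illustration that is not Mailman's own wrapper source: a setgid wrapper compares the real gid of whoever invoked it against the single caller it is built for (the web server for the CGI wrapper, the MTA for the mail wrapper) and confirms that the setgid bit actually made it group mailman before it would hand off to the real script. The gids 48 and 1001, the function names and the wording of the diagnostic are constructed for this example.

```c
/* Added illustration (not Mailman's own wrapper code): the permission
 * check a setgid wrapper performs before handing off to the real script.
 * The group ids below are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed gids: a wrapper is built for exactly one permitted caller. */
#define EXAMPLE_WEBSERVER_GID ((gid_t)48)   /* assumed gid of the web server */
#define EXAMPLE_MAILMAN_GID   ((gid_t)1001) /* assumed gid of group mailman  */

/* Result codes returned by wrapper_check(). */
enum wrapper_status {
    WRAPPER_OK = 0,
    WRAPPER_GROUP_MISMATCH = 1, /* caller's real gid is not the permitted one */
    WRAPPER_NOT_SETGID = 2      /* effective gid is not mailman: setgid lost  */
};

/*
 * Decide whether the wrapper may proceed.
 *   real_gid      - gid of the process that invoked us (getgid())
 *   effective_gid - gid we are running as after setgid (getegid())
 *   permitted_gid - the one caller this wrapper accepts
 *   mailman_gid   - the group the setgid bit should have given us
 * On failure a diagnostic in the spirit of Mailman's "group mismatch
 * error" is written to err (when err is non-NULL).
 */
enum wrapper_status wrapper_check(gid_t real_gid, gid_t effective_gid,
                                  gid_t permitted_gid, gid_t mailman_gid,
                                  char *err, size_t errlen)
{
    if (real_gid != permitted_gid) {
        if (err)
            snprintf(err, errlen,
                     "Group mismatch error: wrapper expected to be invoked "
                     "as group %lu but was invoked as group %lu",
                     (unsigned long)permitted_gid, (unsigned long)real_gid);
        return WRAPPER_GROUP_MISMATCH;
    }
    if (effective_gid != mailman_gid) {
        if (err)
            snprintf(err, errlen,
                     "Wrapper is not running as group %lu (effective gid %lu); "
                     "check the setgid bit and group ownership of the wrapper",
                     (unsigned long)mailman_gid, (unsigned long)effective_gid);
        return WRAPPER_NOT_SETGID;
    }
    if (err && errlen)
        err[0] = '\0';
    return WRAPPER_OK;
}

/* Run the check against the live credentials of this process. */
enum wrapper_status cgi_wrapper_check(char *err, size_t errlen)
{
    return wrapper_check(getgid(), getegid(),
                         EXAMPLE_WEBSERVER_GID, EXAMPLE_MAILMAN_GID,
                         err, errlen);
}

int main(void)
{
    char err[256];
    enum wrapper_status st = cgi_wrapper_check(err, sizeof err);
    if (st != WRAPPER_OK) {
        fprintf(stderr, "%s\n", err);
        return 2;
    }
    /* A real wrapper would now sanitise its environment and execv() the
     * target script. It keeps running as group mailman, so the web
     * server account itself never needs to be in the mailman group and
     * the private archives never need to be readable by it. */
    puts("caller permitted; running as group mailman");
    return 0;
}
```

Run as an unprivileged user the program reports a group mismatch, which is the same failure mode the FAQ on group mismatch errors describes: the wrapper refuses to run for anyone but its intended caller, and group membership of the web server account plays no part in the decision.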
