Re: [Mailman-Users] CGI account shouldn't be part of mailman group, but...
John Dennis said:

> Just to expand a bit on something I should have elaborated: There is exactly one member of the mailman group, the user mailman. When the MTA or web server want to perform a mailman operation it invokes what is called a wrapper. The wrappers are group mailman and are setgid, this means the wrapper executes as the group mailman even if the MTA or web server invoked it. The wrapper performs a security check on the process that invoked it to assure only permitted users have permission to invoke the wrapper, only the MTA is allowed to invoke the mail wrapper, only the web server is allowed to invoke the CGI wrapper.

OK. If I'm following this correctly, Mailman is run as setgid mailman, so whatever calls it acts as though it were in the mailman group. To prevent abuse of this, Mailman allows only those who pass its security check to call it.

I'm running SUSE, which uses a mailman-cgi-gid file, instead of compiling this option into Mailman itself. If I've got this right, Mailman compares this file with the GID of the process calling it. If they match, then the process goes ahead.

My mailman-cgi-gid file contains one number -- 8, which is the user nobody. In order to prevent Mailman from crashing with horrendous permissions problems on locks and such, I had to change many files to be owned by nobody.

I suppose that nobody doesn't have to be part of the mailman group, and that's where I went off the path?

Thanks for the info!

~Poster

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
Re: [Mailman-Users] CGI account shouldn't be part of mailman group, but...
On Tue, 2005-07-12 at 19:20 -0400, Poster wrote:

> OK. If I'm following this correctly, Mailman is run as setgid mailman, so whatever calls it acts as though it were in the mailman group. To prevent abuse of this, Mailman allows only those who pass its security check to call it.
>
> I'm running SUSE, which uses a mailman-cgi-gid file, instead of compiling this option into Mailman itself. If I've got this right, Mailman compares this file with the GID of the process calling it. If they match, then the process goes ahead.
>
> My mailman-cgi-gid file contains one number -- 8, which is the user nobody. In order to prevent Mailman from crashing with horrendous permissions problems on locks and such, I had to change many files to be owned by nobody.

I can't speak for SuSE, but I think your mailman-cgi-gid file should have been modified to have the uid that apache (or whatever httpd server you're running) runs as. You shouldn't need to modify the owner/group/permissions of any of the mailman files (or any other files). But like I said I'm not a SuSE expert; they may have done something different, but my expectation is they replaced the configure option --with-cgi-gid with a file read of mailman-cgi-gid so it's not hardcoded into the wrapper.

> I suppose that nobody doesn't have to be part of the mailman group, and that's where I went off the path?

Yes, I believe that would be a mistake and you may need to go back and undo those file changes :-(

mailman_install_dir/bin/fix_perms might be helpful; the -f option will fix the files.

--
John Dennis [EMAIL PROTECTED]
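The check the thread is describing, as an added illustration that is not Mailman's own wrapper source: a setgid binary compares the *real* GID of whoever invoked it (getgid()) against a single allowed GID, while its *effective* GID (getegid()) is already the mailman group courtesy of the setgid bit. The allowed value is either compiled in or, as on the SUSE build Poster describes, read from a file holding one number. The file path below is a placeholder assumption, not a path given anywhere in the thread; the parsing rules (exactly one non-negative decimal number, trailing whitespace tolerated) are likewise my choice.

```c
/*
 * Added example, not Mailman's code: the shape of the real-GID check a
 * setgid wrapper performs before doing anything on behalf of its caller.
 *
 * Once the binary runs, getegid() is the mailman group (setgid bit);
 * getgid() is the REAL group of the invoker: the web server's group for
 * the CGI wrapper, the MTA's group for the mail wrapper.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical location of the one-number GID file (assumption: the thread
 * names the file but not its directory). */
#define GID_FILE "/etc/mailman/mailman-cgi-gid"

/* Parse a file body such as "8\n" into a gid.  Returns 0 on success, -1 if
 * the text is not exactly one non-negative decimal number (leading
 * whitespace, signs and trailing junk are all rejected). */
int parse_gid_text(const char *text, gid_t *out)
{
    char *end;
    unsigned long v;

    if (text == NULL || !isdigit((unsigned char)*text))
        return -1;
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end != '\0') {              /* only trailing whitespace allowed */
        if (!isspace((unsigned char)*end))
            return -1;
        end++;
    }
    *out = (gid_t)v;
    return 0;
}

/* Read the allowed GID from `path`.  Returns 0 on success, -1 on any error
 * (unreadable file, malformed contents). */
int read_gid_file(const char *path, gid_t *out)
{
    char buf[64];
    size_t n;
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return parse_gid_text(buf, out);
}

/* The security decision itself: the invoker's real GID must equal the one
 * allowed GID.  Group *membership* is never consulted, so the web server
 * user does not need to be in group mailman and adding it there changes
 * nothing; the setgid bit is what grants the mailman group. */
int invoker_allowed(gid_t real_gid, gid_t allowed_gid)
{
    return real_gid == allowed_gid;
}

int main(void)
{
    gid_t allowed;
    gid_t real = getgid();      /* who called us */
    gid_t eff  = getegid();     /* mailman, if the binary is setgid mailman */

    if (read_gid_file(GID_FILE, &allowed) != 0) {
        fprintf(stderr, "cannot read allowed GID from %s\n", GID_FILE);
        return 2;
    }
    if (!invoker_allowed(real, allowed)) {
        /* Refuse before touching any list data, locks or archives. */
        fprintf(stderr,
                "Group mismatch: expected caller gid %lu, got %lu (egid %lu)\n",
                (unsigned long)allowed, (unsigned long)real, (unsigned long)eff);
        return 1;
    }
    /* Check passed: a real wrapper would now exec the script with egid mailman. */
    printf("caller gid %lu accepted; running with egid %lu\n",
           (unsigned long)real, (unsigned long)eff);
    return 0;
}
```

Two practical consequences follow from this shape. First, the number in the file must be the GID the web server actually runs its CGIs as; if that is not 8 on a given system, the wrapper will reject every request no matter who owns the files. Second, because the wrapper itself supplies the mailman group, the files, locks and archives stay owned by mailman:mailman, which is what bin/fix_perms restores.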