Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-12 Thread Dave B
I am guessing that this is a bad idea but I want to ask anyway. PHP 
runs as the Apache user which is www. I have added www to the mailman 
group and this works. I have since removed it but wanted to see whether 
that created too much of a security risk?

Thanks - Dave

On Dec 10, 2005, at 12:38 PM, Mark Sapiro wrote:

> ----- Original Message -----
>
> Dave B wrote:
>
>> Does it use the umask setting? If so, it should be setting permissions
>> to 644 (umask is 022) instead of the 660 that it sets.
>
> It uses umask, but it sets it to 007 before creating the new file and
> restores it afterward, because it specifically doesn't want the file
> readable by 'other' as it contains plain text passwords. BTW, 644
> isn't good. It should be 664 (umask = 002) to do what you want as
> files should be group writable, but it isn't critical in the case of
> config.pck because it's always a new file that's written - the old one
> is only read.
>
>> Is there a way
>> to change what it uses as standard permissions?
>
> Only by changing the code in MailList.py.
>
> --
> Mark Sapiro [EMAIL PROTECTED]              The highway is for gamblers,
> San Francisco Bay Area, California         better use your sense - B. Dylan

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-12 Thread Mark Sapiro
Dave B wrote:

> I am guessing that this is a bad idea but I want to ask anyway. PHP
> runs as the Apache user which is www. I have added www to the mailman
> group and this works. I have since removed it but wanted to see whether
> that created too much of a security risk?

It allows apache to access Mailman files without going through the
Mailman cgi-bin wrappers. Of course, by making permissions = 664 on
config.pck, you allow even greater access to those files.

The problem is that if someone can craft a URL or XSS attack or ? to
retrieve a config.pck file directly, they can get the membership list
and the plain text member passwords. Also, they can do something
similar to get private archive files.

A perhaps better way to do this since you said in the OP that you are
the only one with shell access to the server, is to make the bin/
scripts you want to use group mailman and SETGID. Then they should
work no matter how they are run.

The best way is to do as John Dennis suggested and create a SETGID
wrapper to be executed by your PHP scripts. The wrapper would check to
ensure it was properly invoked before calling the appropriate bin/*
script.

-- 
Mark Sapiro [EMAIL PROTECTED]              The highway is for gamblers,
San Francisco Bay Area, California         better use your sense - B. Dylan



Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-10 Thread Dave B
Does it use the umask setting? If so, it should be setting permissions 
to 644 (umask is 022) instead of the 660 that it sets. Is there a way 
to change what it uses as standard permissions?

Thanks - Dave

On Dec 9, 2005, at 11:48 PM, Mark Sapiro wrote:

> Dave B wrote:
>
>> This works fine except that for some reason the permissions will
>> sometimes revert back to 660 and then the script won't work. Only one
>> config.pck file has to have 660 permissions for the script not to
>> work.
>> When I change that particular file back to 664 - the script works
>> again. Any ideas on what would cause the permissions to change back to
>> 660?
>
> The mail list Save() method effectively moves the current config.pck to
> config.pck.last and saves a new one (it's more complicated than this
> for safety, but this is the effect). Thus, every time any list
> attribute is changed and saved (i.e. whenever a post is processed or
> the admin or admindb interfaces are changed or a member changes
> options, etc., etc.), a new config.pck is created with 'standard'
> permissions.
>
> --
> Mark Sapiro [EMAIL PROTECTED]              The highway is for gamblers,
> San Francisco Bay Area, California         better use your sense - B. Dylan



Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-10 Thread Mark Sapiro


----- Original Message -----

Dave B wrote:

> Does it use the umask setting? If so, it should be setting permissions
> to 644 (umask is 022) instead of the 660 that it sets.


It uses umask, but it sets it to 007 before creating the new file and
restores it afterward, because it specifically doesn't want the file
readable by 'other' as it contains plain text passwords. BTW, 644
isn't good. It should be 664 (umask = 002) to do what you want as
files should be group writable, but it isn't critical in the case of
config.pck because it's always a new file that's written - the old one
is only read.


> Is there a way
> to change what it uses as standard permissions?


Only by changing the code in MailList.py.

-- 
Mark Sapiro [EMAIL PROTECTED]              The highway is for gamblers,
San Francisco Bay Area, California         better use your sense - B. Dylan



[Mailman-Users] Permissions problem accessing commands via php

2005-12-09 Thread Dave B
I am trying to create some php forms that use the shell_exec function 
to run some of the Mailman command line commands, e.g. I have a script
that lets an admin user enter an email address and then uses the 
find_member script to return all lists that email address is in. To do 
this I had to set the permissions on the config.pck files to 664 (I am 
the only one with shell access to the server).

This works fine except that for some reason the permissions will 
sometimes revert back to 660 and then the script won't work. Only one 
config.pck file has to have 660 permissions for the script not to work. 
When I change that particular file back to 664 - the script works 
again. Any ideas on what would cause the permissions to change back to
660?

I would also like to be able to add members or remove members etc using 
this method but I get permissions errors even if I change the 
permissions to 666 on all the files in particular list directory. Any 
ideas on what I would need to do to be able to do this?

Thanks for any help on this one.

Dave Bevis



Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-09 Thread John Dennis
On Fri, 2005-12-09 at 12:46 -0600, Dave B wrote:
> I am trying to create some php forms that use the shell_exec function
> to run some of the Mailman command line commands, e.g. I have a script
> that lets an admin user enter an email address and then uses the
> find_member script to return all lists that email address is in. To do
> this I had to set the permissions on the config.pck files to 664 (I am
> the only one with shell access to the server).
>
> This works fine except that for some reason the permissions will
> sometimes revert back to 660 and then the script won't work. Only one
> config.pck file has to have 660 permissions for the script not to work.
> When I change that particular file back to 664 - the script works
> again. Any ideas on what would cause the permissions to change back to
> 660?
>
> I would also like to be able to add members or remove members etc using
> this method but I get permissions errors even if I change the
> permissions to 666 on all the files in particular list directory. Any
> ideas on what I would need to do to be able to do this?
>
> Thanks for any help on this one.

Essentially you have two choices:

1) The php script executes as a member of the mailman group

2) The php script invokes a wrapper just like the CGI does. This is
preferred for a variety of security reasons. It would not be hard to
create a new wrapper from the existing wrapper src code.
-- 
John Dennis [EMAIL PROTECTED]

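Added example, not from the thread and not Mailman's own source: a minimal setgid wrapper in C of the kind John suggests above and Mark recommends in his 2005-12-12 reply. It borrows the two things Mailman's cgi-bin wrappers do (check the caller's real group id, exec one fixed program) and adds an allow-list of bin/ scripts plus a check on the arguments PHP passes through. The install prefix /usr/local/mailman, the script names find_member, add_members and remove_members, and gid 80 for the www group are assumptions; set them for the real system. Installed root:mailman with mode 2755, the same arrangement as Mailman's own wrappers, it runs the scripts with effective group mailman, so www no longer needs to be in the mailman group and config.pck can stay 660. Two caveats a practitioner will want: Linux, among other systems, ignores the setgid bit on #! scripts, so the middle option of making the bin/ scripts themselves setgid will do nothing there; and shell_exec() goes through /bin/sh, so the PHP side should still wrap every argument in escapeshellarg() and call the wrapper by absolute path.

```c
/*
 * php-mailman-wrapper.c: added example of a setgid wrapper for calling a
 * few Mailman bin/ scripts from PHP. Not Mailman's code; modeled on the
 * checks its cgi-bin wrappers make (caller's real gid, fixed target).
 *
 *   cc -O2 -o php-mailman-wrapper php-mailman-wrapper.c
 *   chown root:mailman php-mailman-wrapper && chmod 2755 php-mailman-wrapper
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumptions, adjust for the installation: where the bin/ scripts live and
 * the real group id allowed to call us (the web server group, "www" here). */
#ifndef MAILMAN_BIN
#define MAILMAN_BIN "/usr/local/mailman/bin/"
#endif
#ifndef ALLOWED_CALLER_GID
#define ALLOWED_CALLER_GID 80
#endif

/* The only scripts PHP may run through this wrapper (assumed set). */
static const char *const allowed_scripts[] = {
    "find_member", "add_members", "remove_members", NULL
};

/* 1 if cmd is exactly one of the allowed script names, else 0.
 * Any '/' is rejected so "../x" and absolute paths can never match. */
int is_allowed_command(const char *cmd)
{
    if (cmd == NULL || strchr(cmd, '/') != NULL)
        return 0;
    for (int i = 0; allowed_scripts[i] != NULL; i++)
        if (strcmp(cmd, allowed_scripts[i]) == 0)
            return 1;
    return 0;
}

/* 1 if the caller's *real* gid is the expected one. The setgid bit only
 * changes the effective gid, so the real gid still says who invoked us. */
int caller_is_allowed(gid_t real_gid, gid_t expected_gid)
{
    return real_gid == expected_gid;
}

/* 1 if arg may be handed to the script: non-empty, not an option, and
 * free of control characters. Form input is an address or list name,
 * never a flag. */
int arg_is_safe(const char *arg)
{
    if (arg == NULL || arg[0] == '\0' || arg[0] == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)arg; *p != '\0'; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Absolute path of the script under MAILMAN_BIN, or NULL if it does not
 * fit. A static buffer is fine: the wrapper execs exactly once. */
const char *script_path_for(const char *cmd)
{
    static char path[4096];
    int n = snprintf(path, sizeof path, "%s%s", MAILMAN_BIN, cmd);
    if (n <= 0 || (size_t)n >= sizeof path)
        return NULL;
    return path;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <script> [args...]\n", argv[0]);
        return 2;
    }
    if (!caller_is_allowed(getgid(), ALLOWED_CALLER_GID)) {
        fprintf(stderr, "refused: real gid %ld is not the web server group\n",
                (long)getgid());
        return 1;
    }
    if (!is_allowed_command(argv[1])) {
        fprintf(stderr, "refused: script not on the allow list\n");
        return 1;
    }
    for (int i = 2; i < argc; i++)
        if (!arg_is_safe(argv[i])) {
            fprintf(stderr, "refused: unacceptable argument\n");
            return 1;
        }
    const char *path = script_path_for(argv[1]);
    if (path == NULL)
        return 1;
    /* Exec with a clean environment so nothing the web server (or whoever
     * controls it) exported reaches the script; the effective gid of
     * mailman survives execve because the target itself is not setgid. */
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    execve(path, &argv[1], clean_env);
    perror("execve");
    return 1;
}
```

From PHP the call then looks like shell_exec('/usr/local/mailman/bin/php-mailman-wrapper find_member ' . escapeshellarg($addr)); the wrapper, not the form, decides which script runs.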


Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-09 Thread Christopher X. Candreva
On Fri, 9 Dec 2005, John Dennis wrote:

> 2) The php script invokes a wrapper just like the CGI does. This is
> preferred for a variety of security reasons. It would not be hard to
> create a new wrapper from the existing wrapper src code.

I'm giving serious thought to writing a mailman 'server', sort of like 
an SQL server process. It would let a cgi authenticate, then issue commands.
Today it could just call the CLI programs, someday -- it could be the actual 
way MailMan does its work, with the other programs calling it.


Drifting off topic . . . I've done mostly thinking about this because I 
don't know a lick of python, but it seems to me MailMan and the developers 
might benefit from breaking it up into more of a frontend/backend system. A 
'server' process that accepts messages, sends them from the queue, manages 
users, etc. Then the web stuff would be one front end to this. There could 
then be other front ends -- integrating with packages like PostNuke, 
shopping carts, etc.

The Unix way is small programs that do one job well. :-)

Am I the only one who thinks this is a good idea ? I'm willing to help how I 
can, and have zero interest in starting a fork. :-)

-Chris

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Mailman-Users] Permissions problem accessing commands via php

2005-12-09 Thread Mark Sapiro
Dave B wrote:

> This works fine except that for some reason the permissions will
> sometimes revert back to 660 and then the script won't work. Only one
> config.pck file has to have 660 permissions for the script not to work.
> When I change that particular file back to 664 - the script works
> again. Any ideas on what would cause the permissions to change back to
> 660?


The mail list Save() method effectively moves the current config.pck to
config.pck.last and saves a new one (it's more complicated than this
for safety, but this is the effect). Thus, every time any list
attribute is changed and saved (i.e. whenever a post is processed or
the admin or admindb interfaces are changed or a member changes
options, etc., etc.), a new config.pck is created with 'standard'
permissions.

-- 
Mark Sapiro [EMAIL PROTECTED]              The highway is for gamblers,
San Francisco Bay Area, California         better use your sense - B. Dylan

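Added example, not Mailman's own code (the real logic is the Save() method in Mailman/MailList.py, which does more for crash-safety): a C program that reproduces the effect Mark describes in his 2005-12-09 and 2005-12-10 replies, so the "reverting" permissions can be watched directly. It creates the new config.pck under umask 007, restores the caller's umask, moves the old file to config.pck.last and renames the new one into place; a chmod 664 applied by hand therefore ends up on config.pck.last while the fresh config.pck is 660 again, whatever the shell's umask was. The file names are assumptions, and the demo writes into a temporary directory it creates and removes.

```c
/*
 * save_config.c: added illustration of why chmod 664 on config.pck does
 * not stick. Not Mailman's code; it mimics the effect of MailList.Save().
 */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Write data as <dir>/config.pck the way Save() does: fresh file created
 * under umask 007, previous file kept as config.pck.last, new file renamed
 * into place. Returns 0 on success, -1 on error. */
int save_config(const char *dir, const char *data)
{
    char tmp[4096], cur[4096], last[4096];
    snprintf(tmp, sizeof tmp, "%s/config.pck.tmp.%ld", dir, (long)getpid());
    snprintf(cur, sizeof cur, "%s/config.pck", dir);
    snprintf(last, sizeof last, "%s/config.pck.last", dir);

    mode_t saved = umask(007);       /* deny 'other' entirely: passwords inside */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0666); /* 0666 & ~007 = 0660 */
    umask(saved);                    /* the caller's umask comes straight back */
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len || fsync(fd) != 0 || close(fd) != 0) {
        unlink(tmp);
        return -1;
    }
    /* old config.pck becomes config.pck.last, new one takes its name */
    if (access(cur, F_OK) == 0 && rename(cur, last) != 0) {
        unlink(tmp);
        return -1;
    }
    return rename(tmp, cur) == 0 ? 0 : -1;
}

/* Permission bits of path as an int (e.g. 0660), or -1 if stat fails. */
int mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Save once, chmod the file to 664 by hand as in the thread, save again.
 * Returns the mode of config.pck after the second save. */
int demo(const char *dir)
{
    char cur[4096];
    snprintf(cur, sizeof cur, "%s/config.pck", dir);
    if (save_config(dir, "v1") != 0)
        return -1;
    chmod(cur, 0664);                /* the manual fix from the thread */
    if (save_config(dir, "v2") != 0)
        return -1;
    return mode_bits(cur);           /* 0660: the 664 now lives on config.pck.last */
}

/* Run demo() in a scratch directory with a typical shell umask of 022, and
 * also confirm save_config left the umask as it found it. Returns the mode
 * of the re-saved config.pck, -1 on I/O error, -2 if the umask was not
 * restored. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/mm-save-XXXXXX";
    char cur[4096], last[4096];
    if (mkdtemp(dir) == NULL)
        return -1;
    mode_t saved = umask(022);
    int mode = demo(dir);
    mode_t left = umask(saved);
    snprintf(cur, sizeof cur, "%s/config.pck", dir);
    snprintf(last, sizeof last, "%s/config.pck.last", dir);
    unlink(cur);
    unlink(last);
    rmdir(dir);
    if (left != 022)
        return -2;
    return mode;
}

int main(void)
{
    int mode = demo_in_tmpdir();
    if (mode < 0) {
        fprintf(stderr, "demo failed (%d)\n", mode);
        return 1;
    }
    printf("config.pck after re-save: %04o\n", mode);  /* 0660 */
    return 0;
}
```

The practical consequence is the one Mark draws: nothing short of editing MailList.py changes what a freshly written config.pck gets, so the fix belongs on the reader's side (group membership or a setgid wrapper), not on the file.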