On Wed, 18 Jul 2012, Luca Gibelli wrote:

> If you run fix_perms -f as you suggested, the dir is chgrp'ed to "list"
> and then indeed you need to add the user "www-data" to the group "list"
> to make the private archive work.
Hum yes, but that’s how upstream does it.

> This means that any (php/perl/python) script running with the webserver
> privileges can potentially read/write to /var/lib/mailman/data .

Hrm. So does the other way: mailman can read/write apache’s stuff.
It may not be quite that big an attack surface, but… *shrug*

I think fix_perms -f should be run in postinst, once. And if we
want to adopt your way round, fix_perms must be fixed… gah.

Thijs, any idea?

Thanks,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
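Added example, not part of the original messages or of the mailman package: a small shell audit for the exposure discussed above, reporting whether a user is in a group and which entries under a directory that group can read or write. The function names are hypothetical; the user, group and path in the usage comment are the ones named in the thread.

```shell
#!/bin/sh
# Audit what a group membership exposes (added example).
# Usage (as root, so find can traverse everything):
#   sh audit.sh www-data list /var/lib/mailman/data
# Only classic mode bits are checked; ACLs are not considered.

# Print "yes" if user $1 is a member of group $2, otherwise "no".
in_group() {
    if id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; then
        echo yes
    else
        echo no
    fi
}

# List entries under $1 owned by group $2 that have the group-write bit.
group_writable() {
    find "$1" -group "$2" -perm -020 -print 2>/dev/null
}

# List entries under $1 owned by group $2 that have the group-read bit.
group_readable() {
    find "$1" -group "$2" -perm -040 -print 2>/dev/null
}

# audit USER GROUP DIR: summary first, then the writable paths.
audit() {
    echo "user $1 in group $2: $(in_group "$1" "$2")"
    echo "group-readable under $3: $(group_readable "$3" "$2" | wc -l)"
    echo "group-writable under $3: $(group_writable "$3" "$2" | wc -l)"
    group_writable "$3" "$2"
}

if [ "$#" -eq 3 ]; then
    audit "$@"
fi
```

Running it with the arguments swapped (for example the mailman user against the web server's group and directories) checks the opposite direction raised in the reply.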