On Tue, 2005-07-12 at 17:34 -0400, Poster wrote:
> Ok, according to the docs, if the account that runs CGI scripts is a
> member of the mailman group, then private archives can be seen by
> everyone. This is a bad thing. However, in order for apache to update
> files in the mailman paths (like locks and such), these files have to
> be writable by the CGI user. So either the CGI user is a member of the
> mailman group, or the directory is left readable, writable, and
> executable by members not of the group! Hopefully, I'm missing
> something. Any ideas?

I think you might be missing something. The account that runs CGI scripts is *NOT* a member of the mailman group, rather the cgi wrapper transitions to the mailman group via setgid, thus it's only mailman operations that are executing as group mailman. In addition, private mailman archives are authenticated by mailman.

I don't think the problem you're concerned about exists, unless perhaps I've misunderstood you.

You might find this FAQ helpful:

6.16. Understanding group mismatch errors - how mailman implements security
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.016.htp

--
John Dennis <[EMAIL PROTECTED]>
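
Added example, not part of the original message and not Mailman's own code: a small permission audit for the arrangement described in the reply, where only the setgid wrapper runs as group mailman and the web server account stays outside that group. The function names and the policy they enforce (no access for "other" on private data, setgid directories) are assumptions made for illustration.

```python
import os
import stat

def check_wrapper(mode, gid, mailman_gid):
    """Problems with a CGI wrapper binary, given its st_mode and st_gid."""
    problems = []
    if not mode & stat.S_ISGID:
        problems.append("setgid bit missing")
    if gid != mailman_gid:
        problems.append("wrong group")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def check_data(mode, gid, mailman_gid, private=False):
    """Problems with a file or directory in the list data tree."""
    problems = []
    if gid != mailman_gid:
        problems.append("wrong group")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if private and mode & stat.S_IROTH:
        problems.append("private but world-readable")
    # Assumption: directories are setgid so new files inherit the group.
    if stat.S_ISDIR(mode) and not mode & stat.S_ISGID:
        problems.append("directory not setgid")
    return problems

def in_group(user, primary_gid, group_gid, group_members):
    """True if the account belongs to the group (primary or supplementary)."""
    return primary_gid == group_gid or user in group_members

def audit_tree(root, mailman_gid, private=False):
    """Walk root and return {path: [problems]} for entries that fail."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about access
            problems = check_data(st.st_mode, st.st_gid, mailman_gid, private)
            if problems:
                findings[path] = problems
    return findings
```

Feed `in_group` the values from `pwd.getpwnam()` and `grp.getgrnam()` for the web server account and the mailman group; a `True` result is the misconfiguration the original question worries about.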