Dave B wrote:
>I am guessing that this is a bad idea but I want to ask anyway. PHP
>runs as the Apache user which is www. I have added www to the mailman
>group and this works. I have since removed it but wanted to see whether
>that created too much of a security risk?
It allows apache to access Mailman files without going through the Mailman cgi-bin wrappers. Of course, by making permissions = 664 on config.pck, you allow even greater access to those files. The problem is that if someone can craft a URL or XSS attack or ? to retrieve a config.pck file directly, they can get the membership list and the plain text member passwords. Also, they can do something similar to get private archive files.

A perhaps better way to do this, since you said in the OP that you are the only one with shell access to the server, is to make the bin/ scripts you want to use group mailman and SETGID. Then they should work no matter how they are run.

The best way is to do as John Dennis suggested and create a SETGID wrapper to be executed by your PHP scripts. The wrapper would check to ensure it was properly invoked before calling the appropriate bin/* script.

--
Mark Sapiro <[EMAIL PROTECTED]>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
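The SETGID wrapper pattern Mark describes, written out as an added example; this is not Mailman's own wrapper code and not anything from the thread. It assumes a Mailman prefix of /usr/local/mailman, a web server group named "www", and that the only bin/ script PHP needs is list_members; all three are placeholders to adjust. Installed owned by group mailman with mode 2755, it lets PHP obtain one list's membership without www ever being a member of the mailman group or config.pck being group-readable: the wrapper refuses callers whose real gid is not the web group, accepts only a list name matching a strict character set (so no option flags or path components can be smuggled in), scrubs the environment, and execs one fixed script by absolute path.

```c
/* Added example of a minimal SETGID wrapper for calling a Mailman bin/
 * script from PHP. Not Mailman's code; paths, group and script names are
 * assumptions for illustration. Build, then: chgrp mailman wrapper &&
 * chmod 2755 wrapper, and have PHP exec "wrapper <listname>". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Assumed Mailman layout and the single script this wrapper may run. */
#define MAILMAN_BIN    "/usr/local/mailman/bin/"
#define ALLOWED_SCRIPT "list_members"
/* Assumed name of the group the web server (and so PHP) runs as. */
#define WEB_GROUP "www"

/* Accept only list names of 1..64 chars from [A-Za-z0-9_.-] that do not
 * begin with '-' or '.'. This rejects option injection ("--output=...")
 * and path tricks ("../config.pck") before anything reaches the script. */
int valid_listname(const char *name)
{
    size_t n, i;
    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n == 0 || n > 64)
        return 0;
    if (name[0] == '-' || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* The setgid bit gives us effective gid mailman; the *real* gid still
 * identifies who invoked us, and only the web group is allowed to. */
int caller_is_allowed(gid_t real_gid, gid_t web_gid)
{
    return real_gid == web_gid;
}

int main(int argc, char *argv[])
{
    struct group *gr;
    char path[sizeof(MAILMAN_BIN) + sizeof(ALLOWED_SCRIPT)];
    char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    if (argc != 2 || !valid_listname(argv[1])) {
        fprintf(stderr, "usage: %s <listname>\n", argv[0]);
        return 2;
    }
    gr = getgrnam(WEB_GROUP);
    if (gr == NULL || !caller_is_allowed(getgid(), gr->gr_gid)) {
        fprintf(stderr, "wrapper: refused, not invoked by group %s\n", WEB_GROUP);
        return 3;
    }
    snprintf(path, sizeof path, "%s%s", MAILMAN_BIN, ALLOWED_SCRIPT);
    /* Fixed script, fixed argv, scrubbed environment: the caller chooses
     * only the list name, and only from the validated character set. */
    execle(path, ALLOWED_SCRIPT, argv[1], (char *)NULL, clean_env);
    perror("execle");
    return 1;
}
```

Keeping the wrapper to one hard-coded script and one validated argument is the point: every further script you expose widens what a compromised PHP process can do with mailman group rights, so add a second wrapper (or a fixed table of allowed scripts) rather than passing the script name through from PHP.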