[ mailman-Bugs-1022762 ] common.c is using getgid() instead of getegid
Bugs item #1022762, was opened at 2004-09-05 17:40
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1022762&group_id=103

Category: security/privacy
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Geoff Mottram (gmottram)
Assigned to: Nobody/Anonymous (nobody)
Summary: common.c is using getgid() instead of getegid

Initial Comment:
The mailman wrapper that is used with its set group id set is checking the real group id in src/common.c (line 121). This will only work if mailman is configured to use the group "mail" as that is the only time the real and effective group of mailman will match the configuration. Any programs run by sendmail are real user id of "mail" and real group id of "mail". When using the set group id or set user id flags on an executable file, the program's real group and user values do not change, only their effective group and user id's.

I am running Fedora core release 1 (kernel version 2.4.22), mailman version 2.1.5 and sendmail 8.12.10 with "smrsh".

The fix is to change line 121 in src/common.c from:

    mygid = getgid()

to

    mygid = getegid()

With this change mailman can be installed as group "mailman" (or any other group besides "mail") instead of group "mail" (which is probably a security issue).

Best,
Geoff Mottram
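The real versus effective group ID behaviour the report relies on, as an added example that is not Mailman's code: a small model of how execve() treats a set-group-ID file, and what a getgid()-style and a getegid()-style comparison each see afterwards. The struct, the function names and the numeric gids are constructed for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified group credentials of a process (hypothetical type). */
struct creds { gid_t rgid; gid_t egid; };

/* Model of execve(): the real gid is inherited unchanged; the effective
 * gid becomes the file's group only when the set-group-ID bit is set. */
struct creds exec_file(struct creds caller, mode_t mode, gid_t file_gid)
{
    struct creds after = caller;
    if (mode & S_ISGID)
        after.egid = file_gid;
    return after;
}

/* getgid()-style comparison: looks at the group of whoever invoked us. */
int check_real(struct creds c, gid_t expected) { return c.rgid == expected; }

/* getegid()-style comparison: looks at the group the binary runs with. */
int check_effective(struct creds c, gid_t expected) { return c.egid == expected; }

/* The same two values for the live process, via the calls in the report. */
struct creds current_creds(void)
{
    struct creds c = { getgid(), getegid() };
    return c;
}

int main(void)
{
    /* Constructed gids: 12 stands for "mail", 41 for "mailman". */
    const gid_t mail = 12, mailman = 41;
    struct creds mta = { mail, mail };                  /* sendmail's child */
    struct creds w = exec_file(mta, 02755, mailman);    /* setgid wrapper  */
    struct creds live = current_creds();

    printf("wrapper: rgid=%d egid=%d\n", (int)w.rgid, (int)w.egid);
    printf("real == mailman: %d, effective == mailman: %d\n",
           check_real(w, mailman), check_effective(w, mailman));
    printf("this process: rgid=%d egid=%d\n", (int)live.rgid, (int)live.egid);
    return 0;
}
```

In this model the effective gid after exec of a set-group-ID file is always the file's group, whoever the caller is, while the real gid is always the caller's.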