Re: [Mailman-Users] [bug in mm2.1] mailmanctl doesn't set groups.
At 13:24 01/07/2003, Jonas Meurer wrote:
> hello, the mailmanctl script doesn't set groups. so when i run mailmanctl as root, i become list:list but still have the groups that root has. that's a grave security bug.
I think not. I believe you are mistaking the meaning of the output from the id command you are running. The group affiliations of the process do not mean that the uid in the output has privileges of those groups. Just try getting the code in the ArchRunner.py to modify a file owned by root with no write privileges for other when mailmanctl has been started by root to see what I mean. The process will only have the privileges associated with the uid/euid and gid/egid.
> a possible (and working) patch is attached.
> bye mejo
> ps: since the bug-reporting system at sourceforge doesn't work atm, i report the bug to the two mailman lists.
> -- Efficiency and progress is ours one more Now that we have the Neutron bomb It's nice and quick and clean and gets things done Kill kill kill kill kill the poor tonight
mailmanctl.patch
Richard Barrett http://www.openinfo.co.uk
On 01/07/2003 Richard Barrett wrote:
>> the mailmanctl script doesn't set groups. so when i run mailmanctl as root, i become list:list but still have the groups that root has. that's a grave security bug.
> I think not. I believe you are mistaking the meaning of the output from the id command you are running. The group affiliations of the process do not mean that the uid in the output has privileges of those groups. Just try getting the code in the ArchRunner.py to modify a file owned by root with no write privileges for other when mailmanctl has been started by root to see what I mean. The process will only have the privileges associated with the uid/euid and gid/egid.
ok, i believe that, but it's still a bug. add user list (running mailman) to a group (i.e. testgroup), and try to modify a file owned by someone.testgroup with write privileges only for group (and user if you want). that's exactly why i found that bug. the user (list) that runs my external archiver (lurker) has to be in group lurker.
bye mejo
ps: i'm not subscribed to mailman-developers
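Added example, not Mailman's code: a minimal root-to-user privilege drop of the shape discussed in this thread, once without and once with a setgroups() call, plus a post-drop check for supplementary groups that should not be there. The FakeCreds class and all ids (38 for list, 1001 for the lurker group) are constructed so the code runs without root; on a real system pass the `os` module (the default) and obtain the group list with os.initgroups() or from grp.

```python
import os


class FakeCreds:
    """Constructed stand-in for process credentials, so the drop can be
    exercised without root. Mirrors the kernel rule that setgroups()
    needs privilege (EPERM once the uid is no longer 0)."""

    def __init__(self, uid=0, gid=0, groups=(0, 4, 27)):  # root + adm + sudo (constructed)
        self.uid, self.gid, self.groups = uid, gid, list(groups)

    def setgroups(self, groups):
        if self.uid != 0:
            raise PermissionError("setgroups: EPERM")
        self.groups = list(groups)

    def setgid(self, gid):
        self.gid = gid

    def setuid(self, uid):
        self.uid = uid

    def getuid(self): return self.uid
    def getgid(self): return self.gid
    def getgroups(self): return list(self.groups)


def drop_privileges(uid, gid, supplementary=(), clear_groups=True, _os=os):
    """Drop from root to uid:gid. clear_groups=False reproduces the
    behaviour reported in the thread: uid and gid change, but the
    supplementary group list inherited from root survives. The order
    matters: setgroups() first while still root, then setgid(), then setuid()."""
    if clear_groups:
        _os.setgroups([gid, *supplementary])
    _os.setgid(gid)
    _os.setuid(uid)


def leaked_groups(uid, gid, supplementary=(), _os=os):
    """Post-drop check: return every gid the process still holds that is
    neither the primary gid nor an intended supplementary group."""
    if _os.getuid() != uid or _os.getgid() != gid:
        raise RuntimeError("uid/gid drop did not take effect")
    allowed = {gid, *supplementary}
    return sorted(g for g in _os.getgroups() if g not in allowed)


if __name__ == "__main__":
    buggy = FakeCreds()
    drop_privileges(38, 38, clear_groups=False, _os=buggy)
    print("without setgroups, leaked:", leaked_groups(38, 38, _os=buggy))  # [0, 4, 27]
    fixed = FakeCreds()
    drop_privileges(38, 38, supplementary=(1001,), _os=fixed)
    print("with setgroups, leaked:", leaked_groups(38, 38, (1001,), _os=fixed))  # []
```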