Avoiding setgid Binaries and Directories
I've just recently started playing around with Mailman, so I apologize in advance if this is an FAQ, or if I'm sending this to the wrong forum, etc. Any etiquette corrections would be greatly appreciated. :)
I think I've found a way to install Mailman without the need for setgid files and directories, but I'd like to get a sanity check from people who are more familiar with the code than I am, just to make sure that there aren't any security implications in how I have things configured.
Here's how I've set things up. Basically, I solved the problem by using external mechanisms to ensure that the Mailman binaries are always executed as user and group mailman. For the CGI scripts, there is suEXEC. For the mail interface, there is the Procmail MTA handler, which was posted on SourceForge:
http://sourceforge.net/tracker/index.php?func=detail&aid=723918&group_id=103&atid=300103
Because these external mechanisms take care of all of the uid/gid changing, I built Mailman with "--with-mail-gid=mailman --with-cgi-gid=mailman".
Now here's the complication. I'm trying to build a distributable binary package of Mailman, and I'd like it to be usable in different environments. In particular, I'd like to use the same package in my environment, where I avoid the setgid bit as described above, as well as in other environments, which may still use the normal setgid approach. However, if I build with "--with-mail-gid=mailman --with-cgi-gid=mailman", then the package isn't really usable in other environments, since most mailers and web servers will not be invoking the binaries as group "mailman". I would prefer to build the package with something like "--with-mail-gid=mailnull --with-cgi-gid=httpd", which is more likely to be useful on other people's systems.
To solve this problem, I propose that the wrapper code be modified to allow execution by MAILMAN_GROUP in addition to the "--with-mail-gid" and "--with-cgi-gid" values. My thought is that this shouldn't present a security risk, since the setregid() call wouldn't give the caller any permissions that it doesn't already have. In fact, there's no point in calling setregid() to begin with in this case, since it's already running as group MAILMAN_GROUP; the wrapper can simply exec the binary.
So, my question is, are there any security issues I haven't thought of with respect to the configuration I'm using in my environment? If not, does anyone see any problem with modifying the wrapper code as I suggest?
If this seems like a reasonable change, I'd be happy to submit a patch.
Thanks in advance for your feedback!
-- Mark D. Roth <roth@feep.net> http://www.feep.net/~roth/
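An added illustration of the wrapper decision described in the post (example code written for this page, not Mailman's own wrapper source). It assumes constructed group ids, 48 for the configured invoker group (e.g. httpd) and 1001 for MAILMAN_GROUP: the caller's real gid is accepted if it matches either value, and setregid() is only called when the caller is not already in the mailman group.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed gids for the example; a real build would resolve the names
 * given to --with-mail-gid / --with-cgi-gid and MAILMAN_GROUP instead. */
#define CONFIGURED_GID 48    /* hypothetical gid of httpd / mailnull */
#define MAILMAN_GID    1001  /* hypothetical gid of group mailman */

enum wrapper_decision {
    WRAPPER_REJECT = 0,       /* caller's group is not trusted to invoke us */
    WRAPPER_NEED_SETREGID,    /* trusted invoker; must change to mailman gid */
    WRAPPER_ALREADY_MAILMAN   /* already group mailman; just exec, no setregid */
};

/* Pure decision on the caller's real gid, so it can be checked in isolation. */
enum wrapper_decision decide(gid_t caller_gid, gid_t configured_gid, gid_t mailman_gid)
{
    if (caller_gid == mailman_gid)
        return WRAPPER_ALREADY_MAILMAN;
    if (caller_gid == configured_gid)
        return WRAPPER_NEED_SETREGID;
    return WRAPPER_REJECT;
}

/* Returns 0 when the process is now running as mailman_gid and may exec,
 * -1 when the caller is rejected or the group change fails. */
int enter_mailman_group(gid_t configured_gid, gid_t mailman_gid)
{
    switch (decide(getgid(), configured_gid, mailman_gid)) {
    case WRAPPER_ALREADY_MAILMAN:
        return 0;   /* suEXEC / procmail already gave us the right group */
    case WRAPPER_NEED_SETREGID:
        /* Only succeeds if the wrapper binary itself is setgid mailman. */
        if (setregid(mailman_gid, mailman_gid) != 0) {
            perror("setregid");
            return -1;
        }
        return 0;
    default:
        fprintf(stderr, "Group mismatch: expected gid %ld or %ld, got %ld\n",
                (long)configured_gid, (long)mailman_gid, (long)getgid());
        return -1;
    }
}

int main(void)
{
    if (enter_mailman_group(CONFIGURED_GID, MAILMAN_GID) != 0)
        return 1;
    puts("caller accepted; the real wrapper would execv() the script here");
    return 0;
}
```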