mailman group membership in /etc/group

What are the implications for mailman, functionally, of having the web server user, www-data, as a member of the mailman group in /etc/group? I note that I've done this for _some_ reason on a couple of installs, and I've assumed that there were at least some security implications, but it's never been a problem. I've done a bit of googling for this and can't find a reference on it, so I thought I'd ask :)
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |

On 12/03/2014 09:34 AM, Lindsay Haisley wrote:
The installation manual at <http://www.list.org/mailman-install/node10.html> contains the following:
Warning: You want to be very sure that the user id under which your CGI scripts run is not in the mailman group you created above, otherwise private archives will be accessible to anyone.
That warning pre-dates my involvement with Mailman - it was in the Mailman 1.0 INSTALL document. I've never investigated whether or exactly how one might access private archives under this circumstance, but you've been warned.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
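
An added example, not part of either post or of Mailman itself: a shell check for the condition the install manual warns about, using the www-data and mailman names from this thread. It assumes accounts live in flat /etc/group and /etc/passwd files (LDAP or other NSS sources are not consulted); the function names are hypothetical.

```shell
#!/bin/sh
# in_group USER GROUP [GROUP_FILE] [PASSWD_FILE]
# Returns 0 if USER is a member of GROUP, 1 if not, 2 if GROUP does not exist.
# Membership can come from the group's member list or from the user's primary GID.
in_group() {
    user=$1
    group=$2
    group_file=${3:-/etc/group}
    passwd_file=${4:-/etc/passwd}

    # group file format: name:password:GID:member1,member2,...
    entry=$(awk -F: -v g="$group" '$1 == g { print $3 ":" $4; exit }' "$group_file")
    [ -n "$entry" ] || return 2
    gid=${entry%%:*}
    members=${entry#*:}

    # Supplementary membership: exact match in the comma-separated list,
    # so "www-data" does not match "www-data-backup".
    case ",$members," in
        *",$user,"*) return 0 ;;
    esac

    # Primary membership: field 4 of the user's passwd entry is the GID.
    primary=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -n "$primary" ] && [ "$primary" = "$gid" ]; then
        return 0
    fi
    return 1
}

# check_mailman_group [CGI_USER] [GROUP] [GROUP_FILE] [PASSWD_FILE]
# Returns 0 when the CGI user is NOT in the group, 1 when it is, 2 if the group is missing.
check_mailman_group() {
    cgi_user=${1:-www-data}
    mm_group=${2:-mailman}
    rc=0
    in_group "$cgi_user" "$mm_group" "${3:-/etc/group}" "${4:-/etc/passwd}" || rc=$?
    case $rc in
        0) echo "WARNING: $cgi_user is in group $mm_group"; return 1 ;;
        2) echo "group $mm_group not found"; return 2 ;;
        *) echo "OK: $cgi_user is not in group $mm_group"; return 0 ;;
    esac
}
```

Source the file and run check_mailman_group with no arguments to test the live system files, or pass paths to copies of the files.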
