mailman user account and login
I thought I'd pose this question to the list.
The mailman installation manual seems to imply that the mailman account should be added with no ability to log in to it. I translated what appeared to me to be the sense of the line given to Solaris.
However, after having gone through several fire drills of resetting file owner from root to mailman, I've set the account up with the directory /usr/local/mailman and "NP" in the /etc/shadow file. This allows me to su - mailman from root, but not to get a login from anywhere else. This is the same setup as is used for other Solaris "blind" accounts.
Is there any real reason not to use the account this way? I'm aware that Mailman security is based on group identity, not user, but external programs such as htdig running under cron need to have uid mailman in files it writes to or to be set up as a mailman-uid program. My personal preference is to set the needed uid's in the mailman runtime tree.
Hank
On 2/4/07, vancleef@lostwells.net <vancleef@lostwells.net> wrote:
> The mailman installation manual seems to imply that the mailman account should be added with no ability to log in to it. I translated what appeared to me to be the sense of the line given to Solaris.
As with most daemon accounts..
> However, after having gone through several fire drills of resetting file owner from root to mailman, I've set the account up with the directory /usr/local/mailman and "NP" in the /etc/shadow file. This allows me to su - mailman from root, but not to get a login from anywhere else. This is the same setup as is used for other Solaris "blind" accounts.
I don't see any reason that this would cause alarm. For caveat, see below...
> Is there any real reason not to use the account this way? I'm aware that Mailman security is based on group identity, not user, but external programs such as htdig running under cron need to have uid mailman in files it writes to or to be set up as a mailman-uid program. My personal preference is to set the needed uid's in the mailman runtime tree.
The main concern with this type of setup is that someone might be able to exploit a vulnerability in mailman or htdig or whatever to obtain a login shell for the users they run as. If that login shell is /bin/false, well, they can just do whatever they want (i.e., nothing at all) with that. If it's bash, well- that's another story altogether.
Please note: The mailman user shouldn't *need* a valid shell for programs to be running with its privileges. If there's not a reason you need to log in (either via su or something else), you're probably better off giving mailman an invalid shell.
--
- Patrick Bogen
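An added example, not part of either post: a small Python audit that reports the two settings this thread distinguishes for a service account, the password field in /etc/shadow ("NP") and the login shell in /etc/passwd. The passwd/shadow entries, the `listsvc` account and the function names are constructed for illustration.

```python
# Shells that exit immediately instead of giving an interactive session.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample entries (not from a real host); "listsvc" is hypothetical.
SAMPLE_PASSWD = """\
mailman:x:101:101:GNU Mailman:/usr/local/mailman:/bin/bash
listsvc:x:102:101:Example daemon:/var/empty:/bin/false
"""
SAMPLE_SHADOW = """\
mailman:NP:13548::::::
listsvc:*LK*:13548::::::
"""

def password_state(field):
    """Classify the password field (2nd column) of a shadow entry."""
    if field is None:
        return "missing"
    if field == "":
        return "empty"            # no password needed: worst case
    if field == "NP":
        return "no-password"      # Solaris marker: no valid password exists
    if field[0] in "!*":
        return "locked"           # covers "*LK*" as well as "!" and "*"
    return "password-set"

def audit(passwd_text, shadow_text, accounts):
    """Return {account: findings} for the named accounts."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or parts[0] not in accounts:
            continue
        name, shell = parts[0], parts[6]
        state = password_state(shadow.get(name))
        report[name] = {
            "password_state": state,
            "password_login": state in ("empty", "password-set"),
            # An empty shell field counts as interactive (system default shell).
            "interactive_shell": shell not in NON_LOGIN_SHELLS,
        }
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, {"mailman", "listsvc"}).items():
        print(name, findings)
```

For the setup described in the thread, `mailman` comes back with no password login but an interactive shell, which is the combination the reply's caveat is about.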