[Mailman-Developers] [ mailman-Bugs-585229 ] opening holes by changing permissions?

noreply@sourceforge.net noreply@sourceforge.net
Thu, 25 Jul 2002 18:19:34 -0700 

Bugs item #585229, was opened at 2002-07-22 23:03
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=585229&group_id=103

Category: configuring/installing
Group: 2.1 beta
>Status: Closed
Resolution: None
Priority: 5
Submitted By: Paul Marshall (paulmarshll)
Assigned to: Nobody/Anonymous (nobody)
Summary: opening holes by changing permissions?

Initial Comment:
I was having problems adding a list in Mailman 2.1beta 
via the web interface, it was giving me an error regarding 
permissions to the mailman/data/aliases.db file.  

This is the error I got:

...
File "/var/mailman/Mailman/MTA/Postfix.py", line 46, in 
_update_maps
raise RuntimeError, msg % (acmd, status, errstr)
RuntimeError: command failed: /usr/sbin/postalias 
/var/mailman/data/aliases (status: 1, Operation not 
permitted)


To fix this I changed the permissions on this file so 
apache could write to it.

chmod a+w aliases.db

This did fix the problem of creating and deleting lists via 
the web interface.

Does anyone know if this would open up any security 
holes?

Is there another way to fix the permissions problem that 
is more logical?

Thanks for your help.

Paul Marshall

----------------------------------------------------------------------

>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-07-25 21:19

Message:
Logged In: YES 
user_id=12800

Cool, thanks, I'm closing this bug report.

----------------------------------------------------------------------

Comment By: Paul Marshall (paulmarshll)
Date: 2002-07-24 11:44

Message:
Logged In: YES 
user_id=582441

Thanks for the help bwarsaw, its working now and I don't have 
a+w on aliases.db

Paul

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-07-24 11:28

Message:
Logged In: YES 
user_id=12800

You shouldn't need to do this if you've followed the
directions in README.POSTFIX.  The key issue is that aliases
and aliases.db must be group owned by `mailman' and must be
group writeable.  Since the cgi scripts are setgid mailman
Apache should have no problems writing the file.  And since
Postfix filter prog is also setgid mailman, it should have
no problems either.


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=585229&group_id=103