[Mailman-Developers] [ mailman-Bugs-474616 ] SECURITY: Pipermail permissions problem

noreply@sourceforge.net noreply@sourceforge.net
Wed, 05 Jun 2002 02:00:17 -0700

Bugs item #474616, was opened at 2001-10-24 22:35
You can respond by visiting: 

Category: Pipermail
Group: None
Status: Closed
Resolution: Wont Fix
Priority: 8
Submitted By: H. Peter Anvin (hpa)
Assigned to: Nobody/Anonymous (nobody)
Summary: SECURITY: Pipermail permissions problem

Initial Comment:
$mailman_root/archive/private is o+x in the default
installation.  This allows anyone with local access to
the machine to read the archives of private mailing
lists, as long as they know the (trivial) structure of
the files beneath this directory.

I have verified that changing this directory to o-x
causes *all* pipermail pages to become inaccessible, so
that does not resolve the problem.

There presumably needs to be a setgid program involved
which can verify that the user is authenticated and
give access to the archives if appropriate; then that
directory can be made o-x.


Comment By: Arne Georg Gleditsch (argggh)
Date: 2002-06-05 11:00

Logged In: YES 

I'm not comfortable with this remaining unfixed.  Is there
any reason 
it couldn't be handled by doing 

--- Mailman/Archiver/Archiver.py        15 Feb 2002 16:28:03
-0000      1.1
+++ Mailman/Archiver/Archiver.py        5 Jun 2002 08:54:18
@@ -250,8 +250,12 @@
                                self._internal_name + '.mbox')
         privmbox = self.archive_directory + '.mbox'
         if self.archive_private:
+            os.chmod(privdir, 02770)
+            os.chmod(privmbox, 02770)
+            os.chmod(privdir, 02775)
+            os.chmod(privmbox, 02775)
             makelink(privdir, pubdir)
             makelink(privmbox, pubmbox)

or something?


Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-04-12 00:40

Logged In: YES 

I'm not inclined to fix this, since this arrangement is
crucial to the web security of private archives.  Since
Mailman is usually run on mail and/or web servers that have
very limited access anyway, I don't consider this an
important vulnerability.


You can respond by visiting: