[Mailman-Developers] Avoiding setgid Binaries and Directories

Mark D. Roth roth at feep.net
Mon Apr 12 01:38:48 EDT 2004


I've just recently started playing around with Mailman, so I apologize
in advance if this is an FAQ, or if I'm sending this to the wrong
forum, etc.  Any etiquette corrections would be greatly appreciated. :)

I think I've found a way to install Mailman without the need for
setgid files and directories, but I'd like to get a sanity check from
people who are more familiar with the code than I am, just to make
sure that there aren't any security implications in how I have things
configured.

Here's how I've set things up.  Basically, I solved the problem by using
external mechanisms to ensure that the Mailman binaries are always
executed as user and group mailman.  For the CGI scripts, there is
suEXEC.  For the mail interface, there is the Procmail MTA handler,
which was posted on SourceForge:

  http://sourceforge.net/tracker/index.php?func=detail&aid=723918&group_id=103&atid=300103

Because these external mechanisms take care of all of the uid/gid
changing, I built Mailman with "--with-mail-gid=mailman
--with-cgi-gid=mailman".

Now here's the complication.  I'm trying to build a distributable
binary package of Mailman, and I'd like it to be usable in different
environments.  In particular, I'd like to use the same package in my
environment, where I avoid the setgid bit as described above, as well
as in other environments, which may still use the normal setgid
approach.  However, if I build with "--with-mail-gid=mailman
--with-cgi-gid=mailman", then the package isn't really usable in other
environments, since most mailers and web servers will not be invoking
the binaries as group "mailman".  I would prefer to build the package
with something like "--with-mail-gid=mailnull --with-cgi-gid=httpd",
which is more likely to be useful on other people's systems.

To solve this problem, I propose that the wrapper code be modified to
allow execution by MAILMAN_GROUP in addition to the "--with-mail-gid"
and "--with-cgi-gid" values.  My thought is that this shouldn't
present a security risk, since the setregid() call wouldn't give the
caller any permissions that it doesn't already have.  In fact, there's
no point in calling setregid() to begin with in this case, since it's
already running as group MAILMAN_GROUP; the wrapper can simply exec
the binary.

So, my question is, are there any security issues I haven't thought of
with respect to the configuration I'm using in my environment?  If
not, does anyone see any problem with modifying the wrapper code as I
suggest?

If this seems like a reasonable change, I'd be happy to submit a
patch.

Thanks in advance for your feedback!

-- 
Mark D. Roth <roth at feep.net>
http://www.feep.net/~roth/
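The group check the post proposes (accept the compiled-in mail/CGI gid as before, but also accept MAILMAN_GROUP, and skip setregid() when the caller is already in that group) is easier to reason about as a small decision function. The following C program is an added illustration written for this page; it is not Mailman's wrapper code. The gid values CONFIGURED_GID and MAILMAN_GID, the enum and function names, and the error message text are all constructed assumptions, and the exec of the real Mailman driver is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed stand-ins for the values Mailman bakes in at build time:
 * the --with-mail-gid / --with-cgi-gid result and MAILMAN_GROUP. */
#define CONFIGURED_GID 26    /* e.g. the MTA's or web server's group (assumed) */
#define MAILMAN_GID    1001  /* the "mailman" group itself (assumed) */

/* What the wrapper should do after inspecting the caller's group. */
enum wrapper_action {
    WRAPPER_REJECT = 0,      /* caller's group is not permitted: refuse to run */
    WRAPPER_SETREGID = 1,    /* permitted via the configured gid: must setregid() */
    WRAPPER_EXEC_DIRECT = 2  /* already MAILMAN_GROUP: no gid change needed */
};

/* Pure decision logic: which of the two permitted groups (if any) the caller
 * belongs to. Checking MAILMAN_GID first encodes the post's observation that
 * a caller already in that group gains nothing from setregid(). */
enum wrapper_action decide_action(gid_t caller_gid, gid_t configured_gid,
                                  gid_t mailman_gid)
{
    if (caller_gid == mailman_gid)
        return WRAPPER_EXEC_DIRECT;
    if (caller_gid == configured_gid)
        return WRAPPER_SETREGID;
    return WRAPPER_REJECT;
}

/* Carry out the decision. Returns 0 when it is safe to proceed to exec,
 * -1 otherwise. A rejected caller never reaches the exec path. */
int apply_action(enum wrapper_action action, gid_t mailman_gid)
{
    switch (action) {
    case WRAPPER_EXEC_DIRECT:
        return 0;
    case WRAPPER_SETREGID:
        if (setregid(mailman_gid, mailman_gid) != 0) {
            perror("setregid");
            return -1;
        }
        /* Confirm the group change actually took effect before trusting it. */
        if (getgid() != mailman_gid || getegid() != mailman_gid)
            return -1;
        return 0;
    default:
        return -1;
    }
}

int main(void)
{
    gid_t caller = getgid();
    enum wrapper_action act = decide_action(caller, CONFIGURED_GID, MAILMAN_GID);

    if (act == WRAPPER_REJECT) {
        fprintf(stderr,
                "group mismatch: expected gid %d or %d, got %d\n",
                (int)CONFIGURED_GID, (int)MAILMAN_GID, (int)caller);
        return 2;
    }
    if (apply_action(act, MAILMAN_GID) != 0)
        return 3;

    /* A real wrapper would execv() the Mailman driver here; omitted. */
    printf("would exec with gid %d\n", (int)getegid());
    return 0;
}
```

Run as a user whose primary group is neither of the two assumed gids, the program exits with status 2 without touching the process credentials; that refusal path is the property worth keeping when widening the accepted-group list.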
