[Mailman-Users] Long Email Addressess

Thu Mar 4 00:48:10 CET 1999

FYI: I know next to nothing about Python, some I'm not able to
specifically scan the code (yet) looking for the big obvious security
holes...but I did run across something interesting.

I tried a very simple/stupid buffer overflow test.  What would happen if I
tried to subscribe a long email address?  My test case was only about 300
characters...I'll probably try some really long usernames later but in any
case I found that sendmail would choke on the email address I entered
(prescan: token too long) yet mailman would think that the addy was
sucessfully subscribed.

djdjddddddddddddddddddddddddjjdjdjdjdjddjddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddididididididididiididididididddddddddddddddddddddd
idiidididididididididididididididididididididididddddddddddddddddddddddddddddd
ddddddddddddddddddiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
iiiii at nterprise.net has been successfully subscribed to Test.

No crashes, no obvious buffer overflow, but methinks that mailman ought to
expect *and check for* whatever the RFC defined maximum email address is
(or ought to be able to pick it out of the local sendmail config).

At the moment, I have two goals in mind that I want to figure out how to
do in mailman...and when I do I'll try to create a FAQ entry/HOWTO:

1) I want to figure out how to get mailman to work with virtual hosts.
Should be similar to doing this with Majordomo.  I don't want to install
copies of mailman in every virtual domain directory...instead I want a
different "cf" file for each domain, and a switch to each of the bin/cgi
programs that will read the appropriate cf file.  (This functionality
might already be there...I just unpacked/installed mailman for the first
time today).

2) I want to run mailman through cgiwrap as a user other than the
webserver.  The docs suggest that running it as user mailman isn't a good
idea either because that would give everyone access to the private
archives, but I really don't like running it with webserver privs either.
For that matter, I don't like running the wrapper with daemon privs (call
me super paranoid).  I'd rather run the wrapper and CGI's as some other
user/group...one with absolutely no other privs than what is necessary to
run mailman.

Other than these minor nits, mailman seems to beat the pants off any other
MLM I've looked at!  This is great stuff!

-- 
John-David Childs (JC612)	Enterprise Internet Solutions
Systems Administration          http://www.nterprise.net
  & Network Engineering         8707 E. Florida Ave #814 Denver, CO 80231
"Virtual" means never knowing where your next byte is coming from.