[Mailman-Users] [bug in mm2.1] mailmanctl doesn't set groups.

Jonas Meurer jonas at freesources.org
Tue Jul 1 17:51:57 CEST 2003


On 01/07/2003 Richard Barrett wrote:
> >the mailmanctl script doesn't set groups.
> >so when i run mailmanctl as root, i become list:list but still have the
> >groups that root has. that's a grave security bug.
> 
> I think not. I believe you are mistaking the meaning of the output from the 
> id command you are running. The group affiliations of the process do not 
> mean that the uid in the output has privileges of those groups. Just try 
> getting the code in the ArchRunner.py to modify a file owned by root with 
> no write privileges for other when mailmanctl has been started by root to 
> see what I mean. The process will only have the privileges associated with 
> the uid/euid and gid/egid.

ok, i believe that, but it's still a bug. add user list (running
mailman) to a group (i.e. testgroup), and try to modify a file owned
by someone.testgroup with write privileges only for group (and user if
you want).
that's exactly why i found that bug. the user (list) that runs my external
archiver (lurker) has to be in group lurker.

bye
 mejo

ps: i'm not subscribed to mailman-developers

-- 
Efficiency and progress is ours one more
Now that we have the Neutron bomb
It's nice and quick and clean and gets things done
Kill kill kill kill kill the poor tonight
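
The thread concerns a daemon started as root that switches to list:list. As an added example (not part of the original post and not Mailman's own code), this Python sketch replaces the supplementary group list with the target user's own groups before changing gid and uid, then checks that no group from the starting process remains. The helper names and the gids in the sample table are assumptions made for illustration.

```python
import grp
import os
import pwd
from collections import namedtuple

# Constructed sample entries (gids invented); "list" and "lurker" are the
# account and group named in the thread.
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_GROUPS = [
    Group("root", 0, []),
    Group("adm", 4, ["root"]),
    Group("list", 38, []),
    Group("lurker", 2001, ["list"]),
]

def supplementary_gids(username, primary_gid, groups=None):
    """Primary gid plus every group that lists username as a member."""
    entries = grp.getgrall() if groups is None else groups
    gids = {primary_gid}
    gids.update(g.gr_gid for g in entries if username in g.gr_mem)
    return sorted(gids)

def leaked_groups(current_gids, allowed_gids):
    """Gids still held by the process that the target user should not have."""
    return sorted(set(current_gids) - set(allowed_gids))

def drop_privileges(username, groupname):
    """Switch from root to username:groupname, replacing the group list too."""
    uid = pwd.getpwnam(username).pw_uid
    gid = grp.getgrnam(groupname).gr_gid
    wanted = supplementary_gids(username, gid)
    os.setgroups(wanted)   # needs root, so it must come before setuid()
    os.setgid(gid)
    os.setuid(uid)         # last: after this the process cannot change groups
    leaked = leaked_groups(os.getgroups(), wanted)
    if leaked:
        raise RuntimeError("inherited groups still present: %r" % leaked)

if __name__ == "__main__":
    # Runs without root: only the pure helpers are exercised here.
    print(supplementary_gids("list", 38, SAMPLE_GROUPS))
    print(leaked_groups([0, 4, 38], [38, 2001]))
```

`drop_privileges` itself has to be called as root; the two helper functions can be run by any user against the sample table.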