[Mailman-Users] [bug in mm2.1] mailmanctl doesn't set groups.
Richard Barrett
r.barrett at openinfo.co.uk
Tue Jul 1 19:11:21 CEST 2003
At 16:51 01/07/2003, Jonas Meurer wrote:
>*** PGP Signature Status: unknown
>*** Signer: Unknown, Key ID xE25F2102
>*** Signed: 01/07/2003 16:51:57
>*** Verified: 01/07/2003 17:56:42
>*** BEGIN PGP VERIFIED MESSAGE ***
>
>On 01/07/2003 Richard Barrett wrote:
> > >the mailmanctl script doesn't set groups.
> > >so when i run mailmanctl as root, i become list:list but still have the
> > >groups that root has. that's a grave security bug.
> >
> > I think not. I believe you are mistaking the meaning of the output from
> the
> > id command you are running. The group affiliations of the process do not
> > mean that the uid in the output has privileges of those groups. Just try
> > getting the code in the ArchRunner.py to modify a file owned by root with
> > no write privileges for other when mailmanctl has ben started by root to
> > see what I mean. The process will only have the privileges associated with
> > the uid/euid and gid/egid.
>
>ok, i believe that,
You should not have because your first assessment looks to be correct. I
tried it for real and found you were right.
At a quick glance, it appears as though your proposed bug fix is the only
convenient way of resolving using Python.
Try again to put the fix into sourceforge bug collector for MM.
>but it's still a bug. add user list (running
>mailman) to a group (i.e. testgroup), and try to modify a file owned
>by someone.testgroup with write privileges only for group (and user if
>you want).
>that's exactly why i found that bug. the user (list) that runs my external
>archiver (lurker) has to be in group lurker.
>
>bye
> mejo
>
>ps: i'm not subscribed to mailman-developers
>
>--
>Efficiency and progess is ours one more
>Now that we have the Neutron bomb
>It's nice and quick and clean and gets things done
>Kill kill kill kill kill the poor tonight
>
>
>*** END PGP VERIFIED MESSAGE ***
------------------------------------------------------------------------------
Richard Barrett http://www.openinfo.co.uk
More information about the Mailman-Users
mailing list