[Mailman-Users] Mailman file and directory permissions

John Dennis jdennis at redhat.com
Tue Dec 14 18:18:44 CET 2004


On Mon, 2004-12-13 at 19:05, Matt Ruzicka wrote:
> My company is running and testing Mailman to replace majordomo (finally)
> in a FreeBSD environment.  From the README.BSD file I see that it is
> possible to install without turning on the setgid bit on directories.
> However, even with a 'make DIRSETGID=: install' a number of executable
> files are installed with the setgid bit.  The fact that these same files,
> as well as pretty much everything else in the mailman directory, are set
> to allow world read and execute makes us very nervous, especially since
> this is a shared environment.  Are we missing something or is this not a
> recipe for anyone being able to run these commands?
> 
> I realize that most things are password protected as well and it appears
> only the cgi-files are setgid, but we were toying with this idea and were
> wondering how bad of an idea it is.
> 
>   chmod -R go-rwxs /u/mailman
>   chmod 4550 /u/mailman/cgi-bin/*
>   chown -R mailman:webgroup /u/mailman/cgi-bin
>   chmod 750 /u/mailman/cgi-bin
>   chmod 644 /u/mailman/data/*
>   chmod 711 /u/mailman
>   chmod 711 /u/mailman/data/
> 
> 
> We also did this, but are not sure they are necessary:
> 
>   chmod 711 /u/mailman/mail
>   chmod 711 /u/mailman/mail/mailman
> 
> We figure we would rather have the web server running these scripts as
> mailman instead of allowing anyone to execute all of these scripts.
> 
> After we made these changes in the test environment everything seems to be
> functioning normally from the outside perspective.
> 
> If this is a horrible idea, why?  And if this is highly discouraged, has
> anyone else done anything to limit permissions further from the default
> install to disallow prying eyes and curious fingers?

The reason why DIRSETGID is different on BSD is because of "directory
inheritance" of the setuid and setgid bits; this is explained here:
http://www.linuxpowered.com/html/editorials/file.html

A few months back I went over the installation process with a fine tooth
comb and noted some parts of the installation relied on this inheritance
property which is system specific. I cleaned some of this up to make it
explicit and system agnostic, although the patch was sent to the
developers list I didn't add it to the SourceForge patch area which I
need to do so it's in the official queue.

I doubt you will run into problems with the world execute bit set;
Mailman's security is group based. This is the point of having those
executables be setgid. I believe you will discover all the executables
you are concerned about check the group (src/common.c) of the user
executing them. If the group is not valid (a build time option) then
the executable exits with a fatal error, otherwise the command runs with
an effective group id (hence the setgid bit) of mailman (or whatever it
was defined to be at configure/build time). Thus only defined groups are
allowed to execute the command and when it executes it only executes as
group mailman.
-- 
John Dennis <jdennis at redhat.com>
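
The caller-group check described in the reply above, sketched as an added example; it is not part of the original message and is not Mailman's src/common.c. The names ALLOWED_CALLER_GROUP, group_is_allowed and check_caller are hypothetical, and "webgroup" is taken from the commands quoted in the question.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the group allowed to invoke the wrapper is fixed at build time. */
#ifndef ALLOWED_CALLER_GROUP
#define ALLOWED_CALLER_GROUP "webgroup"
#endif

/* Return 1 only for an exact name match; NULL (gid with no group entry) fails. */
int group_is_allowed(const char *caller_group, const char *allowed)
{
    return caller_group != NULL && allowed != NULL &&
           strcmp(caller_group, allowed) == 0;
}

/* Check the REAL gid (who invoked the binary), not the effective gid,
 * which the setgid bit has already switched to the file's group. */
int check_caller(gid_t real_gid, const char *allowed)
{
    struct group *gr = getgrgid(real_gid);
    if (!group_is_allowed(gr ? gr->gr_name : NULL, allowed)) {
        fprintf(stderr, "caller gid %ld (%s) does not match allowed group %s\n",
                (long)real_gid, gr ? gr->gr_name : "unknown", allowed);
        return 0;
    }
    return 1;
}

int main(void)
{
    if (!check_caller(getgid(), ALLOWED_CALLER_GROUP))
        return 2;   /* fatal: refuse to run for this caller */
    printf("real gid %ld accepted, running with effective gid %ld\n",
           (long)getgid(), (long)getegid());
    /* A real wrapper would exec its target script at this point. */
    return 0;
}
```

Installed mode 2755 with group mailman, such a binary is executable by anyone, but only a caller whose real group matches the compiled-in name gets past check_caller.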



