[Mailman-Users] CGI account shouldn't be part ofmailman group, but...

John Dennis jdennis at redhat.com
Wed Jul 13 01:46:07 CEST 2005


On Tue, 2005-07-12 at 19:20 -0400, Poster wrote:
> OK. If I'm following this correctly, Mailman is run as setgid Mailman,
> so whatever calls it acts as though it were in the Mailman group. To
> prevent abuse of this, Mailman allows only those who pass its security
> check to call it.
> 
> I'm running SUSE, which uses a mailman-cgi-gid file, instead of
> compiling this option into Mailman itself. If I've got this right,
> Mailman compares this file with the GID of the process calling it. If
> they match, then the process goes ahead.
> 
> My mailman-cgi-gid file contains one number -- 8, which is the user
> "nobody". In order to prevent Mailman from crashing with horrendous
> permissions problems on locks and such, I had to change many files to
> be owned by nobody.

I can't speak for SuSE, but I think your mailman-cgi-gid file should
have been modified to have the uid that apache (or whatever httpd server
you're running) runs as. You shouldn't need to modify the
owner/group/permissions of any of the mailman files (or any other
files). But like I said I'm not a SuSE expert they may have done
something different, but my expectation is they replaced the configure
option --with-cgi-gid with a file read of malman-cgi-gid so its not
hardcoded into the wrapper.

> I suppose that nobody doesn't have to be part of the mailman group,
> and that's where I went off the path?

Yes, I believe that would be a mistake and you may need to go back and
undo those file changes :-(

mailman_install_dir/bin/fix_perms might be helpful, the -f option will
"fix" the files.


-- 
John Dennis <jdennis at redhat.com>




More information about the Mailman-Users mailing list