[Mailman-Users] Is there a security hole in Mailman?
Jim Popovitch
jimpop at yahoo.com
Mon Feb 13 22:08:29 CET 2006
Mark Sapiro wrote:
> Jim Popovitch wrote:
>> Side question: If the webserver is running as a user/group that can't
>> directly access the Mailman installation, how can Mailman web interfaces
>> work? Perhaps you mean something else by the above?
>
>
> The web interface accesses Mailman through setgid wrappers. See
> <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.016.htp>.

OK, but just to be clear, those wrappers (default location is
/usr/local/mailman/cgi-bin) need to be accessible by the webserver. So,
is it safe to assume that only cgi-bin needs world read/executable
permissions? Can I "chmod -R o=" everything in /usr/local/mailman/
except cgi-bin/ and mail/?
-Jim P.