[Mailman-Users] Is there a security hole in Mailman?

Jim Popovitch jimpop at yahoo.com
Mon Feb 13 22:08:29 CET 2006

Mark Sapiro wrote:
> Jim Popovitch wrote:
>> Side question:  If the webserver is running as a user/group that can't 
>> directly access the Mailman installation, how can Mailman web interfaces 
>> work?  Perhaps you mean something else by the above?
> The web interface accesses Mailman through setgid wrappers. See
> <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.016.htp>.

OK, but just to be clear, those wrappers (default location is 
/usr/local/mailman/cgi-bin) need to be accessible by the webserver.  So, 
is it safe to assume that only cgi-bin needs world read/executable 
permissions?  Can I "chmod -R o=" everything in /usr/local/mailman/ 
except cgi-bin/ and mail/?

-Jim P.

More information about the Mailman-Users mailing list