[Mailman-Users] Is there a security hole in Mailman?
msapiro at value.net
Mon Feb 13 22:30:11 CET 2006
Jim Popovitch wrote:
>OK, but just to be clear, those wrappers (default location is
>/usr/local/mailman/cgi-bin) need to be accessible by the webserver. So,
>is it safe to assume that only cgi-bin needs world read/executable
>permissions? Can I "chmod -R o=" everything in /usr/local/mailman/
>except cgi-bin/ and mail/?
Not quite. The remaining issue is archives because public archives are
the only things that are not accessed through a wrapper. That's an
important access issue, i.e. forcing private archive access to be only
via the 'private' wrapper/script which forces authentication.
Because public archives are accessed directly by the web server via the
'pipermail' alias and the symlinks in archives/public, the
archives/private/<listname>/ directories and their subordinate archive
contents must be accessible by 'other', but the archives/private/
directory itself has permissions 02771 to prevent 'other' getting the
names of the lists by reading the directory.
Mark Sapiro <msapiro at value.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users