[Mailman-Users] Security consequences of adding www user to mailmangroup

Mark Sapiro mark at msapiro.net
Fri Dec 19 18:06:42 CET 2008

James Riendeau wrote:
>I need to run bin/add_member in our Mailman 2.1.11 list server  
>installation from a cgi/perl script.  Normally, it has to run as  
>root.   The easy solution was to add the www user to the mailman  
>group.  You can then:
>open(LISTSERVER, '|/usr/local/mailman/bin/add_members -r- '.$list_name);
>print LISTSERVER $email;
>My question is are there any security consequences from adding the  
>Apache2 user to the mailman group I should be aware of.

It potentially allows the web server to access the Mailman installation
without going through the CGIs. This could potentially allow retrieval
of private archives and config.pck files which contain member
addresses and their list passwords.

Instead of doing this, you could make a compiled executable wrapper
which is SETGID mailman and which calls add_members.

You can also add members to a list by posting to or getting
<http://www.example.com/mailman/admin/LIST/members/add> with
appropriate query fragments. See, e.g.,

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list