[Mailman-Users] mailman group membership in /etc/group

Mark Sapiro mark at msapiro.net
Wed Dec 3 19:11:11 CET 2014


On 12/03/2014 09:34 AM, Lindsay Haisley wrote:
> What are the implications for mailman, functionally, of having the web
> server user, www-data as a member of the mailman group in /etc/group?  I
> note that I've done this for _some_ reason on a couple of installs, and
> I've assumed that there were at least some security implications, but
> it's never been a problem.  I've done a bit of googling for this and
> can't find a reference on it, so I thought I'd ask :)


The installation manual at
<http://www.list.org/mailman-install/node10.html> contains the following:

Warning: You want to be very sure that the user id under which your CGI
scripts run is not in the mailman group you created above, otherwise
private archives will be accessible to anyone.

That warning pre-dates my involvement with Mailman - it was in the
Mailman 1.0 INSTALL document. I've never investigated whether or exactly
how one might access private archives under this circumstance, but
you've been warned.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
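
Added example, not part of the original message or of Mailman: a shell function that checks the condition the install manual warns about, namely whether the CGI user is in the mailman group, either through the member list in the group file or because the group is the user's primary GID. The function name `in_group` and the optional file arguments are assumptions made for this example; it reads only local files, so accounts served from LDAP or another NSS source need `getent group` / `getent passwd` output saved to files and passed in instead.

```shell
#!/bin/sh
# Added example (not Mailman code).
# in_group USER GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints "supplementary", "primary" or "no"; returns 0 when USER is a member.
# Usage on a live host:  in_group www-data mailman

in_group() {
    user=$1
    group=$2
    group_file=${3:-/etc/group}
    passwd_file=${4:-/etc/passwd}

    # Supplementary membership: field 4 of the group's line is a
    # comma-separated user list. Compare whole names, not substrings.
    if awk -F: -v u="$user" -v g="$group" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }' "$group_file"; then
        echo supplementary
        return 0
    fi

    # Primary membership: the user's GID in passwd (field 4) equals the
    # group's GID (field 3). This never shows up in the member list.
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    ugid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -n "$gid" ] && [ "$gid" = "$ugid" ]; then
        echo primary
        return 0
    fi

    echo no
    return 1
}
```

A result of `supplementary` or `primary` for the web server's CGI user is the situation the manual's warning describes.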

