[ mailman-Bugs-1022762 ] common.c is using getgid() instead of
getegid
SourceForge.net
noreply at sourceforge.net
Sun Sep 5 23:40:41 CEST 2004
Bugs item #1022762, was opened at 2004-09-05 17:40
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1022762&group_id=103
Category: security/privacy
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Geoff Mottram (gmottram)
Assigned to: Nobody/Anonymous (nobody)
Summary: common.c is using getgid() instead of getegid
Initial Comment:
The mailman wrapper that is used with its set group id
set is checking the real group id in src/common.c (line
121). This will only work if mailman is configured to
use the group "mail" as that is the only time the real
and effective group of mailman will match the
configuration.
Any programs run by sendmail are real user id of "mail"
and real group id of "mail".
When using the set group id or set user id flags on an
executable file, the program's real group and user
values do not change, only their effective group and
user id's.
I am running Fedora core release 1 (kernel version
2.4.22), mailman version 2.1.5 and sendmail 8.12.10
with "smrsh".
The fix is to change line 121 in src/common.c from:
mygid = getgid()
to
mygid = getegid()
With this change mailman can be installed as group
"mailman" (or any other group besides "mail") instead
of group "mail" (which is probably a security issue).
Best,
Geoff Mottram
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1022762&group_id=103
More information about the Mailman-coders
mailing list