[Mailman-Users] [bug in mm2.1] mailmanctl doesn't set groups.

Richard Barrett r.barrett at openinfo.co.uk
Tue Jul 1 17:15:42 CEST 2003


At 13:24 01/07/2003, Jonas Meurer wrote:
>*** PGP Signature Status: unknown
>*** Signer: Unknown, Key ID xE25F2102
>*** Signed: 01/07/2003 13:24:59
>*** Verified: 01/07/2003 15:13:06
>*** BEGIN PGP VERIFIED MESSAGE ***
>
>
>hello,
>the mailmanctl script doesn't set groups.
>so when i run mailmanctl as root, i become list:list but still have the
>groups that root has. that's a grave security bug.

I think not. I believe you are mistaking the meaning of the output from the 
id command you are running. The group affiliations of the process do not 
mean that the uid in the output has privileges of those groups. Just try 
getting the code in the ArchRunner.py to modify a file owned by root with 
no write privileges for other when mailmanctl has been started by root to 
see what I mean. The process will only have the privileges associated with 
the uid/euid and gid/egid.


>a possible (and working) patch is attached.
>
>
>bye
>  mejo
>
>ps: since the bug-reporting system at sourceforge doesn't work atm, i
>report the bug to the two mailman lists.
>
>--
>Efficiency and progress is ours one more
>Now that we have the Neutron bomb
>It's nice and quick and clean and gets things done
>Kill kill kill kill kill the poor tonight
>
>
>  mailmanctl.patch
>
>
>
>*** END PGP VERIFIED MESSAGE ***

------------------------------------------------------------------------------
Richard Barrett                                      http://www.openinfo.co.uk
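
An added example, not part of the original thread and not Mailman's code: a Python check for the condition reported above, a process that has changed uid/gid but still carries the supplementary groups of the account that started it, together with a drop sequence that resets them. The function names and the sample status text are constructed for illustration; the `Uid`, `Gid` and `Groups` fields are those of Linux `/proc/<pid>/status`.

```python
import os

# Constructed sample: /proc/<pid>/status fields of a daemon started by root
# that switched to uid/gid 38 without resetting its supplementary groups.
SAMPLE_STATUS = (
    "Name:\tpython\n"
    "Uid:\t38\t38\t38\t38\n"
    "Gid:\t38\t38\t38\t38\n"
    "Groups:\t0 1 2 3 4 6 10 \n"
)

def parse_credentials(status_text):
    """Return (uids, gids, supplementary_groups) from /proc status text."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Uid", "Gid", "Groups"):
            fields[key] = [int(tok) for tok in value.split()]
    if "Uid" not in fields or "Gid" not in fields:
        raise ValueError("status text lacks Uid/Gid lines")
    return fields["Uid"], fields["Gid"], fields.get("Groups", [])

def retained_groups(status_text):
    """Supplementary groups that are not one of the process's own gids.

    The kernel consults this list, in addition to the process gid, when it
    evaluates the group permission bits of a file.
    """
    _, gids, groups = parse_credentials(status_text)
    return sorted(set(groups) - set(gids))

def drop_privileges(uid, gid):
    """Switch from root to uid/gid. Order matters: each call needs root."""
    os.setgroups([gid])  # reset the supplementary list first
    os.setgid(gid)
    os.setuid(uid)       # last: afterwards the groups can no longer be changed
    if os.getuid() != uid or os.getgid() != gid or set(os.getgroups()) - {gid}:
        raise RuntimeError("privilege drop incomplete")

if __name__ == "__main__":
    print(retained_groups(SAMPLE_STATUS))
    if os.path.exists("/proc/self/status"):  # Linux only
        with open("/proc/self/status") as fh:
            print(retained_groups(fh.read()))
```

To audit a running daemon, pass the contents of `/proc/<pid>/status` for its pid to `retained_groups`; an empty list means no extra groups were carried over.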




