[Mailman-Users] Permissions problem accessing commands via php

[Mark Sapiro]

Dave B wrote:

>I am guessing that this is a bad idea but I want to ask anyway. PHP 
>runs as the Apache user which is www. I have added www to the mailman 
>group and this works. I have since removed it but wanted to see whether 
>that created too much of a security risk?

It allows apache to access Mailman files without going through the
Mailman cgi-bin wrappers. Of course, by making permissions = 664 on
config.pck, you allow even greater access to those files.

The problem is that if someone can craft a URL or XSS attack or ? to
retrieve a config.pck file directly, they can get the membership list
and the plain text member passwords. Also, they can do something
similar to get private archive files.

A perhaps better way to do this since you said in the OP that you are
the only one with shell access to the server, is to make the bin/
scripts you want to use group mailman and SETGID. Then they should
work no matter how they are run.

The best way is to do as John Dennis suggested and create a SETGID
wrapper to be executed by your PHP scripts. The wrapper would check to
insure it was properly invoked before calling the appropriate bin/*
script.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan