[Mailman-Users] CGI account shouldn't be part of mailman group, but...

John Dennis jdennis at redhat.com
Tue Jul 12 23:46:43 CEST 2005


On Tue, 2005-07-12 at 17:34 -0400, Poster wrote:
> Ok, according to the docs, if the account that runs CGI scripts is a
> member of the mailman group, then private archives can be seen by
> everyone. This is a bad thing. However, in order for apache to update
> files in the mailman paths (like locks and such), these files have to
> be writable by the CGI user. So either the CGI user is a member of the
> mailman group, or the directory is left readable, writable, and
> executable by members not of the group! Hopefully, I'm missing
> something. Any ideas?

I think you might be missing something. The account that runs CGI
scripts is *NOT* a member of the mailman group, rather the cgi wrapper
transitions to the mailman group via setgid, thus it's only mailman
operations that are executing as group mailman. In addition, private
mailman archives are authenticated by mailman. I don't think the problem
you're concerned about exists, unless perhaps I've misunderstood you.
You might find this FAQ helpful:


6.16. Understanding group mismatch errors - how mailman implements
security
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq06.016.htp

-- 
John Dennis <jdennis at redhat.com>
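
An added example, not part of the original message and not Mailman's own code: a Python check of the permission model described in the reply above (setgid wrapper, web server account outside the mailman group, private archives closed to others). The gid values, the `fake_stat` helper and the function names are assumptions made for illustration, and the rule that private archives carry no read or write bit for others is this example's policy.

```python
import grp
import os
import pwd
import stat
from types import SimpleNamespace


def audit(wrapper_st, archive_st, web_user_gids, mailman_gid):
    """Return a list of findings; an empty list means the layout matches the model."""
    findings = []
    # The wrapper needs the setgid bit and mailman group ownership, otherwise
    # it cannot switch to that group when the web server executes it.
    if not wrapper_st.st_mode & stat.S_ISGID:
        findings.append("wrapper is not setgid")
    if wrapper_st.st_gid != mailman_gid:
        findings.append("wrapper is not group-owned by mailman")
    # The web server account itself stays outside the mailman group.
    if mailman_gid in web_user_gids:
        findings.append("web server account is a member of mailman")
    # Private archives are reached through group access only.
    if archive_st.st_gid != mailman_gid:
        findings.append("private archives are not group-owned by mailman")
    if archive_st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("private archives are readable or writable by others")
    return findings


def audit_host(wrapper_path, archive_path, web_user, group="mailman"):
    """Collect the real values from the running system and audit them."""
    mailman_gid = grp.getgrnam(group).gr_gid
    gids = {pwd.getpwnam(web_user).pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if web_user in g.gr_mem)
    return audit(os.stat(wrapper_path), os.stat(archive_path), gids, mailman_gid)


def fake_stat(mode, gid):
    """Constructed stand-in for os.stat_result, so the demo runs offline."""
    return SimpleNamespace(st_mode=mode, st_gid=gid)


MAILMAN_GID, WEB_GID = 41, 33  # constructed sample gids

if __name__ == "__main__":
    # Layout from the reply: setgid wrapper, web account not in the group.
    print(audit(fake_stat(0o102755, MAILMAN_GID), fake_stat(0o042770, MAILMAN_GID),
                {WEB_GID}, MAILMAN_GID))
    # Layout the question worried about: group membership and open directories.
    print(audit(fake_stat(0o100755, 0), fake_stat(0o040777, MAILMAN_GID),
                {WEB_GID, MAILMAN_GID}, MAILMAN_GID))
```

On a real host, `audit_host` takes the wrapper path, the private archive path and the web server account name for that installation.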



