[Mailman-Users] CGI account shouldn't be part of mailman group, but...

[John Dennis]

Just to expand a bit on something I should have elaborated:

There is exactly one member of the mailman group, the user mailman. When
the MTA or web server want to perform a mailman operation it invokes
what is called a wrapper. The wrappers are group mailman and are setgid,
this means the wrapper executes as the group mailman even if the MTA or
web server invoked it. The wrapper performs a security check on the
process that invoked it to assure only permitted users have permission
to invoke the wrapper, only the MTA is allowed to invoke the mail
wrapper, only the web server is allowed to invoke the CGI wrapper.
-- 
John Dennis <jdennis at redhat.com>