[Mailman-Users] Is there a security hole in Mailman?
Mark Sapiro
msapiro at value.net
Mon Feb 13 22:30:11 CET 2006
Jim Popovitch wrote:
>
>OK, but just to be clear, those wrappers (default location is
>/usr/local/mailman/cgi-bin) need to be accessible by the webserver. So,
>is it safe to assume that only cgi-bin needs world read/executable
>permissions? Can I "chmod -R o=" everything in /usr/local/mailman/
>except cgi-bin/ and mail/?
Not quite. The remaining issue is archives because public archives are
the only things that are not accessed through a wrapper. That's an
important access issue, i.e. forcing private archive access to be only
via the 'private' wrapper/script which forces authentication.
Because public archives are accessed directly by the web server via the
'pipermail' alias and the symlinks in archives/public, the
archives/private/<listname>/ directories and their subordinate archive
contents must be accessible by 'other', but the archives/private/
directory itself has permissions 02771 to prevent 'other' getting the
names of the lists by reading the directory.
--
Mark Sapiro <msapiro at value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
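The layout described in the reply above (everything `o=` except the wrappers, with `archives/private` at 02771 so the web server can traverse into a known list directory but cannot enumerate list names) can be checked mechanically. The script below is an added example, not Mailman's own code or anything the posters wrote. It assumes GNU coreutils (`stat -c`) and a `find` that understands `-path` and `-prune`; the sample tree it builds in a temp directory, with one hypothetical list `mylist`, is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example: audit the 'other' permission bits of a Mailman-style
# tree against the layout described in the message above.
# Assumes GNU coreutils 'stat -c %a' (prints e.g. 2771 including the setgid bit).

# mode_of PATH -> octal permission bits as printed by GNU stat
mode_of() {
    stat -c '%a' "$1"
}

# last_digit MODE -> the 'other' digit of an octal mode string
last_digit() {
    printf '%s\n' "${1#"${1%?}"}"
}

# audit_mailman_perms ROOT
# Returns 0 when the tree matches the message's description:
#  - archives/private is 02771: setgid, group rwx, 'other' may traverse (x)
#    but not read the directory, so list names cannot be enumerated
#  - each archives/private/<list>/ is reachable by 'other' (r and x)
#  - every wrapper in cgi-bin/ and mail/ stays executable by 'other'
#  - nothing else under ROOT (outside archives, cgi-bin, mail) grants
#    'other' any r, w or x bit, i.e. "chmod -R o=" has been applied
audit_mailman_perms() {
    root="$1"
    fail=0
    priv="$root/archives/private"

    m=$(mode_of "$priv")
    if [ "$m" != "2771" ]; then
        echo "BAD: $priv is $m, expected 2771"
        fail=1
    fi

    for d in "$priv"/*/; do
        [ -d "$d" ] || continue
        m=$(mode_of "$d")
        case "$(last_digit "$m")" in
            5|7) ;;   # other has r+x
            *) echo "BAD: $d is $m, 'other' needs r+x"; fail=1 ;;
        esac
    done

    for w in "$root/cgi-bin"/* "$root/mail"/*; do
        [ -e "$w" ] || continue
        m=$(mode_of "$w")
        case "$(last_digit "$m")" in
            1|3|5|7) ;;   # other has x
            *) echo "BAD: wrapper $w is $m, 'other' needs x"; fail=1 ;;
        esac
    done

    # Anything outside the three web-facing subtrees with any 'other' bit set
    extra=$(find "$root" ! -path "$root" \
        \( -path "$root/archives" -o -path "$root/cgi-bin" -o -path "$root/mail" \) -prune \
        -o \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$extra" ]; then
        echo "BAD: world-accessible paths outside cgi-bin/mail/archives:"
        echo "$extra"
        fail=1
    fi

    return "$fail"
}

# make_sample_tree -> prints the path of a constructed tree laid out as
# the message describes (hypothetical list name 'mylist')
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archives/private/mylist" "$root/archives/public" \
             "$root/cgi-bin" "$root/mail" "$root/lists/mylist" "$root/data"
    touch "$root/cgi-bin/private" "$root/mail/mailman" \
          "$root/lists/mylist/config.pck" "$root/archives/private/mylist/index.html"
    chmod 2771 "$root/archives/private"          # traverse-only for 'other'
    chmod 755  "$root/archives/private/mylist"   # list archive reachable
    chmod 644  "$root/archives/private/mylist/index.html"
    chmod 2755 "$root/cgi-bin" "$root/mail" "$root/cgi-bin/private" "$root/mail/mailman"
    chmod -R o= "$root/lists" "$root/data"       # everything else closed to 'other'
    printf '%s\n' "$root"
}

# Stand-alone usage: build the sample tree and audit it
if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_tree)
    audit_mailman_perms "$r" && echo "OK: $r matches the described layout"
fi
```

Run with `sh audit.sh --demo`, or point `audit_mailman_perms` at a real `/usr/local/mailman`. A failing check prints each offending path with its current mode, which is the list an administrator would work through before opening the web server to the tree.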