[Mailman-Users] Security consequences of adding www user to mailmangroup

Mark Sapiro mark at msapiro.net
Fri Dec 19 18:06:42 CET 2008


James Riendeau wrote:
>
>I need to run bin/add_member in our Mailman 2.1.11 list server
>installation from a cgi/perl script. Normally, it has to run as
>root. The easy solution was to add the www user to the mailman
>group. You can then:
>
># Pipe member addresses into add_members; "-r-" reads the
># regular (non-digest) members from standard input.
>open(LISTSERVER, '|/usr/local/mailman/bin/add_members -r- '.$list_name);
>print LISTSERVER $email;
>close(LISTSERVER);
>
>My question is: are there any security consequences from adding the
>Apache2 user to the mailman group I should be aware of?


It potentially allows the web server to access the Mailman installation
without going through the CGIs. This could potentially allow retrieval
of private archives and config.pck files which contain member
addresses and their list passwords.

Instead of doing this, you could make a compiled executable wrapper
which is SETGID mailman and which calls add_members.

You can also add members to a list by posting to or getting
<http://www.example.com/mailman/admin/LIST/members/add> with
appropriate query fragments. See, e.g.,
<http://mail.python.org/pipermail/mailman-users/2004-December/041214.html>.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
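The setgid wrapper Mark suggests, as an added example that is not code from this thread or from Mailman: a compiled binary, installed `root:mailman` with mode 2755, that validates the list name, discards the caller's environment and execs `bin/add_members` with a fixed argument list, so the web user never needs to be in the mailman group and the list name never passes through a shell. The path to add_members comes from the original post; the list-name rule and the PATH value are assumptions.

```c
/* Added example: minimal setgid-mailman wrapper around bin/add_members.
 * Install (as root): chown root:mailman addmember_wrap; chmod 2755 addmember_wrap
 * Usage: echo user@example.com | ./addmember_wrap LISTNAME
 * The list-name rule and the PATH below are assumptions, not Mailman's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ADD_MEMBERS "/usr/local/mailman/bin/add_members"  /* path from the post */

/* Accept only names that cannot be read as an option or a path:
 * 1..64 characters from [a-z0-9_-], not beginning with '-'. */
int valid_listname(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !valid_listname(argv[1])) {
        fprintf(stderr, "usage: %s LISTNAME  (member addresses on stdin)\n", argv[0]);
        return 2;
    }
    /* Do not let the web server's environment reach the privileged script. */
    char *const env[] = { "PATH=/usr/bin:/bin", NULL };
    /* The wrapper fixes the options; the caller only supplies the list name.
     * "-r -" reads regular members from stdin, as in the original Perl. */
    char *const args[] = { ADD_MEMBERS, "-r", "-", argv[1], NULL };
    execve(ADD_MEMBERS, args, env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

The setgid bit is honoured on the compiled binary and the mailman group id is inherited across the execve, which is why the wrapper must be compiled rather than a script.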


