On Mon, 2004-12-13 at 19:05, Matt Ruzicka wrote:
My company is running and testing Mailman to replace majordomo (finally)
in a FreeBSD environment. From the README.BSD file I see that it is
possible to install without turning on the setgid bit on directories.
However, even with a 'make DIRSETGID=: install' a number of executable
files are installed with the setgid bit. The fact that these same files,
as well as pretty much everything else in the mailman directory, are set
to allow world read and execute makes us very nervous, especially since
this is a shared environment. Are we missing something or is this not a
recipe for anyone being able to run these commands?

I realize that most things are password protected as well and it appears
only the cgi-files are setgid, but we were toying with this idea and were
wondering how bad of an idea it is.

chmod -R go-rwxs /u/mailman
chmod 4550 /u/mailman/cgi-bin/*
chown -R mailman:webgroup /u/mailman/cgi-bin
chmod 750 /u/mailman/cgi-bin
chmod 644 /u/mailman/data/*
chmod 711 /u/mailman
chmod 711 /u/mailman/data/

We also did this, but are not sure they are necessary:

chmod 711 /u/mailman/mail
chmod 711 /u/mailman/mail/mailman

We figure we would rather have the web server running these scripts as
mailman instead of allowing anyone to execute all of these scripts.

After we made these changes in the test environment everything seems to be
functioning normally from the outside perspective.

If this is a horrible idea, why? And if this is highly discouraged, has
anyone else done anything to limit permissions further from the default
install to disallow prying eyes and curious fingers?

The reason why DIRSETGID is different on BSD is because of "directory
inheritance" of the setuid and setgid bits, this is explained here:

A few months back I went over the installation process with a fine tooth
comb and noted some parts of the installation relied on this inheritance
property which is system specific. I cleaned some of this up to make it
explicit and system agnostic, although the patch was sent to the
developers list I didn't add it to the SourceForge patch area which I
need to do so it's in the official queue.

I doubt you will run into problems with the world execute bit set,
Mailman's security is group based. This is the point of having those
executables be setgid. I believe you will discover all the executables
you are concerned about check the group (src/common.c) of the user
executing them. If the group is not valid (a build time option) then
the executable exits with a fatal error, otherwise the command runs with
an effective group id (hence the setgid bit) of mailman (or whatever it
was defined to be at configure/build time). Thus only defined groups are
allowed to execute the command and when it executes it only executes as
group mailman.
John Dennis <jdennis at redhat.com>
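
Added example (not part of either post, and not Mailman's code): a small model of classic Unix mode-bit semantics that compares a setgid, world-executable CGI wrapper with the chmod 4550 / chown mailman:webgroup layout proposed in the question. The 2755 mode, the root owner, the file name and the www and alice accounts are assumptions constructed for illustration.

```python
import stat
from typing import NamedTuple, Optional, Tuple

class File(NamedTuple):
    path: str
    mode: int   # permission bits including setuid/setgid
    owner: str  # names stand in for numeric ids
    group: str

class Caller(NamedTuple):
    user: str
    group: str         # primary group
    groups: frozenset  # all group memberships

def exec_result(f: File, c: Caller) -> Optional[Tuple[str, str]]:
    """Return None if exec is denied, else the (euid, egid) the process gets.

    Models mode bits only: no root override, ACLs or nosuid mounts.
    Only the first matching class (owner, group, other) is consulted.
    """
    if c.user == f.owner:
        allowed = f.mode & stat.S_IXUSR
    elif f.group in c.groups:
        allowed = f.mode & stat.S_IXGRP
    else:
        allowed = f.mode & stat.S_IXOTH
    if not allowed:
        return None
    euid = f.owner if f.mode & stat.S_ISUID else c.user
    egid = f.group if f.mode & stat.S_ISGID else c.group
    return (euid, egid)

# Constructed sample: setgid mailman and world-executable (assumed 2755, root-owned).
DEFAULT = File("cgi-bin/admin", 0o2755, "root", "mailman")
# Layout from the question: chmod 4550 plus chown mailman:webgroup.
PROPOSED = File("cgi-bin/admin", 0o4550, "mailman", "webgroup")

WWW = Caller("www", "webgroup", frozenset({"webgroup"}))  # web server account (assumed)
ALICE = Caller("alice", "users", frozenset({"users"}))    # other shell user (assumed)

if __name__ == "__main__":
    for label, f in (("default", DEFAULT), ("proposed", PROPOSED)):
        for c in (WWW, ALICE):
            print(f"{label:9} {stat.filemode(stat.S_IFREG | f.mode)} "
                  f"{c.user:6} -> {exec_result(f, c)}")
```

In this model the proposed layout denies exec to accounts outside webgroup, and the wrapper then runs with effective user mailman and effective group webgroup rather than effective group mailman. With the assumed default mode any account can start the wrapper with effective group mailman, which is the point at which the caller-group check described in the reply applies.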

Discussion Overview
group: mailman-users @
posted: Dec 14, '04 at 12:05a
active: Dec 14, '04 at 5:18p