My company is running and testing Mailman to replace majordomo (finally)
in a FreeBSD environment. From the README.BSD file I see that it is
possible to install without turning on the setgid bit on directories.
However, even with a 'make DIRSETGID=: install' a number of executable
files are installed with the setgid bit. The fact that these same files,
as well as pretty much everything else in the mailman directory, are set
to allow world read and execute makes us very nervous, especially since
this is a shared environment. Are we missing something or is this not a
recipe for anyone being able to run these commands?

I realize that most things are password protected as well and it appears
only the cgi-files are setgid, but we were toying with this idea and were
wondering how bad of an idea it is.

chmod -R go-rwxs /u/mailman
chmod 4550 /u/mailman/cgi-bin/*
chown -R mailman:webgroup /u/mailman/cgi-bin
chmod 750 /u/mailman/cgi-bin
chmod 644 /u/mailman/data/*
chmod 711 /u/mailman
chmod 711 /u/mailman/data/


We also did this, but are not sure they are necessary:

chmod 711 /u/mailman/mail
chmod 711 /u/mailman/mail/mailman

We figure we would rather have the web server running these scripts as
mailman instead of allowing anyone to execute all of these scripts.

After we made these changes in the test environment everything seems to be
functioning normally from the outside perspective.

If this is a horrible idea, why? And if this is highly discouraged, has
anyone else done anything to limit permissions further from the default
install to disallow prying eyes and curious fingers?

Thanks.

Matthew Ruzicka - Systems Administrator
Front Range Internet, Inc.
matt at frii.net - (970) 212-0728

Got SPAM? Take back your email with MailArmory. http://www.MailArmory.com


  • John Dennis at Dec 14, 2004 at 5:18 pm

    On Mon, 2004-12-13 at 19:05, Matt Ruzicka wrote:
    > My company is running and testing Mailman to replace majordomo (finally)
    > in a FreeBSD environment. From the README.BSD file I see that it is
    > possible to install without turning on the setgid bit on directories.
    > However, even with a 'make DIRSETGID=: install' a number of executable
    > files are installed with the setgid bit. The fact that these same files,
    > as well as pretty much everything else in the mailman directory, are set
    > to allow world read and execute makes us very nervous, especially since
    > this is a shared environment. Are we missing something or is this not a
    > recipe for anyone being able to run these commands?
    >
    > I realize that most things are password protected as well and it appears
    > only the cgi-files are setgid, but we were toying with this idea and were
    > wondering how bad of an idea it is.
    >
    > chmod -R go-rwxs /u/mailman
    > chmod 4550 /u/mailman/cgi-bin/*
    > chown -R mailman:webgroup /u/mailman/cgi-bin
    > chmod 750 /u/mailman/cgi-bin
    > chmod 644 /u/mailman/data/*
    > chmod 711 /u/mailman
    > chmod 711 /u/mailman/data/
    >
    > We also did this, but are not sure they are necessary:
    >
    > chmod 711 /u/mailman/mail
    > chmod 711 /u/mailman/mail/mailman
    >
    > We figure we would rather have the web server running these scripts as
    > mailman instead of allowing anyone to execute all of these scripts.
    >
    > After we made these changes in the test environment everything seems to be
    > functioning normally from the outside perspective.
    >
    > If this is a horrible idea, why? And if this is highly discouraged, has
    > anyone else done anything to limit permissions further from the default
    > install to disallow prying eyes and curious fingers?

    The reason why DIRSETGID is different on BSD is because of "directory
    inheritance" of the setuid and setgid bits; this is explained here:
    http://www.linuxpowered.com/html/editorials/file.html

    A few months back I went over the installation process with a fine-tooth
    comb and noted some parts of the installation relied on this inheritance
    property, which is system specific. I cleaned some of this up to make it
    explicit and system agnostic. Although the patch was sent to the
    developers list, I didn't add it to the SourceForge patch area, which I
    need to do so it's in the official queue.

    I doubt you will run into problems with the world execute bit set;
    Mailman's security is group based. This is the point of having those
    executables be setgid. I believe you will discover all the executables
    you are concerned about check the group (src/common.c) of the user
    executing them. If the group is not valid (a build time option) then
    the executable exits with a fatal error, otherwise the command runs with
    an effective group id (hence the setgid bit) of mailman (or whatever it
    was defined to be at configure/build time). Thus only defined groups are
    allowed to execute the command, and when it executes it only executes as
    group mailman.
    --
    John Dennis <jdennis at redhat.com>
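
The caller-group check described in the reply above, as an added sketch that is not part of either post and is not Mailman's src/common.c. The function names and the allow-listed group names (`www`, `webgroup`) are assumptions for illustration; in a real build the list would be fixed at configure/build time.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if `name` appears in the NULL-terminated allow-list, else 0. */
int group_allowed(const char *name, const char *const allowed[]) {
    if (name == NULL)
        return 0;
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strcmp(name, allowed[i]) == 0)
            return 1;
    return 0;
}

/*
 * Decide from the caller's REAL gid. The setgid bit changes only the
 * effective gid of the process, so the real gid still identifies the
 * group of whoever invoked the binary, even when the file mode lets
 * everyone execute it.
 */
int caller_may_run(gid_t real_gid, const char *const allowed[]) {
    struct group *gr = getgrgid(real_gid);
    /* A gid with no group entry is rejected rather than trusted. */
    return gr != NULL && group_allowed(gr->gr_name, allowed);
}

int main(void) {
    /* Hypothetical allow-list; stands in for the build-time option. */
    static const char *const allowed[] = { "www", "webgroup", NULL };

    if (!caller_may_run(getgid(), allowed)) {
        fprintf(stderr, "fatal: caller gid %ld is not an allowed group\n",
                (long)getgid());
        return 1;
    }
    /* A real wrapper would now run the script with its effective gid. */
    printf("caller accepted; effective gid is %ld\n", (long)getegid());
    return 0;
}
```

Because the decision uses `getgid()` rather than `getegid()`, a world-executable setgid binary still refuses callers outside the listed groups.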
