mailing list archives
Re: Insecure default permissions for MailMan Professional Edition,
From: christopher () SCHULTE ORG (Christopher Schulte)
Date: Fri, 3 Dec 1999 14:58:37 -0600
It should be quite possible to wrap the mailman cgi processes
to its own UID on the web server. CGI scripts do not have
to have the power and access of 'nobody' these days.
Indeed, mailman is NOT designed to be a complete secure email
system. Of this I am in total agreement. That does not,
however, mean that using Mailman is an immediate security
risk. There are usually many ways to secure a program.
Just because the DOCS do not tell you, does not mean you
should give up and either move to another product or
accept the risks.
Security is the responsibility of both the developer
and end user, imho. To trust one or the other with
absoluteness is a problem. Know the code you produce.
Know the code you use. If you don't know how to
audit code, then at least understand that there are other
ways of minimizing possible problems via many other
methods. Learn to identify, implement, and evaluate the
effectiveness of your security measures.
Then shoot for world peace. :-P
On Thu, Dec 02, 1999 at 02:41:08PM +0000, Terry wrote:
MailMan was intended as a comfort feature for users, an add-on per say. The
extra ability to check email anywhere instead of having to logon to the
system. It should not be used for absolute secure email use. If you use
MailMan and your users have the ability to make and use cgi-scripts, then it
will not matter what permissions you use. MailMan runs on your web-server and
thusly it runs as 'nobody' or whatever name you have given the web-server.
Also, your user's cgi's run as 'nobody' on the web server. So, if a user
creates a cgi that can access files and directories as nobody via the web, then
they can also access all the files that MailMan creates.
So you see, Mailman is absolutely not your solution if you want the most secure
email system. Yes changing the perms to 0600 and 0700 helps deter; however, it
does not protect absolutely from within the system.
If you wish a copy of a cgi script that I downloaded from the open web, that
does execute commands as 'nobody', just email me at the above address.
I am Chris. Hi.
<!--#include mail="christopher () schulte org" -->
<!--#include name="Christopher Schulte" -->
<!--#include site="www.schulte.org" -->