[Pkg-mailman-hackers] Bug#356877: mailman: private archive dir permissions insecure
Lionel Elie Mamane
lionel at mamane.lu
Wed Mar 15 07:34:32 UTC 2006
On Tue, Mar 14, 2006 at 09:23:13AM -0600, Max Bowsher wrote:
> Mailman's postinst currently contains the following command:
> chmod o-r,o+x /var/lib/mailman/archives/private
> The effect of o+x permissions on this directory is that ANY local
> user has read access to ALL mailman mail archives, if they know or
> can guess the name of the list.
> The purpose of the o+x permissions is to allow www-data to serve up
> the public archives.
Yup.
> Perhaps a method could be found which doesn't involve granting world
> access to the archives?
We're open to suggestions. That thing must be group list so that
mailman can write there. Putting www-data as user would give www-data
too much power there. We cannot put the files themselves non world
readable, as Apache won't serve anything that isn't world-readable as
far as I remember. The same holds for putting www-data in group list.
If we could rely on file ACLs, it would be easier...
--
Lionel
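The traversal problem the report describes is easy to miss in an audit because `ls` on an o-r directory fails for other users, which looks like the data is protected. The script below is an added example (not code from the bug report or from the Debian mailman package) that flags the situation Max describes: a directory that other users may traverse (o+x) but not list (o-r), holding world-readable files that anyone who knows the path can still open. It checks permission bits with `find -perm`, so it works regardless of which user runs it. The fixture directory and file names are constructed for the demo; only `/var/lib/mailman/archives/private` and the `chmod o-r,o+x` setting come from the report.

```shell
#!/bin/sh
# Added example, not from Bug#356877 or the mailman package.
# audit_hidden_but_reachable DIR
#   Succeeds (exit 0) and prints every world-readable regular file
#   below DIR when DIR itself is traversable by "other" (o+x).
#   Fails (exit 1) and prints nothing when DIR has no o+x bit, since
#   other users then cannot reach anything below it by path.
audit_hidden_but_reachable() {
    dir=$1
    # -prune stops find at DIR itself; -perm -001 tests the o+x bit.
    if [ -z "$(find "$dir" -prune -type d -perm -001 -print)" ]; then
        return 1
    fi
    # -perm -004 selects files with the o+r bit set.
    find "$dir" -type f -perm -004 -print | sort
}

# count_reachable DIR prints the number of files the audit would flag.
count_reachable() {
    audit_hidden_but_reachable "$1" | wc -l | tr -d ' '
}

# Build a constructed fixture shaped like the archive tree in the report:
#   private/            (o-r,o+x as the postinst sets it)
#   private/secret-list/2006-March.txt   (mode 644, i.e. world-readable)
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/private/secret-list"
    printf 'archived mail\n' > "$tmp/private/secret-list/2006-March.txt"
    chmod 644 "$tmp/private/secret-list/2006-March.txt"
    chmod 2775 "$tmp/private/secret-list"
    chmod 2775 "$tmp/private"
    chmod o-r,o+x "$tmp/private"   # the setting from the postinst
    echo "With o+x on private/: $(count_reachable "$tmp/private") file(s) reachable by path"
    chmod o-x "$tmp/private"
    echo "With o-x on private/: $(count_reachable "$tmp/private") file(s) reachable by path"
    rm -rf "$tmp"
}

demo
```

Running `demo` shows the o+x directory exposing the archived file even though a directory listing is denied, and removing o+x from the top directory closing that path for other local users; the script only reports, it does not change permissions on the real archive tree.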