[Pkg-mailman-hackers] Bug#603904: Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail
Thorsten Glaser
t.glaser at tarent.de
Wed Jul 18 12:09:23 UTC 2012
On Wed, 18 Jul 2012, Luca Gibelli wrote:

> If you run fix_perms -f as you suggested, the dir is chgrp'ed to "list"
> and then indeed you need to add the user "www-data" to the group "list"
> to make the private archive work.

Hum yes, but that’s how upstream does it.

> This means that any (php/perl/python) script running with the webserver
> privileges can potentially read/write to /var/lib/mailman/data .

Hrm. So does the other way: mailman can read/write apache’s stuff.
It may not be quite that big an attack surface, but… *shrug*

I think fix_perms -f should be run in postinst, once. And if we
want to adopt your way round, fix_perms must be fixed… gah.

Thijs, any idea?

Thanks,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
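
The trade-off discussed in this message can be measured before choosing a group layout. The following is an added example, not part of the original message and not Mailman or Debian code: a shell function (the name group_exposure is hypothetical) that lists what membership in a group grants under a directory tree, for instance what "www-data" gains under /var/lib/mailman by joining "list". It assumes plain Unix mode bits only; ACLs and parent-directory traversal are not evaluated.

```shell
#!/bin/sh
# Added example (constructed; not from the thread or the Debian package).
# group_exposure DIR GROUP
#   Prints one line per entry under DIR that is group-owned by GROUP and
#   carries group permission bits a member of GROUP could use:
#     "write <path>"  group-write bit set (0020)
#     "read  <path>"  group-read bit set (0040) but not group-write
#   Entries without group r/w bits are not listed.
# Assumption: ACLs and the x bits of parent directories are not checked,
# so this is an upper bound on what a group member can reach.
group_exposure() {
    dir=$1
    grp=$2

    # Writable by the group: a script running as any member can modify these.
    find "$dir" -group "$grp" -perm -0020 \
        -exec printf 'write %s\n' {} \;

    # Readable but not writable by the group: disclosure only.
    find "$dir" -group "$grp" -perm -0040 ! -perm -0020 \
        -exec printf 'read  %s\n' {} \;
}

# Typical use on the layout from the thread (run as root so nothing is skipped):
#   group_exposure /var/lib/mailman list
# and, for the opposite direction mentioned in the reply:
#   group_exposure /var/www www-data
```

Comparing the two listings shows which direction of group sharing exposes more files to the other service.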