[Pkg-mailman-hackers] Bug#603904: Bug#603904: Bug#603904: Fresh installation of mailman has wrong permissions, causes archiving to fail

Thijs Kinkhorst thijs at debian.org
Sun Jul 22 11:08:58 UTC 2012


On Wed, July 18, 2012 14:09, Thorsten Glaser wrote:
>> This means that any (php/perl/python) script running with the webserver
>> privileges can potentially read/write to /var/lib/mailman/data .
>
> Hrm. So does the other way: mailman can read/write apache's stuff.
> It may not be quite that big an attack surface, but... *shrug*
>
> I think fix_perms -f should be run in postinst, once. And if we
> want to adopt your way round, fix_perms must be fixed... gah.

Well, I don't think we must run check_perms -f at all, we need to install
things in the way we think the permissions are correct, not run some
script later to change them.

Indeed this entire bug stems from the conflict that there is between the
need of Mailman to write to that directory (as list), and for Mailman (as
www-data) to be able to read it.

In any case it will be necessary for the www-data user to gain permission
to read the archives. After all, there's no other way to make private
archives work. The concept that on a shared host with Apache using
www-data different apps can read each other's data must be considered known
to the admin - this goes for any web app you install in such a scenario.


Cheers,
Thijs
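
The permission conflict discussed in this thread (the `list` user must write /var/lib/mailman/data, the web server's `www-data` user must read the archives, and ideally must not be able to write them) can be checked mechanically. The script below is an added illustration written for this archive page; it is not code from the Debian mailman package or from anyone in the thread. It models the POSIX owner/group/other class selection for a directory entry and evaluates constructed scenarios: the users, group memberships and mode bits (0o2775 vs 0o2750) are assumptions chosen to show the trade-off, not the values the Debian package actually installs.

```python
"""Model who can read/write the Mailman data directory under different modes.

Added example, not code from Debian's mailman package or from the bug thread.
All principals, group memberships and modes are constructed for illustration.
"""
import stat
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Principal:
    """An unprivileged Unix account; root is deliberately not modelled."""
    name: str
    primary_group: str
    supplementary_groups: FrozenSet[str] = frozenset()

    @property
    def groups(self) -> set:
        return {self.primary_group} | set(self.supplementary_groups)


@dataclass(frozen=True)
class Entry:
    """A filesystem entry with its owner, group and full st_mode bits."""
    path: str
    owner: str
    group: str
    mode: int  # e.g. 0o2775: setgid + rwxrwxr-x


# Mode bits per permission class, indexed by the requested access.
_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def can(principal: Principal, entry: Entry, want: str) -> bool:
    """POSIX class selection: owner class if the user owns the entry, else
    group class if any of the user's groups match, else the other class.
    Only the entry itself is checked; real access also needs 'x' on every
    ancestor directory, which this model leaves out."""
    usr, grp, oth = _BITS[want]
    if principal.name == entry.owner:
        bit = usr
    elif entry.group in principal.groups:
        bit = grp
    else:
        bit = oth
    return bool(entry.mode & bit)


# Constructed principals (assumptions, not Debian's real account setup).
LIST = Principal("list", "list")
WWW_IN_LIST = Principal("www-data", "www-data", frozenset({"list"}))
WWW_PLAIN = Principal("www-data", "www-data")
NOBODY = Principal("nobody", "nogroup")


def data_dir(mode: int) -> Entry:
    """/var/lib/mailman/data owned list:list; the setgid bit (0o2000) makes
    files Mailman creates inherit the 'list' group, which is what lets a
    group-based reader see them later."""
    return Entry("/var/lib/mailman/data", "list", "list", mode)


def assess(web_user: Principal, mode: int) -> Tuple[bool, bool, bool]:
    """Return (list can write, web user can read, web user can write)."""
    d = data_dir(mode)
    return (can(LIST, d, "w"), can(web_user, d, "r"), can(web_user, d, "w"))


def verdict(web_user: Principal, mode: int) -> str:
    """Classify a scenario against the two requirements from the thread."""
    list_w, web_r, web_w = assess(web_user, mode)
    if not list_w:
        return "mailman-cannot-write"
    if not web_r:
        return "web-cannot-read"      # private archives cannot be served
    if web_w:
        return "web-can-write"        # any www-data script can alter data
    if can(NOBODY, data_dir(mode), "r"):
        return "world-readable"       # reads work, but so does everyone's
    return "ok"                       # list writes, www-data reads only


if __name__ == "__main__":
    for who, label in ((WWW_IN_LIST, "www-data in group list"),
                       (WWW_PLAIN, "www-data not in group list")):
        for mode in (0o2775, 0o2750):
            print(f"{label:28s} mode {mode:o}: {verdict(who, mode)}")
```

Run stand-alone it prints one line per scenario. The combination the thread worries about is a group-writable directory with `www-data` in the `list` group: reads work, but so do writes from any script the web server runs. Dropping the group write bit keeps the read path for private archives while removing that write access; removing `www-data` from the group instead breaks the reads the thread says are unavoidable.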
