Date: Fri, 12 Jan 2001 22:22:49 -0800 From: Kris Kennaway <kris@FreeBSD.ORG> To: Ryan Thompson <ryan@sasknow.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Majordomo lists security Message-ID: <20010112222249.A28910@citusc.usc.edu> In-Reply-To: <Pine.BSF.4.21.0101130002390.67378-100000@ren.sasknow.com>; from ryan@sasknow.com on Sat, Jan 13, 2001 at 12:05:10AM -0600 References: <Pine.BSF.4.21.0101130002390.67378-100000@ren.sasknow.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
>
> Hmm... Maybe this has been answered before.
>
> Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> world readable? Does not just the "majordom" user/group ever read the
> files contained therein? Until now, I've never really had cause to play
> with majordomo, but I was notably concerned when I saw the administrative
> password for each list stored clear text in a predictable world readable
> file/directory. :-)
From the makefile:
.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
/usr/bin/dialog --yesno "Majordomo is unsafe to use on multi-user machines: local users can run
arbitrary commands as the majordomo user. Do you wish to accept the security risk and build majordomo
anyway?" 8 60 || ${FALSE}
.endif
Kris
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE6X/Q5Wry0BWjoQKURAu9PAKCb42qSyEXwHFtntds3DpfpnZ8RaACff5T6
O3FnzGfSRlz9Fcgh5wTLyYc=
=zlLk
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010112222249.A28910>