From owner-freebsd-security  Fri Jan 12 22:21:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123])
	by hub.freebsd.org (Postfix) with ESMTP id CAE0837B402
	for <freebsd-security@FreeBSD.ORG>; Fri, 12 Jan 2001 22:21:32 -0800 (PST)
Received: (from kris@localhost)
	by citusc.usc.edu (8.9.3/8.9.3) id WAA28920;
	Fri, 12 Jan 2001 22:22:49 -0800
Date: Fri, 12 Jan 2001 22:22:49 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Ryan Thompson <ryan@sasknow.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo lists security
Message-ID: <20010112222249.A28910@citusc.usc.edu>
References: <Pine.BSF.4.21.0101130002390.67378-100000@ren.sasknow.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="gBBFr7Ir9EOA20Yy"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <Pine.BSF.4.21.0101130002390.67378-100000@ren.sasknow.com>; from ryan@sasknow.com on Sat, Jan 13, 2001 at 12:05:10AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--gBBFr7Ir9EOA20Yy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
>=20
> Hmm...  Maybe this has been answered before.
>=20
> Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> world readable?  Does not just the "majordom" user/group ever read the
> files contained therein?  Until now, I've never really had cause to play
> with majordomo, but I was notably concerned when I saw the administrative
> password for each list stored clear text in a predictable world readable
> file/directory.  :-)

=46rom the makefile:

=2Eif !defined(BATCH) && !defined(PACKAGE_BUILDING)
        /usr/bin/dialog --yesno "Majordomo is unsafe to use on multi-user m=
achines: local users can run
 arbitrary commands as the majordomo user. Do you wish to accept the securi=
ty risk and build majordomo
anyway?" 8 60 || ${FALSE}
=2Eendif

Kris

--gBBFr7Ir9EOA20Yy
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6X/Q5Wry0BWjoQKURAu9PAKCb42qSyEXwHFtntds3DpfpnZ8RaACff5T6
O3FnzGfSRlz9Fcgh5wTLyYc=
=zlLk
-----END PGP SIGNATURE-----

--gBBFr7Ir9EOA20Yy--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message