From owner-freebsd-security Fri Jan 12 22:44:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id C6AB037B401; Fri, 12 Jan 2001 22:44:07 -0800 (PST)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id AAA71147; Sat, 13 Jan 2001 00:44:02 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Sat, 13 Jan 2001 00:44:02 -0600 (CST)
From: Ryan Thompson
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo lists security
In-Reply-To: <20010112222249.A28910@citusc.usc.edu>
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote to Ryan Thompson:

> On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> >
> > Hmm... Maybe this has been answered before.
> >
> > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > world readable? Does not just the "majordom" user/group ever read the
> > files contained therein? Until now, I've never really had cause to play
> > with majordomo, but I was notably concerned when I saw the administrative
> > password for each list stored clear text in a predictable world readable
> > file/directory. :-)
>
> From the makefile:
>
> .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
>         /usr/bin/dialog --yesno "Majordomo is unsafe to use on
>         multi-user machines: local users can run
>         arbitrary commands as the majordomo user. Do you wish to accept the
>         security risk and build majordomo anyway?" 8 60 || ${FALSE}
> .endif
>
> Kris

Great! Thanks, Kris.

I did tighten the permissions on the majordomo lists directories, which has got to help... though user logins are disabled on the majordomo machine, so one avenue of attack is closed (or at least severely hampered :-).

Can you (or someone, here) provide any suggestions or success stories they've had with patches or permissions and majordomo?

- Ryan

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161
Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
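One way to audit a Majordomo lists directory for world-readable entries and tighten them in the way Ryan describes, as an added example that is not part of this thread or of the majordomo port. It assumes a lists directory laid out like /usr/local/majordomo/lists, builds a constructed sample tree so it runs unprivileged, and leaves the chown to the "majordom" user (which needs root) to the operator.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits and tightens a
# Majordomo "lists" directory so that list files (including the cleartext
# per-list admin password files) are not readable by "other".

# Print every path under $1 that is readable by "other" (mode bit 004 set),
# whether file or directory. Octal -perm keeps this portable to BSD find.
find_world_readable() {
    find "$1" -perm -004 -print | sort
}

# Count of world-readable entries under $1, with wc's padding stripped so
# the result is a bare integer usable in shell arithmetic or test(1).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Drop all "other" permissions under $1: directories become 0750 (the
# majordom group can still traverse), files become 0640. In production
# this is followed by: chown -R majordom:majordom "$1" (needs root).
tighten_lists_dir() {
    find "$1" -type d -exec chmod 0750 {} \;
    find "$1" -type f -exec chmod 0640 {} \;
}

# Build a constructed sample tree that mimics a default install:
# a list subscriber file and its .config, all world readable.
# The password value is a placeholder, not a real secret.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lists"
    printf 'user@example.org\n' > "$dir/lists/announce"
    printf 'admin_passwd = PLACEHOLDER-NOT-A-REAL-PASSWORD\n' \
        > "$dir/lists/announce.config"
    chmod 0755 "$dir/lists"
    chmod 0644 "$dir/lists/announce" "$dir/lists/announce.config"
    echo "$dir"
}
```

Run `count_world_readable /usr/local/majordomo/lists` before and after `tighten_lists_dir` on a real install to confirm nothing is left readable by other users.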