Date: Sat, 13 Jan 2001 01:49:50 -0500 (EST)
From: Mikhail Kruk <meshko@cs.brandeis.edu>
To: Ryan Thompson <ryan@sasknow.com>
Cc: Kris Kennaway <kris@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Majordomo lists security
Message-ID: <Pine.LNX.4.30.0101130148490.27661-100000@daedalus.cs.brandeis.edu>
In-Reply-To: <Pine.BSF.4.21.0101130021480.69511-100000@ren.sasknow.com>

That's all great, sarcasm on or off, but is there a list server which can
be run securely on a multi-user machine? (I assume that just changing
permissions on those files does not make majordomo secure. Or does it??)

> Kris Kennaway wrote to Ryan Thompson:
>
> > On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> > >
> > > Hmm... Maybe this has been answered before.
> > >
> > > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > > world readable? Does not just the "majordom" user/group ever read the
> > > files contained therein? Until now, I've never really had cause to play
> > > with majordomo, but I was notably concerned when I saw the administrative
> > > password for each list stored clear text in a predictable world readable
> > > file/directory. :-)
> >
> > From the makefile:
> >
> > .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
> > /usr/bin/dialog --yesno "Majordomo is unsafe to use on
> > multi-user machines: local users can run
> > arbitrary commands as the majordomo user. Do you wish to accept the
> > security risk and build majordomo anyway?" 8 60 || ${FALSE}
> > .endif
> >
> > Kris
>
> <sarcasm>
> Great!
> </sarcasm>
>
> Thanks, Kris.
>
> I did tighten the permissions on the majordomo lists directories, which
> has got to help... though user logins are disabled on the majordomo
> machine, so one avenue of attack is closed (or at least severely hampered
> :-).
>
> Can you (or someone, here) provide any suggestions or success stories
> they've had with patches or permissions and majordomo?
>
> - Ryan
>
> --
> Ryan Thompson <ryan@sasknow.com>
> Network Administrator, Accounts
>
> SaskNow Technologies - http://www.sasknow.com
> #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
>
> Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
> Toll-Free: 877-727-5669 (877-SASKNOW) North America
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message