From owner-freebsd-security Fri Jan 12 22:50:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id 1D69C37B400; Fri, 12 Jan 2001 22:49:54 -0800 (PST)
Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id BAA27903; Sat, 13 Jan 2001 01:49:50 -0500
Date: Sat, 13 Jan 2001 01:49:50 -0500 (EST)
From: Mikhail Kruk
To: Ryan Thompson
Cc: Kris Kennaway ,
Subject: Re: Majordomo lists security
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's all great, sarcasm on or off, but is there a list server which can
be run securely on a multi-user machine? (I assume that just changing
permissions on those files does not make majordomo secure. Or does it??)

> Kris Kennaway wrote to Ryan Thompson:
>
> > On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> > >
> > > Hmm... Maybe this has been answered before.
> > >
> > > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > > world readable? Does not just the "majordom" user/group ever read the
> > > files contained therein? Until now, I've never really had cause to play
> > > with majordomo, but I was notably concerned when I saw the administrative
> > > password for each list stored clear text in a predictable world readable
> > > file/directory. :-)
> >
> > From the makefile:
> >
> > .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
> > 	/usr/bin/dialog --yesno "Majordomo is unsafe to use on multi-user machines: local users can run arbitrary commands as the majordomo user. Do you wish to accept the security risk and build majordomo anyway?" 8 60 || ${FALSE}
> > .endif
> >
> > Kris
>
> Great!
>
> Thanks, Kris.
>
> I did tighten the permissions on the majordomo lists directories, which
> has got to help... though user logins are disabled on the majordomo
> machine, so one avenue of attack is closed (or at least severely hampered
> :-).
>
> Can you (or someone, here) provide any suggestions or success stories
> they've had with patches or permissions and majordomo?
>
> - Ryan
>
> --
> Ryan Thompson
> Network Administrator, Accounts
>
> SaskNow Technologies - http://www.sasknow.com
> #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
>
> Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
> Toll-Free: 877-727-5669 (877-SASKNOW) North America
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
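The thread's concrete exposure is a lists tree whose directories and per-list config files (each holding the list's admin password in the clear) are readable by every local account. The following POSIX sh script is an added example, not code from the thread or from the Majordomo port: it audits a lists tree for world-readable entries, tightens the modes, and re-checks. The sample tree it builds under mktemp and the admin_passwd line in it are constructed for the demo; /usr/local/majordomo/lists is the path named in the thread, and the owner/group and the MTA's delivery account are assumptions you must adjust to your install.

```shell
#!/bin/sh
# Added example (not from the archived thread): audit a Majordomo lists tree
# for world-readable files and directories and tighten them. Paths below are
# hypothetical; the thread names /usr/local/majordomo/lists as the default.

# Print every entry below $1 whose mode grants "other" read access.
# -perm -004 is understood by both BSD and GNU find; -mindepth 1 skips the
# top directory itself. Output is relative to $1 and sorted for stable diffs.
find_world_readable() {
    find "$1" -mindepth 1 -perm -004 | sed "s|^$1/||" | sort
}

# Number of world-readable entries; zero means other users cannot read the tree.
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Tighten modes: directories 0750, regular files 0640. Ownership is left
# untouched here; on a real host the tree belongs to the majordom user/group
# (assumption) and the MTA's delivery user needs group access, so chown to
# suit your setup before relying on group permissions.
lock_down() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Build a constructed sample tree with the loose modes a fresh install would
# leave (0755 dirs, 0644 files), so the script runs without a real install.
# The password value is a placeholder, not a real secret.
make_sample_lists() {
    d=$(mktemp -d)
    mkdir -p "$d/announce"
    chmod 0755 "$d/announce"
    printf 'example-subscriber@example.invalid\n' > "$d/announce/announce"
    printf 'admin_passwd = PLACEHOLDER-not-a-real-password\n' \
        > "$d/announce/announce.config"
    chmod 0644 "$d/announce/announce" "$d/announce/announce.config"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree: audit, lock down, audit again.
sample=$(make_sample_lists)
echo "world-readable before lock_down:"
find_world_readable "$sample"
lock_down "$sample"
echo "world-readable after lock_down: $(count_world_readable "$sample")"
rm -rf "$sample"
```

Run it against the real tree with `find_world_readable /usr/local/majordomo/lists` first and read the output before calling `lock_down`; the audit is the useful part to keep in a periodic check, since a reinstall of the port or a list created by a tool with a loose umask will reopen the files.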