From owner-freebsd-security Sat Jan 13 5:31: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.inka.de (quechua.inka.de [212.227.14.2])
	by hub.freebsd.org (Postfix) with ESMTP id 4C32837B400
	for ; Sat, 13 Jan 2001 05:30:50 -0800 (PST)
Received: from kemoauc.mips.inka.de (uucp@) by mail.inka.de
	with local-bsmtp id 14HQlX-0008NE-00; Sat, 13 Jan 2001 14:30:43 +0100
Received: (from daemon@localhost)
	by kemoauc.mips.inka.de (8.11.1/8.11.1) id f0DCV1160355
	for freebsd-security@freebsd.org; Sat, 13 Jan 2001 13:31:01 +0100 (CET)
	(envelope-from daemon)
From: naddy@mips.inka.de (Christian Weisgerber)
Subject: Re: Majordomo lists security
Date: Sat, 13 Jan 2001 12:31:00 +0000 (UTC)
Message-ID: <93phq4$1q24$1@kemoauc.mips.inka.de>
References:
Originator: naddy@mips.inka.de (Christian Weisgerber)
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ryan Thompson wrote:

> Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> world readable? Does not just the "majordom" user/group ever read the
> files contained therein?

No, sendmail reads the subscriber list. It's just an :include:d alias
expansion, after all.

> I was notably concerned when I saw the administrative password
> for each list stored clear text in a predictable world readable
> file/directory. :-)

You may get away with o-r on the .config files (aren't they already?),
but the subscriber list itself must remain world-readable.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
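
The permission split described in this reply, written as a small audit script. This is an added example, not part of the original message and not Majordomo's own tooling. It assumes each list's subscriber file is the file named after the list, sitting beside its `<list>.config`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Majordomo lists directory for the two rules in the
# reply above: .config files should not be readable by "other", while the
# subscriber file that sendmail expands via :include: must stay readable.
# Assumption: list "name" keeps its subscribers in "name" next to "name.config".

# Print "r" if others may read the file, "-" otherwise.
# Column 8 of the ls -l mode string is the others-read bit.
other_read() {
    ls -ld "$1" | cut -c8
}

# audit_lists DIR: print one finding per line; return 1 if anything was found.
audit_lists() {
    dir=$1
    findings=0
    for cfg in "$dir"/*.config; do
        [ -f "$cfg" ] || continue            # glob matched nothing
        list=${cfg%.config}                  # subscriber file (assumed naming)
        if [ "$(other_read "$cfg")" = "r" ]; then
            echo "WORLD-READABLE-CONFIG $cfg (fix: chmod o-r)"
            findings=$((findings + 1))
        fi
        if [ -f "$list" ] && [ "$(other_read "$list")" != "r" ]; then
            echo "UNREADABLE-SUBSCRIBER-FILE $list (fix: chmod o+r)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# When given a directory argument, audit it, for example:
#   sh audit.sh /usr/local/majordomo/lists
[ "$#" -eq 0 ] || audit_lists "$1"
```

The second check matters when tightening permissions in bulk: a recursive `chmod o-r` on the directory fixes the password exposure but also removes the read access the reply says the subscriber list needs.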