From owner-freebsd-security Sat Jan 13 6:51:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.bsdonline.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22])
	by hub.freebsd.org (Postfix) with ESMTP id 2778C37B400
	for ; Sat, 13 Jan 2001 06:50:53 -0800 (PST)
Received: from localhost (piechota@localhost)
	by cithaeron.bsdonline.org (8.9.3/8.9.3) with ESMTP id JAA14577;
	Sat, 13 Jan 2001 09:50:40 -0500 (EST)
	(envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.bsdonline.org: piechota owned process doing -bs
Date: Sat, 13 Jan 2001 09:50:40 -0500 (EST)
From: Matt Piechota
X-Sender: piechota@cithaeron.bsdonline.org
To: Christian Weisgerber
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo lists security
In-Reply-To: <93phq4$1q24$1@kemoauc.mips.inka.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 13 Jan 2001, Christian Weisgerber wrote:

> > I was notably concerned when I saw the administrative password
> > for each list stored clear text in a predictable world readable
> > file/directory. :-)
>
> You may get away with o-r on the .config files (aren't they already?),
> but the subscriber list itself must remain world-readable.

Is this for sendmail itself?  Sendmail runs as root (which isn't good,
except in this case), so it can read anything it wants, regardless of
permissions.  Or am I mistaken somewhere?

-- 
Matt Piechota
http://www.emailempire.com/~piechota


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message