Date: Sun, 14 Jan 2001 02:53:22 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Matt Piechota <piechota@argolis.org>
Cc: Christian Weisgerber <naddy@mips.inka.de>, freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo lists security
Message-ID: <Pine.BSF.3.96.1010114023755.28779A-100000@gaia.nimnet.asn.au>
In-Reply-To: <Pine.BSF.4.21.0101130948060.14541-100000@cithaeron.bsdonline.org>

On Sat, 13 Jan 2001, Matt Piechota wrote:

> On Sat, 13 Jan 2001, Christian Weisgerber wrote:
>
> > > I was notably concerned when I saw the administrative password
> > > for each list stored clear text in a predictable world readable
> > > file/directory. :-)
> >
> > You may get away with o-r on the .config files (aren't they already?),
> > but the subscriber list itself must remain world-readable.

The config and passwd files here came as mode 660 (or 640 - I do recall making a few things group (majordom) writable that weren't originally), as a couple of users manage lists; root still needed to create new ones. I chmod o-r a few other files too, but was slack not documenting it :(

> Is this for sendmail itself? Sendmail runs as root (which isn't good,
> except in this case), so it can read anything it wants, regardless of
> permissions. Or am I mistaken somewhere?

I was wondering about that too. If not, can't root be added to group majordom?

I find it a convoluted beastie to understand, but need it.

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message