From owner-freebsd-security Sat Jan 13 7:54:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143])
	by hub.freebsd.org (Postfix) with ESMTP id 091CB37B69C
	for ; Sat, 13 Jan 2001 07:53:53 -0800 (PST)
Received: from localhost (smithi@localhost)
	by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id CAA29230;
	Sun, 14 Jan 2001 02:53:23 +1100 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Sun, 14 Jan 2001 02:53:22 +1100 (EST)
From: Ian Smith
To: Matt Piechota
Cc: Christian Weisgerber, freebsd-security@FreeBSD.ORG
Subject: Re: Majordomo lists security
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 13 Jan 2001, Matt Piechota wrote:

> On Sat, 13 Jan 2001, Christian Weisgerber wrote:
>
> > > I was notably concerned when I saw the administrative password
> > > for each list stored clear text in a predictable world readable
> > > file/directory. :-)
> >
> > You may get away with o-r on the .config files (aren't they already?),
> > but the subscriber list itself must remain world-readable.

The config and passwd files here came as mode 660 (or 640 - I do recall
making a few things group (majordom) writable that weren't originally), as
a couple of users manage lists; root still needed to create new ones.  I
chmod o-r a few other files too, but was slack not documenting it :(

> Is this for sendmail itself?  Sendmail runs as root (which isn't good,
> except in this case), so it can read anything it wants, regardless of
> permissions.  Or am I mistaken somewhere?

I was wondering about that too.  If not, can't root be added to group
majordom?  I find it a convoluted beastie to understand, but need it.

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
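A check for the permission question discussed in this thread, as an added example that is not part of the original message or of Majordomo itself: a POSIX shell function that walks a Majordomo lists directory and reports every *.config or *.passwd file that is readable by "other", optionally running chmod o-r on each one. The layout (LIST, LIST.config and LIST.passwd side by side in one directory), the function name and the "fix" argument are assumptions; the subscriber list file itself is deliberately not touched, in line with Christian's point that it must stay world-readable.

```shell
#!/bin/sh
# Added example, not Majordomo's own code.  Audits a lists directory for
# world-readable list secrets (*.config holds the admin password in
# cleartext, *.passwd the per-list password file) and leaves the
# subscriber list files alone.
#
# Usage: audit_list_perms DIR [fix]
#   prints one "world-readable: PATH" line per offending file
#   with a second argument of "fix", also runs chmod o-r on it
#   returns 0 if nothing was world-readable, 1 otherwise
#
# The "other" read bit is taken from column 8 of ls -l, which is the same
# on GNU and BSD ls, so no find(1) extensions are needed.
audit_list_perms() {
    dir=$1
    fix=$2
    rc=0
    for f in "$dir"/*.config "$dir"/*.passwd; do
        # unmatched globs stay literal; skip them
        [ -f "$f" ] || continue
        other_read=$(ls -ld "$f" | cut -c8)
        if [ "$other_read" = r ]; then
            echo "world-readable: $f"
            rc=1
            if [ "$fix" = fix ]; then
                chmod o-r "$f"
            fi
        fi
    done
    return $rc
}

# Run directly (e.g. ./audit.sh /usr/local/majordomo/lists fix) the script
# audits the directory given on the command line; the path is an example.
if [ $# -gt 0 ]; then
    audit_list_perms "$@"
fi
```

Run it from cron or before handing a box over, and expect a non-zero exit to mean something needs chmod o-r. As Matt notes in the thread, a process running as root reads these files regardless of the mode bits, so the check protects against the other local users on the host, not against the root-run MTA.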