Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 13 Jan 2001 00:44:02 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Majordomo lists security
Message-ID:  <Pine.BSF.4.21.0101130021480.69511-100000@ren.sasknow.com>
In-Reply-To: <20010112222249.A28910@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 
Kris Kennaway wrote to Ryan Thompson:

> On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> > 
> > Hmm...  Maybe this has been answered before.
> > 
> > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > world readable?  Does not just the "majordom" user/group ever read the
> > files contained therein?  Until now, I've never really had cause to play
> > with majordomo, but I was notably concerned when I saw the administrative
> > password for each list stored clear text in a predictable world readable
> > file/directory.  :-)
> 
> From the makefile:
> 
> .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
>         /usr/bin/dialog --yesno "Majordomo is unsafe to use on
> multi-user machines: local users can run
>  arbitrary commands as the majordomo user. Do you wish to accept the
> security risk and build majordomo anyway?" 8 60 || ${FALSE} .endif
> 
> Kris

<sarcasm>
  Great!
</sarcasm>

Thanks, Kris.

I did tighten the permissions on the majordomo lists directories, which
has got to help... though user logins are disabled on the majordomo
machine, so one avenue of attack is closed (or at least severely hampered 
:-).

Can you (or someone, here) provide any suggestions or success stories
they've had with patches or permissions and majordomo?

- Ryan

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0101130021480.69511-100000>