Date:      Sat, 13 Jan 2001 01:49:50 -0500 (EST)
From:      Mikhail Kruk <meshko@cs.brandeis.edu>
To:        Ryan Thompson <ryan@sasknow.com>
Cc:        Kris Kennaway <kris@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: Majordomo lists security
Message-ID:  <Pine.LNX.4.30.0101130148490.27661-100000@daedalus.cs.brandeis.edu>
In-Reply-To: <Pine.BSF.4.21.0101130021480.69511-100000@ren.sasknow.com>

That's all great, sarcasm on or off, but is there a list server which can
be run securely on a multi-user machine?
(I assume that just changing permissions on those files does not make
majordomo secure. Or does it??)

> Kris Kennaway wrote to Ryan Thompson:
>
> > On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> > >
> > > Hmm...  Maybe this has been answered before.
> > >
> > > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > > world readable?  Does not just the "majordom" user/group ever read the
> > > files contained therein?  Until now, I've never really had cause to play
> > > with majordomo, but I was notably concerned when I saw the administrative
> > > password for each list stored clear text in a predictable world readable
> > > file/directory.  :-)
> >
> > From the makefile:
> >
> > .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
> >         /usr/bin/dialog --yesno "Majordomo is unsafe to use on multi-user machines: local users can run arbitrary commands as the majordomo user. Do you wish to accept the security risk and build majordomo anyway?" 8 60 || ${FALSE}
> > .endif
> >
> > Kris
>
> <sarcasm>
>   Great!
> </sarcasm>
>
> Thanks, Kris.
>
> I did tighten the permissions on the majordomo lists directories, which
> has got to help... though user logins are disabled on the majordomo
> machine, so one avenue of attack is closed (or at least severely hampered
> :-).
>
> Can you (or someone, here) provide any suggestions or success stories
> they've had with patches or permissions and majordomo?
>
> - Ryan
>
> --
>   Ryan Thompson <ryan@sasknow.com>
>   Network Administrator, Accounts
>
>   SaskNow Technologies - http://www.sasknow.com
>   #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
>
>         Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
>   Toll-Free: 877-727-5669     (877-SASKNOW)     North America
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
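
The permission tightening discussed in this thread, as an added example that is not part of the original messages: a POSIX shell audit that lists entries under a lists directory that other local users can access, flags world-readable files holding a clear-text list password, and removes access for "other". It covers only the file-permission exposure, not the command-execution issue in the Makefile warning. The key names `admin_passwd` / `approve_passwd` and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Majordomo lists directory for
# access granted to "other" local users, then tighten it.

# Print entries under $1 that "other" may read, write or traverse.
audit_lists_dir() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Print world-readable files holding a clear-text list password.
# Assumption: admin_passwd / approve_passwd are the per-list config keys;
# adjust the pattern to match your installation.
exposed_passwords() {
    find "$1" -type f -perm -004 \
        -exec grep -lE '^[[:space:]]*(admin|approve)_passwd[[:space:]]*=' {} + | sort
}

# Drop every permission bit for "other"; owner and group bits are kept.
tighten_lists_dir() {
    chmod -R o-rwx "$1"
}

# Build a constructed sample tree (file names and password are made up).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lists"
    printf 'admin_passwd = constructed-secret\n' > "$d/lists/test-l.config"
    printf 'user@example.org\n' > "$d/lists/test-l"
    printf 'description = private\n' > "$d/lists/private-l.config"
    chmod 755 "$d/lists"
    chmod 644 "$d/lists/test-l.config" "$d/lists/test-l"
    chmod 640 "$d/lists/private-l.config"
    printf '%s\n' "$d/lists"
}

# Demo on the sample; pass a real path as $1 to audit it without changing it.
if [ -n "${1:-}" ]; then
    audit_lists_dir "$1"; exposed_passwords "$1"
else
    sample=$(make_sample)
    echo "before:"; audit_lists_dir "$sample"
    echo "clear-text passwords readable by anyone:"; exposed_passwords "$sample"
    tighten_lists_dir "$sample"
    echo "after: $(audit_lists_dir "$sample" | wc -l | tr -d ' ') entries open to other"
    rm -rf "${sample%/lists}"
fi
```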


