On 01/07/2003 Richard Barrett wrote: > >the mailmanctl script doesn't set groups. > >so when i run mailmanctl as root, i become list:list but still have the > >groups that root has. that's a grave security bug. > > I think not. I believe you are mistaking the meaning of the output from the > id command you are running. The group affiliations of the process do not > mean that the uid in the output has privileges of those groups. Just try > getting the code in the ArchRunner.py to modify a file owned by root with > no write privileges for other when mailmanctl has ben started by root to > see what I mean. The process will only have the privileges associated with > the uid/euid and gid/egid.
ok, i believe that, but it's still a bug. add user list (running mailman) to a group (i.e. testgroup), and try to modify a file owned by someone.testgroup with write privileges only for group (and user if you want). that's exactly why i found that bug. the user (list) that runs my external archiver (lurker) has to be in group lurker. bye mejo ps: i'm not subscribed to mailman-developers -- Efficiency and progess is ours one more Now that we have the Neutron bomb It's nice and quick and clean and gets things done Kill kill kill kill kill the poor tonight
pgp00000.pgp
Description: PGP signature
------------------------------------------------------ Mailman-Users mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ This message was sent to: [EMAIL PROTECTED] Unsubscribe or change your options at http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
