On 2/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The mailman installation manual seems to imply that the mailman
> account should be added with no ability to log in to it. I translated
> what appeared to me to be the sense of the line given to Solaris.

As with most daemon accounts..

> However, after having gone through several fire drills of resetting
> file owner from root to mailman, I've set the account up with the
> directory /usr/local/mailman and "NP" in the /etc/shadow file.
> This allows me to su - mailman from root, but not to get a login
> from anywhere else. This is the same setup as is used for other
> Solaris "blind" accounts.

I don't see any reason that this would cause alarm. For caveat, see below...

> Is there any real reason not to use the account this way? I'm aware
> that Mailman security is based on group identity, not user, but
> external programs such as htdig running under cron need to have
> uid mailman in files it writes to or to be set up as a mailman-uid
> program. My personal preference is to set the needed uid's in the
> mailman runtime tree.

The main concern with this type of setup is that someone might be able to exploit a vulnerability in mailman or htdig or whatever to obtain a login shell for the users they run as. If that login shell is /bin/false, well, they can just do whatever they want (i.e., nothing at all) with that. If it's bash, well, that's another story altogether.

Please note: The mailman user shouldn't *need* a valid shell for programs to be running with its privileges. If there's not a reason you need to login (either via su or something else), you're probably better off giving mailman an invalid shell.

--
- Patrick Bogen
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
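The thread turns on two separate controls that decide whether a daemon account such as mailman can be used interactively: the password field in /etc/shadow (the "NP" the original poster set) and the login shell in /etc/passwd (the /bin/false versus bash distinction Patrick raises). The script below is an added example, not code from the thread or from the Mailman project; it audits constructed passwd/shadow entries (the uids, hash and dates are made up) and reports each control separately, returning success only when both rule out an interactive login.

```shell
#!/bin/sh
# Added example: audit a service account's ability to log in interactively.
# Two independent things grant that ability: a real shell in passwd and a
# usable password field in shadow. The sample entries are constructed.
SAMPLE_PASSWD='mailman:x:1004:1004:Mailman daemon:/usr/local/mailman:/bin/false
htdig:x:1005:1004:ht://Dig indexer:/usr/local/htdig:/bin/bash
listadm:x:1006:1004:List admin:/home/listadm:/bin/sh'
SAMPLE_SHADOW='mailman:NP:13500::::::
htdig:$1$c0nstructed$notarealhashvalue0000000:13500::::::
listadm::13500::::::'

# field <account> <colon-separated data> <field number>
field() {
    printf '%s\n' "$2" | grep "^$1:" | cut -d: -f"$3"
}

# Shells that cannot be used for an interactive session.
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/true) return 0 ;;
        *) return 1 ;;
    esac
}

# Password fields that block password authentication: Solaris "NP" (no
# password) and "*LK*" (locked), plus the "*" and "!" conventions used
# elsewhere. An EMPTY field is the opposite: no password is required at all.
is_locked_password() {
    case "$1" in
        NP|'*LK*'|\*|'!'|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per account; exit status 0 only when both the shell and the
# password field prevent an interactive login.
audit_account() {
    name=$1
    shell=$(field "$name" "$SAMPLE_PASSWD" 7)
    pw=$(field "$name" "$SAMPLE_SHADOW" 2)
    s_ok=1; p_ok=1
    if is_nologin_shell "$shell"; then
        s_txt="shell $shell (no login)"; s_ok=0
    else
        s_txt="shell $shell (INTERACTIVE)"
    fi
    if [ -z "$pw" ]; then
        p_txt="password EMPTY (login without password)"
    elif is_locked_password "$pw"; then
        p_txt="password locked"; p_ok=0
    else
        p_txt="password HASH SET (usable for login)"
    fi
    printf '%s: %s, %s\n' "$name" "$s_txt" "$p_txt"
    if [ "$s_ok" -eq 0 ] && [ "$p_ok" -eq 0 ]; then return 0; else return 1; fi
}

for u in mailman htdig listadm; do audit_account "$u" || :; done
```

Note that the password field does nothing against `su` run by root, which is never asked for a password; the shell is the control that matters there, which is why the poster's NP-plus-valid-shell setup still lets root `su - mailman`. With an invalid shell, cron jobs or ad-hoc commands can still run as mailman on systems whose `su` accepts `-s` (GNU su does), e.g. `su -s /bin/sh mailman -c 'command'`, or through `sudo -u mailman`.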