James Riendeau wrote:
>
>I need to run bin/add_members in our Mailman 2.1.11 list server
>installation from a cgi/perl script.  Normally, it has to run as
>root.   The easy solution was to add the www user to the mailman
>group.  You can then:
>
>open(LISTSERVER, '|-', '/usr/local/mailman/bin/add_members', '-r-', $list_name)
>    or die "Cannot run add_members: $!";  # list form: no shell parses $list_name
>print LISTSERVER $email;
>close(LISTSERVER);
>
>My question is: are there any security consequences from adding the
>Apache2 user to the mailman group I should be aware of?


It potentially allows the web server to access the Mailman installation
without going through the CGIs. This could potentially allow retrieval
of private archives and config.pck files which contain member
addresses and their list passwords.

Instead of doing this, you could make a compiled executable wrapper
which is SETGID mailman and which calls add_members.

You can also add members to a list by posting to or getting
<http://www.example.com/mailman/admin/LIST/members/add> with
appropriate query fragments. See, e.g.,
<http://mail.python.org/pipermail/mailman-users/2004-December/041214.html>.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
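
The setgid wrapper suggested in the reply above, as an added example; it is not part of the original message and not Mailman's own code. The `wrapper LIST ADDRESS` calling convention, the name and address validation rules, and the install mode are assumptions; the add_members path is the one from the quoted post.

```c
/* Added example: setgid-mailman wrapper for add_members (not Mailman's own code).
 * Assumed install: chgrp mailman wrapper && chmod 2755 wrapper */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ADD_MEMBERS "/usr/local/mailman/bin/add_members" /* path from the post */

/* Assumed policy: lowercase letters, digits, '-', '_', '.'; no leading '-' or
 * '.', so the name can never be read as an option or a path. */
int valid_listname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-' || s[0] == '.') return 0;
    for (; *s; s++)
        if (!islower((unsigned char)*s) && !isdigit((unsigned char)*s) &&
            !strchr("-_.", *s)) return 0;
    return 1;
}

/* One address per call: exactly one '@' with text on both sides, printable
 * ASCII only, so a newline cannot smuggle extra addresses into the -r- input. */
int valid_email(const char *s) {
    size_t n = strlen(s);
    const char *at = strchr(s, '@');
    if (n > 254 || !at || at == s || !at[1] || strchr(at + 1, '@')) return 0;
    for (; *s; s++)
        if (!isgraph((unsigned char)*s) || strchr("<>,;\"()\\", *s)) return 0;
    return 1;
}

int main(int argc, char **argv) {
    /* Fixed environment: the caller cannot pass PYTHONPATH and the like. */
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int fd[2];
    if (argc != 3 || !valid_listname(argv[1]) || !valid_email(argv[2])) {
        fprintf(stderr, "usage: %s LIST ADDRESS\n", argc ? argv[0] : "wrapper");
        return 2;
    }
    char *const args[] = { ADD_MEMBERS, "-r-", argv[1], NULL };
    /* The address is far below PIPE_BUF, so it can be queued before exec. */
    if (pipe(fd) != 0 || write(fd[1], argv[2], strlen(argv[2])) < 0 ||
        write(fd[1], "\n", 1) < 0 || close(fd[1]) != 0) return 1;
    if (fd[0] != STDIN_FILENO && (dup2(fd[0], STDIN_FILENO) < 0 || close(fd[0])))
        return 1;
    execve(ADD_MEMBERS, args, envp); /* no shell involved */
    perror("execve");
    return 1;
}
```

With a wrapper like this the www user stays out of the mailman group, so the web server gains only the ability to add one validated address to a named list, not read access to archives or config.pck files.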
