Syn, Joonho wrote:

> I'm writing a mailman dashboard page for my company using cgi/perl but in
> order to get the necessary info I'll need to give apache read access to all
> the current .pck files as well as any made in the future. What are the
> security implications of adding apache to the mailman group or just using sudo
> in my script?
If you add apache to the mailman group, you give the web server permission to read and write any Mailman files. Thus, an inadvertent apache config error or an apache security issue could give the world this access via your web server.

Mailman itself avoids this by invoking its CGI scripts via compiled SETGID wrappers which set the effective GID to Mailman's group and check to be sure the real GID is that of the web server. Thus the wrapper can only be executed by the web server and the web server can only access Mailman via the specific CGIs.

You could create such a wrapper to give access to your script in the same way or as you suggest, use sudo in your script to gain access. Either would be preferable to adding apache to the mailman group. I would avoid sudo unless it could be done in a way that doesn't allow other scripts that might be beyond your control to also use sudo.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list [email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
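The wrapper approach Mark describes, as an added example that is not Mailman's own wrapper code and not part of the original thread: a small setgid C program that refuses to run unless the caller's real GID is the web server's group, confirms it was installed setgid to the mailman group, hands the Perl script only an allowlisted CGI environment, and then execs it. The script path and the two group names (`SCRIPT_PATH`, `WEB_GROUP`, `MAILMAN_GROUP`) are hypothetical values chosen for illustration.

```c
/* Added example (not Mailman's own wrapper): a minimal setgid CGI wrapper.
 * Install with   chgrp mailman wrapper && chmod 2755 wrapper
 * and point Apache's ScriptAlias at the wrapper, not at the Perl script.
 * SCRIPT_PATH, WEB_GROUP and MAILMAN_GROUP are hypothetical values. */
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SCRIPT_PATH   "/usr/local/mailman/dashboard/dashboard.pl" /* hypothetical */
#define WEB_GROUP     "apache"   /* group the web server runs as (assumed) */
#define MAILMAN_GROUP "mailman"  /* group that owns the .pck files (assumed) */

/* Only these CGI variables reach the script; everything else in the
 * caller's environment (PATH, LD_*, PERL5LIB, ...) is dropped. */
static const char *ALLOWED_ENV[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "HTTP_COOKIE", "HTTP_HOST",
    "PATH_INFO", "QUERY_STRING", "REMOTE_ADDR", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", NULL
};

/* Core check: the real GID (who actually invoked us) must be the web
 * server's group.  Returns 1 if the caller is allowed. */
int real_gid_allowed(gid_t real_gid, gid_t web_gid) {
    return real_gid == web_gid;
}

/* Returns 1 if a variable name is on the CGI allowlist. */
int env_allowed(const char *name) {
    for (int i = 0; ALLOWED_ENV[i] != NULL; i++)
        if (strcmp(ALLOWED_ENV[i], name) == 0)
            return 1;
    return 0;
}

/* Resolve a group name to a GID; returns 1 on success. */
int lookup_gid(const char *name, gid_t *out) {
    struct group *g = getgrnam(name);
    if (g == NULL)
        return 0;
    *out = g->gr_gid;
    return 1;
}

/* Build a fresh environment: a fixed PATH plus allowlisted CGI variables
 * copied from our own environment.  Returns a NULL-terminated array. */
char **build_env(void) {
    size_t n = 0;
    size_t cap = sizeof(ALLOWED_ENV) / sizeof(ALLOWED_ENV[0]) + 1; /* +PATH */
    char **envp = calloc(cap, sizeof(char *));
    if (envp == NULL)
        return NULL;
    envp[n++] = strdup("PATH=/usr/bin:/bin");
    for (int i = 0; ALLOWED_ENV[i] != NULL; i++) {
        const char *val = getenv(ALLOWED_ENV[i]);
        if (val == NULL)
            continue;
        size_t len = strlen(ALLOWED_ENV[i]) + 1 + strlen(val) + 1;
        char *entry = malloc(len);
        if (entry == NULL)
            return NULL;
        snprintf(entry, len, "%s=%s", ALLOWED_ENV[i], val);
        envp[n++] = entry;
    }
    envp[n] = NULL;
    return envp;
}

/* Returns 1 if an exact "NAME=value" entry is present in envp. */
int env_has(char **envp, const char *entry) {
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strcmp(envp[i], entry) == 0)
            return 1;
    return 0;
}

int main(void) {
    gid_t web_gid, mm_gid;
    if (!lookup_gid(WEB_GROUP, &web_gid) || !lookup_gid(MAILMAN_GROUP, &mm_gid)) {
        fprintf(stderr, "wrapper: cannot resolve groups\n");
        return 2;
    }
    if (!real_gid_allowed(getgid(), web_gid)) {    /* not the web server */
        fprintf(stderr, "wrapper: caller's group is not %s\n", WEB_GROUP);
        return 3;
    }
    if (getegid() != mm_gid) {                      /* not installed setgid */
        fprintf(stderr, "wrapper: not running setgid %s\n", MAILMAN_GROUP);
        return 4;
    }
    char **envp = build_env();
    if (envp == NULL)
        return 5;
    /* The effective GID survives execve of a non-setgid file, so the
     * script runs with real GID = web server, effective GID = mailman. */
    char *argv[] = { SCRIPT_PATH, NULL };
    execve(SCRIPT_PATH, argv, envp);
    perror("wrapper: execve");
    return 1;
}
```

Because the script then runs with a real GID that differs from its effective GID, Perl switches taint mode on by itself, which is a useful second line of defence for a CGI that reads list data. The environment allowlist matters as much as the GID checks: a setgid program that passes its caller's environment through unchanged lets a misconfigured or compromised web server influence the interpreter via variables like `PERL5LIB` or `LD_PRELOAD`.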
