On 12/03/2014 09:34 AM, Lindsay Haisley wrote:
> What are the implications for mailman, functionally, of having the web
> server user, www-data as a member of the mailman group in /etc/group? I
> note that I've done this for _some_ reason on a couple of installs, and
> I've assumed that there were at least some security implications, but
> it's never been a problem. I've done a bit of googling for this and
> can't find a reference on it, so I thought I'd ask :)

The installation manual at
<http://www.list.org/mailman-install/node10.html> contains the following:

    Warning: You want to be very sure that the user id under which your
    CGI scripts run is not in the mailman group you created above,
    otherwise private archives will be accessible to anyone.

That warning pre-dates my involvement with Mailman - it was in the
Mailman 1.0 INSTALL document. I've never investigated whether or exactly
how one might access private archives under this circumstance, but
you've been warned.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
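
Added example, not part of the original message and not Mailman code: a check for the condition the install manual warns about, covering both a supplementary entry in /etc/group and the less visible case where the mailman GID is the CGI user's primary group in /etc/passwd. The names `www-data` and `mailman` come from the thread; the `apache` account and all sample file contents are constructed.

```python
def parse_group(group_text):
    """Map group name -> (gid, member set) from group(5) text."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # blank, comment or malformed entry
        members = {m.strip() for m in fields[3].split(",") if m.strip()}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def primary_gid(passwd_text, user):
    """Return the user's primary GID from passwd(5) text, or None."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == user and fields[3].isdigit():
            return int(fields[3])
    return None


def membership(passwd_text, group_text, user, group="mailman"):
    """List the ways `user` belongs to `group` (empty list = not a member)."""
    groups = parse_group(group_text)
    if group not in groups:
        return []
    gid, members = groups[group]
    found = []
    if user in members:
        found.append("supplementary")  # listed in /etc/group
    if primary_gid(passwd_text, user) == gid:
        found.append("primary")        # GID field in /etc/passwd
    return found


# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
apache:x:48:38:Apache:/usr/share/httpd:/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
"""
SAMPLE_GROUP = """
www-data:x:33:
mailman:x:38:www-data,list
"""

if __name__ == "__main__":
    for cgi_user in ("www-data", "apache", "root"):
        how = membership(SAMPLE_PASSWD, SAMPLE_GROUP, cgi_user)
        print(cgi_user, "->", ", ".join(how) if how else "not in mailman group")
```

On a live host, pass in the contents of /etc/passwd and /etc/group; accounts served from LDAP or NIS do not appear in those files.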