
Mailman

Tracker: Bugs

SECURITY: Pipermail permissions problem - ID: 474616
Last Update: Comment added ( argggh )

$mailman_root/archive/private is o+x in the default
installation. This allows anyone with local access to
the machine to read the archives of private mailing
lists, as long as they know the (trivial) structure of
the files beneath this directory.

I have verified that changing this directory to o-x
causes *all* pipermail pages to become inaccessible, so
that does not resolve the problem.

There presumably needs to be a setgid program involved
which can verify that the user is authenticated and
give access to the archives if appropriate; then that
directory can be made o-x.


Submitted by: H. Peter Anvin ( hpa ) - 2001-10-24 20:35
Priority: 8
Status: Closed
Resolution: Wont Fix
Assigned to: Nobody/Anonymous
Category: Pipermail
Group: None
Visibility: Public
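The report above is about Unix permission bits, so the check a defender wants is a script that answers the same question the report poses: which entries under the private archive tree can an arbitrary local account reach, given that traversal only needs o+x on every directory on the path, not o+r? The following is an added example written for this page, not Mailman's own code. It assumes the layout archives/private/<list>/ and archives/private/<list>.mbox/<list>.mbox (constructed here with the default-install modes the report describes), and its restrict_to_group() hardening assumes, as the thread's later discussion implies, that whatever serves the pages runs with the archive's group, since dropping the o+x bit alone is what makes all pipermail pages inaccessible.

```python
"""Audit a Mailman-style private archive tree for world-reachable entries.

Added example, not Mailman code.  The sample tree below is constructed
in a temporary directory; the archives/private/<list>/ and
<list>.mbox/<list>.mbox layout is an assumption about the installation.
"""
import os
import stat
import tempfile


def exposed_entries(root):
    """Return [(relative_path, reason)] for everything any local user can reach.

    A directory is traversable for 'other' only if it and every directory
    between it and ``root`` carry o+x (o+r additionally makes it listable).
    A regular file is readable only if it is reachable and carries o+r.
    ``root`` itself is assumed to sit below traversable system directories,
    which is the situation for $mailman_root in the report.
    """
    exposed = []

    def walk(path):
        st = os.lstat(path)            # lstat: do not follow symlinks
        mode = stat.S_IMODE(st.st_mode)
        rel = os.path.relpath(path, root)
        if stat.S_ISDIR(st.st_mode):
            if not mode & stat.S_IXOTH:
                return                 # nobody outside owner/group gets past here
            listable = bool(mode & stat.S_IROTH)
            exposed.append((rel, "directory traversable (o+x)"
                            + (", listable (o+r)" if listable else "")))
            for name in sorted(os.listdir(path)):
                walk(os.path.join(path, name))
        elif stat.S_ISREG(st.st_mode) and mode & stat.S_IROTH:
            exposed.append((rel, "file readable (o+r)"))

    walk(root)
    return exposed


def restrict_to_group(root):
    """Harden the tree to owner+group only: 2770 on directories, 0660 on files.

    Assumption: the web-facing reader (setgid CGI or the web server itself)
    is in the archive's group; otherwise this breaks archive pages, as the
    report notes for a plain o-x on the top directory.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o2770)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                os.chmod(path, 0o660)


def build_sample_tree(base):
    """Construct a small tree with the default-install modes the report describes."""
    priv = os.path.join(base, "archives", "private")
    listdir = os.path.join(priv, "secret-list")
    mboxdir = os.path.join(priv, "secret-list.mbox")
    os.makedirs(listdir)
    os.makedirs(mboxdir)
    index = os.path.join(listdir, "index.html")
    mbox = os.path.join(mboxdir, "secret-list.mbox")
    with open(index, "w") as f:
        f.write("<html>private archive page (constructed sample)</html>\n")
    with open(mbox, "w") as f:
        f.write("From sample@example.invalid\nSubject: constructed sample\n\n")
    os.chmod(priv, 0o2771)        # o+x: the permission the report complains about
    os.chmod(listdir, 0o2775)     # per-list pipermail directory, world-listable
    os.chmod(mboxdir, 0o2775)
    os.chmod(index, 0o664)
    os.chmod(mbox, 0o664)
    return priv


def demo():
    """Audit the sample tree before and after hardening; returns both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        priv = build_sample_tree(tmp)
        before = exposed_entries(priv)
        restrict_to_group(priv)
        after = exposed_entries(priv)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, reason in before:
        print("exposed: %-40s %s" % (rel, reason))
    print("after hardening: %d exposed entries" % len(after))
```

Run against a real tree, exposed_entries() is the audit to keep: it reports the top directory itself as traversable (o+x without o+r), exactly the condition the report describes, and then every file beneath it that is o+r, which is how a local user who knows the list name reaches the archive without ever listing a directory.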


Comments ( 2 )

Date: 2002-06-05 09:00
Sender: argggh

Logged In: YES
user_id=387572

I'm not comfortable with this remaining unfixed. Is there any reason it couldn't be handled by doing

--- Mailman/Archiver/Archiver.py 15 Feb 2002 16:28:03
-0000 1.1
+++ Mailman/Archiver/Archiver.py 5 Jun 2002 08:54:18
-0000
@@ -250,8 +250,12 @@
self._internal_name + '.mbox')
privmbox = self.archive_directory + '.mbox'
if self.archive_private:
+ os.chmod(privdir, 02770)
+ os.chmod(privmbox, 02770)
breaklink(pubdir)
breaklink(pubmbox)
else:
+ os.chmod(privdir, 02775)
+ os.chmod(privmbox, 02775)
makelink(privdir, pubdir)
makelink(privmbox, pubmbox)
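Review bot: the two mbox lines, `os.chmod(privmbox, 02770)` and `os.chmod(privmbox, 02775)`, apply directory modes to a regular file; the setgid and execute bits gain nothing on the mbox (setgid on a plain file has filesystem-specific meaning), so 0660 / 0664 fits privmbox, with 02770 / 02775 kept for privdir. Also, the chmod only runs when this branch is reached, so archives created before the change keep whatever mode they already have until something re-enters this code; a one-off fix-up of existing lists is needed alongside the patch, and that should be stated with it.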

or something?



Date: 2002-04-11 22:40
Sender: bwarsaw

Logged In: YES
user_id=12800

I'm not inclined to fix this, since this arrangement is
crucial to the web security of private archives. Since
Mailman is usually run on mail and/or web servers that have
very limited access anyway, I don't consider this an
important vulnerability.




Changes ( 4 )

Field          Old Value   Date              By
status_id      Open        2002-04-11 22:40  bwarsaw
resolution_id  None        2002-04-11 22:40  bwarsaw
close_date     -           2002-04-11 22:40  bwarsaw
priority       5           2001-10-24 20:37  hpa