#384 SECURITY: Pipermail permissions problem

closed-wont-fix
nobody
Pipermail (108)
8
2002-04-11
2001-10-24
No

$mailman_root/archive/private is o+x in the default
installation. This allows anyone with local access to
the machine to read the archives of private mailing
lists, as long as they know the (trivial) structure of
the files beneath this directory.

I have verified that changing this directory to o-x
causes *all* pipermail pages to become inaccessible, so
that does not resolve the problem.

There presumably needs to be a setgid program involved
which can verify that the user is authenticated and
give access to the archives if appropriate; then that
directory can be made o-x.

Discussion

  • H. Peter Anvin

    H. Peter Anvin - 2001-10-24
    • priority: 5 --> 8
     
  • Barry Warsaw

    Barry Warsaw - 2002-04-11
    • status: open --> closed-wont-fix
     
  • Barry Warsaw

    Barry Warsaw - 2002-04-11

    Logged In: YES
    user_id=12800

    I'm not inclined to fix this, since this arrangement is
    crucial to the web security of private archives. Since
    Mailman is usually run on mail and/or web servers that have
    very limited access anyway, I don't consider this an
    important vulnerability.

     
  • Arne Georg Gleditsch

    Logged In: YES
    user_id=387572

    I'm not comfortable with this remaining unfixed. Is there
    any reason
    it couldn't be handled by doing

    --- Mailman/Archiver/Archiver.py 15 Feb 2002 16:28:03
    -0000 1.1
    +++ Mailman/Archiver/Archiver.py 5 Jun 2002 08:54:18
    -0000
    @@ -250,8 +250,12 @@
    self._internal_name + '.mbox')
    privmbox = self.archive_directory + '.mbox'
    if self.archive_private:
    + os.chmod(privdir, 02770)
    + os.chmod(privmbox, 02770)
    breaklink(pubdir)
    breaklink(pubmbox)
    else:
    + os.chmod(privdir, 02775)
    + os.chmod(privmbox, 02775)
    makelink(privdir, pubdir)
    makelink(privmbox, pubmbox)

    or something?

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks