$mailman_root/archive/private is o+x in the default
installation. This allows anyone with local access to
the machine to read the archives of private mailing
lists, as long as they know the (trivial) structure of
the files beneath this directory.

I have verified that changing this directory to o-x
causes *all* pipermail pages to become inaccessible, so
that does not resolve the problem.

There presumably needs to be a setgid program involved
which can verify that the user is authenticated and
give access to the archives if appropriate; then that
directory can be made o-x.
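An audit for the exposure described in the report, added here as an example (it is not part of the report or of Mailman's code): it lists the files under archive/private that a local user outside the owning user and group could open by exact path. The list names, file names and the 771/750 modes in the sample tree are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Mailman code. Run as root or as the archive owner.

# exposed_private_files DIR
# Prints every file under DIR that "other" could open by exact path:
# each directory from DIR down must be o+x and the file itself o+r.
# o+r on the directories is NOT required, which is why a guessable
# layout is enough. Assumes the parents of DIR are already traversable.
exposed_private_files() {
    find "$1" \( -type d ! -perm -0001 -prune \) -o \
              \( -type f -perm -0004 -print \)
}

# make_sample_tree
# Builds a constructed archive/private layout in a temp directory
# (all names below are invented) and prints the temp directory path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    priv="$root/archive/private"
    mkdir -p "$priv/staff/2003-May" "$priv/board"
    echo "constructed message" > "$priv/staff/2003-May/000001.html"
    echo "constructed message" > "$priv/board/index.html"
    chmod 644 "$priv/staff/2003-May/000001.html" "$priv/board/index.html"
    chmod 755 "$priv/staff" "$priv/staff/2003-May"
    chmod 750 "$priv/board"   # this list directory is closed to "other"
    chmod 771 "$priv"         # o+x, here without o+r (assumed mode)
    echo "$root"
}

root=$(make_sample_tree)
echo "reachable with archive/private o+x:"
exposed_private_files "$root/archive/private"
chmod o-x "$root/archive/private"
echo "reachable after chmod o-x:"
exposed_private_files "$root/archive/private"
rm -rf "$root"
```

The second listing is empty, but as the report notes, o-x on this directory also cuts off the pipermail pages, so the audit measures the exposure without settling the fix.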