Date:      Sat, 13 Jan 2001 01:09:28 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Mikhail Kruk <meshko@cs.brandeis.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Majordomo lists security
Message-ID:  <Pine.BSF.4.21.0101130107140.69511-100000@ren.sasknow.com>
In-Reply-To: <Pine.LNX.4.30.0101130148490.27661-100000@daedalus.cs.brandeis.edu>

Mikhail Kruk wrote to Ryan Thompson:

> That's all great, sarcasm on or off, but is there a list server which
> can be run securely on a multi-user machine? (I assume that just
> changing permissions on those files does not make majordomo secure. or
> does it??)

There ARE several more list managers in the ports collection, but, for
several administrative reasons, it would be nice for me (and others, too,
I'm sure) to stick with majordomo.  No one has told me how insecure the
others are, either ;-)

Changing permissions would (help to) prevent normal users from reading the
majordomo list configurations, passwords, and members.

- Ryan

> > Kris Kennaway wrote to Ryan Thompson:
> >
> > > On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> > > >
> > > > Hmm...  Maybe this has been answered before.
> > > >
> > > > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > > > world readable?  Does not just the "majordom" user/group ever read the
> > > > files contained therein?  Until now, I've never really had cause to play
> > > > with majordomo, but I was notably concerned when I saw the administrative
> > > > password for each list stored clear text in a predictable world readable
> > > > file/directory.  :-)
> > >
> > > From the makefile:
> > >
> > > .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
> > >         /usr/bin/dialog --yesno "Majordomo is unsafe to use on multi-user machines: local users can run arbitrary commands as the majordomo user. Do you wish to accept the security risk and build majordomo anyway?" 8 60 || ${FALSE}
> > > .endif
> > >
> > > Kris
> >
> > <sarcasm>
> >   Great!
> > </sarcasm>
> >
> > Thanks, Kris.
> >
> > I did tighten the permissions on the majordomo lists directories, which
> > has got to help... though user logins are disabled on the majordomo
> > machine, so one avenue of attack is closed (or at least severely hampered
> > :-).
> >
> > Can you (or someone, here) provide any suggestions or success stories
> > they've had with patches or permissions and majordomo?
> >
> > - Ryan
> >
> > --
> >   Ryan Thompson <ryan@sasknow.com>
> >   Network Administrator, Accounts
> >
> >   SaskNow Technologies - http://www.sasknow.com
> >   #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
> >
> >         Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
> >   Toll-Free: 877-727-5669     (877-SASKNOW)     North America
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> 
> 

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
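
The permission tightening discussed in this message, as an added example that is not part of the original e-mail or of the majordomo port: a POSIX sh audit that lists every entry under the lists directory granting any bit to "other", plus a function that strips those bits. The default path is the one named in the thread; the function names and the sample tree are hypothetical, and this only covers file permissions, not the Makefile's warning about local users running commands as the majordomo user.

```shell
#!/bin/sh
# Added example: audit "other" permissions on a majordomo lists directory.
# Default path is the one named in the thread; function names are hypothetical.
LISTS_DIR="${LISTS_DIR:-/usr/local/majordomo/lists}"

# Print every non-symlink entry under $1 (including $1 itself) that grants
# any read, write or execute bit to "other".
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries, as a bare integer.
world_accessible_count() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Remove all "other" bits; owner and group bits are left unchanged, so the
# owning user/group keeps whatever access it already had.
tighten() {
    chmod -R o-rwx "$1"
}

# Build a constructed sample tree with world-readable modes (755 directory,
# 644 files) and print its path. File contents are placeholders.
make_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/mjlists.XXXXXX") || return 1
    mkdir "$d/lists"
    printf 'constructed placeholder config\n' > "$d/lists/demo.config"
    printf 'user@example.org\n' > "$d/lists/demo"
    chmod 755 "$d/lists"
    chmod 644 "$d/lists/demo.config" "$d/lists/demo"
    printf '%s\n' "$d/lists"
}

# Report only when a directory is passed explicitly; nothing is changed
# unless tighten is called.
if [ "$#" -gt 0 ]; then
    world_accessible "$1"
fi
```

Run it with the lists directory as the argument to get the report, review the output, then call `tighten` on the same path as a user allowed to change those modes.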