Date: Sat, 13 Jan 2001 10:17:37 -0600 (CST) From: James Wyatt <jwyatt@rwsystems.net> To: Kris Kennaway <kris@FreeBSD.ORG> Cc: Ryan Thompson <ryan@sasknow.com>, freebsd-security@FreeBSD.ORG Subject: Re: Majordomo lists security Message-ID: <Pine.BSF.4.10.10101131002390.98425-100000@bsdie.rwsystems.net> In-Reply-To: <20010112222249.A28910@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 12 Jan 2001, Kris Kennaway wrote:
> On Sat, Jan 13, 2001 at 12:05:10AM -0600, Ryan Thompson wrote:
> > Hmm... Maybe this has been answered before.
> >
> > Is there a GOOD reason that, by default, /usr/local/majordomo/lists is
> > world readable? Does not just the "majordom" user/group ever read the
> > files contained therein? Until now, I've never really had cause to play
[ ... ]
> From the makefile:
>
> .if !defined(BATCH) && !defined(PACKAGE_BUILDING)
> /usr/bin/dialog --yesno "Majordomo is unsafe to use on multi-user machines: local users can run
> arbitrary commands as the majordomo user. Do you wish to accept the security risk and build majordomo
> anyway?" 8 60 || ${FALSE}
> .endif
This says *nothing* about allowing (very portable) passwords to leak, just
that they can run commands. Most users would take that to mean run such
commands *locally*, not remotely. - Jy@
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10101131002390.98425-100000>