Date: Fri, 11 Dec 1998 09:53:23 -0600 (CST)
From: Mike Jenkins <mjenkins@carp.gbr.epa.gov>
To: freebsd-net@FreeBSD.ORG
Subject: Re: majordomo
Message-ID: <199812111553.JAA27969@carp.gbr.epa.gov>
In-Reply-To: <13936.38339.37056.442305@avalon.east>

On Dec 10, Tony Kimball <alk@pobox.com> wrote:
> Well, yes. That's what group permissions are *for*, to allow
> the members of a given group to administer those parts of the system
> for which they are responsible. Sendmail and ppp are painfully,
> woefully ignorant of the meaning and value of group bits.

It is a security thing. Sendmail changes its uid/gid to those of the mailing list file when delivering (for root owned mailing list files it changes its uid/gid to option DefaultUser in sendmail.cf). If the directory is group writeable anyone in the group can change the mailing list files including ones they are not supposed to. They can add a program delivery like '| /tmp/create-suid-sh.sh' which is a simple shell script to create a suid shell of the owner of the mailing list file. This is all spelled out in the Security chapter of the Sendmail book (even the 1993 First Edition that I have).

I ran into this recently when I had a file delivery in a mailing list file. The file (/home/archives/somelist) had to be owned by the owner of the mailing list file or in the same group as the mailing list file and had to be writeable by the owner or group.

Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
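
An added example, not part of the message above and not sendmail's own code: a Python audit that flags a group- or world-writable list file or containing directory, and lists the program and file deliveries in the list file for review. The paths, the archiver program and the list contents are constructed, and the list-file parsing is simplified to a comma/newline split.

```python
import os
import stat
import tempfile

def audit_list_file(path):
    """Return findings for one mailing list file and the directory holding it."""
    findings = []
    directory = os.path.dirname(os.path.abspath(path))
    for label, target in (("directory", directory), ("list file", path)):
        mode = os.stat(target).st_mode
        if mode & stat.S_IWGRP:
            findings.append(f"{label} is group-writable: {target}")
        if mode & stat.S_IWOTH:
            findings.append(f"{label} is world-writable: {target}")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            # Simplified split: one or more comma-separated entries per line.
            for entry in line.split(","):
                entry = entry.strip().strip('"').strip()
                if entry.startswith("|"):
                    findings.append(f"line {lineno}: program delivery: {entry}")
                elif entry.startswith("/"):
                    findings.append(f"line {lineno}: file delivery: {entry}")
    return findings

def demo():
    """Audit a constructed list directory before and after tightening it."""
    with tempfile.TemporaryDirectory() as root:
        listdir = os.path.join(root, "lists")
        os.mkdir(listdir)
        listfile = os.path.join(listdir, "somelist")
        with open(listfile, "w") as fh:
            # Constructed sample list: two addresses, one file and one program delivery.
            fh.write("# constructed sample\nalice@example.org, bob@example.org\n"
                     "/home/archives/somelist\n"
                     "\"|/usr/local/bin/archiver somelist\"\n")
        os.chmod(listfile, 0o644)
        os.chmod(listdir, 0o775)   # group-writable directory, as in the message
        loose = audit_list_file(listfile)
        os.chmod(listdir, 0o755)   # only the owner may write
        tight = audit_list_file(listfile)
        return loose, tight

if __name__ == "__main__":
    for result in demo():
        print("\n".join(result), end="\n\n")
```

The delivery entries are reported in both runs because they deserve review regardless of permissions; only the directory finding disappears once group write is removed.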