[Pkg-mailman-hackers] Bug#356877: mailman: private archive dir permissions insecure
Max Bowsher
maxb1 at ukf.net
Tue Mar 14 15:23:13 UTC 2006
Package: mailman
Version: 2.1.7-1
Severity: important
Mailman's postinst currently contains the following command:
chmod o-r,o+x /var/lib/mailman/archives/private
The effect of o+x permissions on this directory is that ANY local user
has read access to ALL mailman mail archives, if they know or can guess
the name of the list.
This is a vulnerability if any mailing lists are intended to be
confidential.
The purpose of the o+x permissions is to allow www-data to serve up the
public archives.
Perhaps a method could be found which doesn't involve granting world
access to the archives?
Max.
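The permission condition the report describes, as an added example that is not part of the bug report or the Debian package: an audit that flags a world-searchable private archive root together with world-readable files beneath it, and the group-based alternative (0750 directories, 0640 files, group-owned by the web server's group, assumed here to be www-data) in place of world access. The sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def world_searchable(path):
    """True if 'other' holds the search (x) bit on a directory."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)

def audit_private_archive(root):
    """Return (kind, path) findings. A world-searchable root plus a
    world-readable file below it means any local user who guesses the
    list name can read that archive, even though listing root is denied."""
    if not world_searchable(root):
        return []
    findings = [("root-o+x", root)]
    for dirpath, dirnames, filenames in os.walk(root):
        # Only descend into sub-directories that others can search too.
        dirnames[:] = [d for d in dirnames
                       if world_searchable(os.path.join(dirpath, d))]
        for name in filenames:
            fpath = os.path.join(dirpath, name)
            if os.stat(fpath).st_mode & stat.S_IROTH:
                findings.append(("world-readable", fpath))
    return findings

def harden(root, gid=None):
    """Replace world access with group access (0750 dirs, 0640 files).
    gid: the web server's group (assumed www-data; needs privilege, so
    None leaves ownership alone and the example runs as any user)."""
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            os.chmod(p, 0o750 if os.path.isdir(p) else 0o640)
            if gid is not None:
                os.chown(p, -1, gid)

def build_sample_tree():
    """Constructed stand-in for archives/private after 'chmod o-r,o+x'."""
    root = os.path.join(tempfile.mkdtemp(), "private")
    txt = os.path.join(root, "secret-list", "2006-March.txt")
    os.makedirs(os.path.dirname(txt))
    with open(txt, "w") as f:
        f.write("constructed archive content\n")
    os.chmod(root, 0o771)  # drwxrwx--x: listing denied, traversal allowed
    os.chmod(os.path.dirname(txt), 0o755)
    os.chmod(txt, 0o644)
    return root

def demo():
    """Findings on the constructed tree before and after hardening."""
    root = build_sample_tree()
    before = audit_private_archive(root)
    harden(root)
    return before, audit_private_archive(root)
```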