[Pkg-mailman-hackers] Bug#356877: mailman: private archive dir permissions insecure

Roger Lynn Roger at rilynn.demon.co.uk
Wed Mar 15 11:05:34 UTC 2006


On 15/03/2006 07:34, Lionel Elie Mamane wrote:
> We're open to suggestions. That thing must be group list so that
> mailman can write there. Putting www-data as user would give www-data
> too much power there. We cannot put the files themselves non world
> readable, as Apache won't serve anything that isn't world-readable as
> far as I remember. The same holds for putting www-data in group list.

Could the world read and execute permissions be set on a per-list basis?
So the world read and execute permissions would be added to the
archives/private/list/ and archives/private/list.mbox/ directories when a
list's archives are made public and removed when they are made private, at
the same time as the archives/public/list links are created and removed.

Does anything other than the web server rely on world permissions to access
these files?

The appropriate place to do this would appear to be in CheckHTMLArchiveDir
at the end of Mailman/Archiver/Archiver.py.

Roger
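
The per-list toggle suggested in the message above, sketched as an added example; it is not part of the original message and is not Mailman's code. The function names and the `archive_root` parameter are hypothetical, and the audit assumes that each public archive has a link of the same name under archives/public/.

```python
import os
import stat

WORLD_RX = stat.S_IROTH | stat.S_IXOTH


def _list_dirs(archive_root, listname):
    """The two per-list directories named in the message."""
    private = os.path.join(archive_root, "private")
    return [os.path.join(private, listname),
            os.path.join(private, listname + ".mbox")]


def set_world_access(archive_root, listname, public):
    """Add world r-x when the list's archive is public, strip all
    world bits when it is private. Owner and group bits are kept."""
    result = {}
    for path in _list_dirs(archive_root, listname):
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            # Refuse symlinks and files: chmod would act on the target.
            raise ValueError("not a real directory: %s" % path)
        mode = stat.S_IMODE(st.st_mode)
        mode = (mode | WORLD_RX) if public else (mode & ~stat.S_IRWXO)
        os.chmod(path, mode)
        result[path] = mode
    return result


def audit(archive_root):
    """Return private-archive directories that are world-accessible
    although no archives/public/<name> link exists for them (assumed layout)."""
    exposed = []
    private = os.path.join(archive_root, "private")
    public = os.path.join(archive_root, "public")
    for name in sorted(os.listdir(private)):
        path = os.path.join(private, name)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        if os.path.lexists(os.path.join(public, name)):
            continue  # archive is published, world access is expected
        if stat.S_IMODE(st.st_mode) & stat.S_IRWXO:
            exposed.append(path)
    return exposed
```

Running `audit` before and after a change shows which private archives are still reachable by local users other than the web server.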