[Pkg-mailman-hackers] Bug#450927: Bug#450927: /var/log/mailman is drwxrwsr-x should be drwxrws---
Thijs Kinkhorst
thijs at debian.org
Sat Dec 1 15:14:01 UTC 2007
severity 450927 normal
tags 450927 pending
thanks
Hi Alexander,
> By default mailman creates /var/log/mailman readable by everyone. But
> some private information (at least subscribers list) may go there. So it
> should be created with rwxrws--- permissions. It's not very critical, but
> I think should be fixed even in etch (maybe not now, but with other
> issues if there will be any).
Thank you for the report. I agree that it would better not be publicly
readable.
However, I think the impact is quite low. There are no complete subscriber
lists, just the most recent subscriptions to lists; and the eavesdropper
needs to be a local user. Local users can already often deduce information
about who receives mail to a list, e.g. by using mailq.
But indeed, I've fixed it for the next package release. I will not update
sarge/etch however.
thanks,
Thijs
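
The permission change discussed in this message, as an added example that is not part of the original e-mail or of the Debian package: a POSIX shell sketch that lists log entries still accessible to "other", checks for the requested drwxrws--- mode, and tightens the directory. The function names and the `--audit` switch are assumptions made for this illustration; only the path /var/log/mailman comes from the report.

```shell
#!/bin/sh
# Added example (not the package's maintainer script).
# Audits a Mailman-style log directory for the issue in Bug#450927:
# mode drwxrwsr-x (2775) where drwxrws--- (2770) is wanted.

# Print every entry under $1, including $1 itself, that grants any
# read, write or execute/search bit to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed only if directory $1 has exactly mode 2770 (drwxrws---).
is_private() {
    [ -n "$(find "$1" -prune -type d -perm 2770 -print)" ]
}

# Remove all "other" bits below $1, then set the directory itself to
# 2770 so the setgid bit (group inheritance for new logs) is kept.
harden_logdir() {
    chmod -R o-rwx "$1" && chmod 2770 "$1"
}

# Report only; returns 0 when nothing is exposed to local users.
audit_logdir() {
    exposed=$(world_accessible "$1")
    if [ -n "$exposed" ]; then
        printf 'accessible to other:\n%s\n' "$exposed"
        return 1
    fi
    is_private "$1" || { printf '%s: mode is not 2770\n' "$1"; return 1; }
    printf '%s: ok\n' "$1"
}

# Hypothetical command-line switch: sh script.sh --audit [dir]
if [ "${1:-}" = "--audit" ]; then
    audit_logdir "${2:-/var/log/mailman}"
fi
```

Existing log files keep their owner and group; only the "other" bits are cleared, so the processes that already write to the directory are unaffected.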