[12848] in bugtraq
Re: Insecure default permissions for MailMan Professional Edition,
daemon@ATHENA.MIT.EDU (Christopher Schulte)
Fri Dec 3 20:13:33 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991203145837.A10887@schulte.org>
Date: Fri, 3 Dec 1999 14:58:37 -0600
Reply-To: Christopher Schulte <christopher@SCHULTE.ORG>
From: Christopher Schulte <christopher@SCHULTE.ORG>
X-To: Terry <bader@CS.ODU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199912021941.OAA11262@ocelot.cs.odu.edu>
Terry,
It should be quite possible to wrap the mailman cgi processes
to its own UID on the web server. CGI scripts do not have
to have the power and access of 'nobody' these days.
Indeed, mailman is NOT designed to be a complete secure email
system. Of this I am in total agreement. That does not,
however, mean that using Mailman is an immediate security
risk. There are usually many ways to secure a program.
Just because the DOCS do not tell you, does not mean you
should give up and either move to another product or
accept the risks.
Security is the responsibility of both the developer
and end user, imho. To trust one or the other with
absoluteness is a problem. Know the code you produce.
Know the code you use. If you don't know how to
audit code, then at least understand that there are other
ways of minimizing possible problems via many other
methods. Learn to identify, implement, and evaluate the
effectiveness of your security measures.
Then shoot for world peace. :-P
On Thu, Dec 02, 1999 at 02:41:08PM +0000, Terry wrote:
> jared,
>
> MailMan was intended as a comfort feature for users, an add-on per say. The
> extra ability to check email anywhere instead of having to logon to the
> system. It should not be used for absolute secure email use. If you use
> MailMan and your users have the ability to make and use cgi-scripts, then it
> will not matter what permissions you use. MailMan runs on your web-server and
> thusly it runs as 'nobody' or whatever name you have given the web-server.
> Also, your user's cgi's run as 'nobody' on the web server. So, if a user
> creates a cgi that can access files and directories as nobody via the web, then
> they can also access all the files that MailMan creates.
> So you see, Mailman is absolutely not your solution if you want the most secure
> email system. Yes changing the perms to 0600 and 0700 helps deter; however, it
> does not protect absolutely from within the system.
> If you wish a copy of a cgi script that I downloaded from the open web, that
> does execute commands as 'nobody', just email me at the above address.
--
I am Chris. Hi.
<!--#include mail="christopher@schulte.org" -->
<!--#include name="Christopher Schulte" -->
<!--#include site="www.schulte.org" -->
