On Mon, Nov 4, 2024 at 12:36 PM Gerald Vogt <vogt@spamcop.net> wrote:
On 04.11.24 09:13, Odhiambo Washington via Mailman-users wrote:
On Mon, Nov 4, 2024 at 10:34 AM Gerald Vogt <vogt@spamcop.net> wrote:
On your server it looks like this:
# ls -la /etc/mailman3
total 28
drwxr-xr-x.  2 root mailman   95 Oct 25 08:12 .
drwxr-xr-x. 99 root root    8192 Oct 29 07:42 ..
-rw-r--r--.  1 root mailman  266 Oct 25 07:37 gunicorn.conf
-rw-r-----.  1 root mailman   92 Nov 21  2023 mailman-hyperkitty.cfg
-rw-r-----.  1 root mailman  797 Sep  9 11:20 mailman.cfg
-rw-r-----.  1 root mailman 3015 Oct 25 08:12 settings.py
and it works just fine.
True, but making the mailman user own the files makes life easier when you operate from the virtualenv - you do not have to exit the virtualenv to edit the files in /etc/mailman3, and then re-enter the virtualenv.
The virtualenv doesn't change the current uid. That doesn't make a difference.
You do not have to give the mailman user sudoer rights. That's the whole point about the below:
sudo mkdir /etc/mailman3
sudo chown mailman:mailman /etc/mailman3
sudo chmod 755 /etc/mailman3
Well, that essentially was my question: why does the mailman user require sudo rights?
Mark did not say that the mailman user required sudo access. Please re-read what he said.
Why does it need to be able to write or change those files/directories? Except for the convenience which isn't a reason to weaken security.
Make me understand how the security is weakened. The Mailman user account has no password so cannot log in from outside. Even if it was able to log in, it will still end up only accessing $home and /etc/mailman3, no?
In respect to security, i.e. separation of the service user from write access to its core configuration files, it should not be done unless absolutely necessary.
Sorry, I didn't understand that.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
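
The two layouts discussed in this thread can be compared mechanically. The sh script below is an added example, not part of the original messages or of Mailman; it assumes the service user and group are both named mailman, and its sample input is constructed from the listing and the chown/chmod commands quoted above.

```shell
#!/bin/sh
# Added example. Assumes the service user and group are both "mailman".
# ACLs and supplementary group memberships are not considered.

# can_modify OWNER GROUP MODE SVC_USER SVC_GROUP
# Exit 0 if the service account can change an entry with this owner, group
# and octal mode (e.g. 640). Classes are checked owner, then group, then other.
can_modify() {
    perms=$((0$3 & 0777))
    # An owner can always chmod its own entry, so ownership alone is control.
    [ "$1" = "$4" ] && return 0
    if [ "$2" = "$5" ]; then bit=0020; else bit=0002; fi
    [ $(($perms & $bit)) -ne 0 ]
}

# audit SVC_USER SVC_GROUP
# Reads "OWNER GROUP MODE NAME" lines on stdin and prints each NAME the service
# account can modify. A writable directory is reported too: write access to it
# allows replacing the files inside even when the files are read-only.
audit() {
    while read -r f_owner f_group f_mode f_name; do
        if can_modify "$f_owner" "$f_group" "$f_mode" "$1" "$2"; then
            printf '%s\n' "$f_name"
        fi
    done
}

# Constructed input: the listing quoted in the thread, modes written in octal.
root_owned='root mailman 755 /etc/mailman3
root mailman 644 /etc/mailman3/gunicorn.conf
root mailman 640 /etc/mailman3/mailman-hyperkitty.cfg
root mailman 640 /etc/mailman3/mailman.cfg
root mailman 640 /etc/mailman3/settings.py'
# Constructed input: the directory after "chown mailman:mailman", "chmod 755".
svc_owned='mailman mailman 755 /etc/mailman3'

echo "root:mailman layout, entries mailman can modify:"
printf '%s\n' "$root_owned" | audit mailman mailman
echo "mailman:mailman directory, entries mailman can modify:"
printf '%s\n' "$svc_owned" | audit mailman mailman
```

On a host with GNU stat, the same lines can be produced with `stat -c '%U %G %a %n' /etc/mailman3 /etc/mailman3/*` and piped into `audit mailman mailman`.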