On Sat, Oct 5, 2019, at 7:27 AM, Stephen J. Turnbull wrote:
Jonas Meurer writes:
This is the issue. I don't know how the Debian packages do this, but I recommend having a 'mailman' user that owns everything and running commands as that user.
The Debian package uses user
list
for this. It also provides a commandmailman-wrapper
which takes care of running mailman commands as this user.
Is this wrapper a sort of alias to sudo -u list mailman
or something more than that?
It would be awesome if the upstream /usr/bin/mailman command could take care of this automatically, making the wrapper command obsolete.
What precisely is "this"? We already have the mailman command; are you suggesting it should be suid/sgid mailman/list/whatever? That's pretty obviously a vulnerability. If there are any RCEs *anywhere* on your host, your Mailman is pwned. If you know your installation is secure enough or you just don't care, fine, chmod it yourself.
If not, how do you propose upstream "take care of it?"
Steve
-- Associate Professor Division of Policy and Planning Science http://turnbull.sk.tsukuba.ac.jp/ Faculty of Systems and Information Email: turnbull@sk.tsukuba.ac.jp University of Tsukuba Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
-- thanks, Abhilash Raj (maxking)