[ copied to majordomo-workers for discussion of security issues raised ]
[ Elvidge Mothibi writes: ]
> I am running a mailing list (using majordomo 1.93, perl 4.036) on system V,
> and after making changes to archive files (that is, files retreivable by the
> GET command), if I try to execute the CHOWN and CHGRP commands, I get error
Some systems comply with POSIX and don't allow anyone other than root
to change the owner uid of files. Similarly, a user must be a member of
the target group or root to change the owner gid of a file.
I ran into a similar problem on SVR4 and ended up changing wrapper.c to
renounce all but POSIX_GID and mail (instead of all but POSIX_GID) so
that things run under wrapper could chgrp() to mail so that sendmail
could read the files (owned by gid mail) without allowing world access
to the file. It's a potential system security issue, but probably better
than mj *running* as gid mail or allowing world access to my mail lists.
Dave Wolfe *Not a spokesman for Motorola* (512) 891-3246
Motorola MMTG 6501 Wm. Cannon Dr. W. OE112 Austin TX 78735-8598