
en - Re: [sympa-users] newaliases

Subject: The mailing list for listmasters using Sympa

  • From: Olivier Salaün - CRU <address@concealed>
  • To: Peter Farmer <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] newaliases
  • Date: Thu, 03 Aug 2006 14:11:06 +0200

Apparently the aliases and aliases files don't need to be owned by root. Only the directory where they live needs to be owned by root. Therefore the standard Sympa location for the sympa_aliases file is fine, i.e. /etc/mail/.

Note that there are still some requirements regarding the rights on both sympa_aliases and sympa_aliases.db files; we've got to document these one day.

All this is based on our experience with sendmail 8.13.6.

Peter Farmer wrote:

This is a common sendmail security issue - I found out the hard way a long
time ago 8-).

The aliases file and its database files (generated by newaliases) must be
owned by root and writable only by root AND they must live in a directory,
every path component of which is owned by and writable only by root.

If database files are not protected this way, attackers can create private aliases files and then run 'sendmail -oA./aliases -bi' to create a bogus database that can be copied over (or delete and replace) the original.
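
An audit of the ownership rule discussed in this thread, as an added example that is not part of the original messages or of Sympa. The names `audit_alias_path`, `trusted_uid`, `stop_at` and `check_file_owner` are hypothetical; `check_file_owner=False` corresponds to the reply's observation (sendmail 8.13.6) that only the directory needs to be owned by root.

```python
import os
import stat
from pathlib import Path

def audit_alias_path(alias_file, trusted_uid=0, stop_at="/", check_file_owner=True):
    """Return (path, problem) findings for an aliases file, its .db and parent dirs."""
    target = Path(os.path.realpath(alias_file))
    stop = Path(os.path.realpath(stop_at))
    # Files to check: the aliases source and the database newaliases builds from it.
    files = [target, target.with_name(target.name + ".db")]
    # Directories to check: every path component from the file's directory up to stop.
    dirs = []
    for d in target.parents:
        dirs.append(d)
        if d == stop:
            break
    findings = []
    for p in files + dirs:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            if p == target:
                findings.append((str(p), "missing"))
            continue  # an absent .db (newaliases not run yet) is not reported
        is_file = p in files
        # Ownership: always enforced on directories, optionally on the files.
        if st.st_uid != trusted_uid and (check_file_owner or not is_file):
            findings.append((str(p), f"owned by uid {st.st_uid}, expected {trusted_uid}"))
        # Write access for group or other lets a non-owner replace the content.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((str(p), f"group/other writable (mode {mode:o})"))
    return findings

if __name__ == "__main__":
    # /etc/mail/sympa_aliases is the location named in the reply above.
    for path, problem in audit_alias_path("/etc/mail/sympa_aliases"):
        print(f"{path}: {problem}")
```

An empty result means every checked component is owned by `trusted_uid` and writable only by its owner.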




