Majordomo Local -C Parameter Vulnerability
Solution: A temporary solution is to chmod o-x the majordomo binary. This will prevent users who are not in group majordomo from executing it.

It is easily possible to remove all interactive access to all the pieces of the majordomo software, even if you are using smrsh, without modifying the majordomo software itself:

* set the group id in majordomo's Makefile to group 'mail' (assuming your setup is the same as RedHat's and mail is delivered as mail.mail on your OS; check it with a script that runs 'id')
* remove world r-x on majordomo's home dir and its contents
* remove world r-x on the list dir and its contents
* keep the symbolic link to wrapper so that smrsh still works, if you have that installed with your sendmail

Great Circle Associates Majordomo 1.94.5
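The two "remove world r-x" steps can be applied and then verified with a short shell script. This is an added example, not part of the original advisory or of the Majordomo distribution; the function names are made up for illustration, and the directories are passed as arguments because the advisory does not give their paths.

```shell
#!/bin/sh
# Added example: strip world read/execute from Majordomo directories
# and confirm that nothing world-accessible is left behind.
# Usage (paths are placeholders for your own install):
#   sh lockdown.sh /path/to/majordomo/home /path/to/list/dir

# Print every entry under $1 that still has world read (004) or
# world execute (001) set. Symbolic links are skipped, so the
# wrapper link used by smrsh is neither reported nor changed.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -001 \) -print
}

# Remove world r-x from $1 and everything below it, then succeed
# only if the audit above comes back empty.
lock_down() {
    chmod -R o-rx "$1" || return 1
    [ -z "$(world_accessible "$1")" ]
}

# Apply to each directory given on the command line and report
# anything that could not be locked down.
for dir in "$@"; do
    if lock_down "$dir"; then
        echo "ok: no world r-x under $dir"
    else
        echo "FAIL: world-accessible entries remain under $dir:" >&2
        world_accessible "$dir" >&2
    fi
done
```

Run it as a user allowed to chmod the files, and re-run `world_accessible` after upgrades or list creation to catch permissions that have drifted back.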