Stephen Gran wrote:
This one time, at band camp, Olivier Salaün said:
Starting with version 5.2, Sympa comes with a wrapper for wwsympa.fcgi
that makes it possible for wwsympa.fcgi to run as the 'sympa' user using SuDo. For
compatibility reasons this is not the default Sympa setup but it could
be the default Debian setup.
Check the related documentation:
http://www.sympa.org/wiki/manual/web-interface#web_server_setup

Apache has its own suexec method. Why can't it use that?

Debian's suexec uses /var/www as document root while the CGI scripts
are in /usr/lib/cgi-bin.

Aside from this, sympa comes with 2 suid elf executables, which seems
like a recipe for security problems. They appear to only be necessary
for queue injection, in which case I would prefer to just run the pipe
as the sympa user and not use suid binaries. I don't know if that's
possible or not for upstream, but on Debian, where exim4 is the default
MTA, it certainly is.

Report this as separate bug please.

Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team