---

Home Infrastructure

FreeBSD Ports Security Advisory: FreeBSD-SA-00:28.majordomo

By

Date: Wed, 5 Jul 2000 16:08:22 -0700
From: FreeBSD Security Advisories security-advisories@freebsd.org

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Ports Security Advisory:
FreeBSD-SA-00:28.majordomo

-----BEGIN PGP SIGNED MESSAGE-----


FreeBSD-SA-00:28                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          majordomo is not safe to run on multi-user machines

Category:       ports
Module:         majordomo
Announced:      2000-07-05
Affects:        Ports collection.
Corrected:      See below
Vendor status:  Problem documented
FreeBSD only:   NO

I. Background

Majordomo is a popular mailing-list manager.

II. Problem Description

Majordomo contains a number of perl scripts which are executed
by a setuid wrapper for providing mailing-list management
functionality. However there are numerous weaknesses in these
scripts which allow unprivileged users to run arbitrary commands as
the majordomo user, as well as obtaining read and write access to
the mailing list data.

The majordomo port is not installed by default, nor is it “part
of FreeBSD” as such: it is part of the FreeBSD ports collection,
which contains over 3400 third-party applications in a
ready-to-install format.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Unprivileged local users can run commands as the ‘majordomo’
user, including accessing and modifying mailing-list subscription
data.

If you have not chosen to install the majordomo port/package,
then your system is not vulnerable to this problem.

IV. Workaround

Deinstall the majordomo port/package, if you you have installed
it, or limit the permissions of the majordomo/ directory and/or its
contents appropriately (see below).

V. Solution

Since the vendor has chosen not to fix the various security
holes in the default installation of majordomo, there is no simple
solution. It may be possible to adequately secure the majordomo
installation while retaining required functionality, by tightening
the permissions on the /usr/local/majordomo directory and/or its
contents, but these actions are not taken by the FreeBSD port and
are beyond the scope of this advisory.

Instead we recommend that majordomo not be used on a system
which contains untrusted users, or an alternative mailing-list
manager be used. There are several such utilities in the FreeBSD
ports collection.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGsGFUuHi5z0oilAQFUtgP9Gwb/h0AFJB8RH9LkE3zlmaTfePGGnIgk
/SBux8RBiwPnEw4M25mZt26eV6Bd/MIdN8Gnb7q551TD8nrZu0N6//vi5w8uM5/l
itRXtnE4FfqERWOTOt25b8N0kCtqESqGMPMyA1m1x+7wFHpq1B69gsQl8MbohUr5
NlLkkEu6AQI=
=EkWc
-----END PGP SIGNATURE-----

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.