| author | bwarsaw | 1999-11-24 23:05:00 +0000 |
|---|---|---|
| committer | bwarsaw | 1999-11-24 23:05:00 +0000 |
| commit | 5cf5ff4e55b031df19cec2dbadf17301eedca793 (patch) | |
| tree | 5c130ff4b7deb46342aabb1993dcbb10b96fb125 | |
| parent | 373903d4d681b013929715f8767aa3b963be6911 (diff) | |
checkarchivedbs(): New permissions test which makes sure that
archives/private/<listname>/database is other 000.
| -rwxr-xr-x | bin/check_perms | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/bin/check_perms b/bin/check_perms
index e1b8908f2..db321f1a1 100755
--- a/bin/check_perms
+++ b/bin/check_perms
@@ -104,6 +104,26 @@ def checkarchives():
 print
+def checkarchivedbs():
+ # The archives/private/listname/database file must not be other readable
+ # or executable otherwise those files will be accessible when the archives
+ # are public. That may not be a horrible breach, but let's close this off
+ # anyway.
+ for dir in os.listdir(mm_cfg.PRIVATE_ARCHIVE_FILE_DIR):
+ if dir[-5:] == '.mbox':
+ continue
+ dbdir = os.path.join(mm_cfg.PRIVATE_ARCHIVE_FILE_DIR, dir, 'database')
+ mode = statmode(dbdir)
+ if mode & S_IRWXO:
+ STATE.ERRORS = STATE.ERRORS + 1
+ print dbdir, 'must be other 000'
+ if STATE.FIX:
+ print '(fixing)'
+ os.chmod(dbdir, mode & ~S_IRWXO)
+ else:
+ print
+
+
 def checkcgi():
 exes = os.listdir(mm_cfg.CGI_DIR)
 for f in exes:
@@ -177,6 +197,7 @@ if __name__ == '__main__':
 checkall()
 checkarchives()
+ checkarchivedbs()
 checkcgi()
 checkmail()
 checkadminpw() |
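Review bot: `statmode(dbdir)` in checkarchivedbs() runs for every non-`.mbox` entry under `mm_cfg.PRIVATE_ARCHIVE_FILE_DIR` without first checking that a `database` entry exists there. statmode is defined outside this hunk, but if it wraps os.stat(), a list that has never been archived or a stray file in that directory would presumably raise and abort the remaining checks (checkcgi(), checkmail(), checkadminpw()), so a single missing path would hide every later permission finding. Consider adding `if not os.path.exists(dbdir): continue` before the stat, or catching `os.error` around it and counting it as an error. Separately, os.chmod() follows symlinks, so when STATE.FIX is set a `database` symlink would have its target's mode changed; an `os.path.islink(dbdir)` check that reports the link instead of fixing it would be the safer behaviour. The loop variable `dir` also shadows the builtin and could be renamed to something like `listname`.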
