You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A robot listmaster is able to copy a template and set scope to "site".
Version
6.2.40~dfsg-1+deb10u1
Installation method
Debian Buster package
Expected behavior
Robot listmasters should only be able to copy & edit templates in the robot and lists scope, not site scope. Only the Super listmasters should be able to change site (global) templates.
Actual behavior
A robot listmaster is able to copy a template and set scope to "site". The changes are then visible in all robots, even if they're not managed by the same robot listmaster.
Workaround
Remove write permissions to /etc/sympa/web_tt2. This will prevent robot listmaster from writing files to this directory. As the global listmaster is probably also the server admin, the server admin can write files to this directory.
The text was updated successfully, but these errors were encountered:
Thanks a lot. I did not have a test server at hand so quickly and the production server is hard to patch as it is running with the Debian Buster package.
A robot listmaster is able to copy a template and set scope to "site".
Version
6.2.40~dfsg-1+deb10u1
Installation method
Debian Buster package
Expected behavior
Robot listmasters should only be able to copy & edit templates in the robot and lists scope, not site scope. Only the Super listmasters should be able to change site (global) templates.
Actual behavior
A robot listmaster is able to copy a template and set scope to "site". The changes are then visible in all robots, even if they're not managed by the same robot listmaster.
Workaround
Remove write permissions to
/etc/sympa/web_tt2
. This will prevent robot listmaster from writing files to this directory. As the global listmaster is probably also the server admin, the server admin can write files to this directory.The text was updated successfully, but these errors were encountered: