LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Peter 'Rattacresh' Backes <[log in to unmask]>
Mon, 3 Jul 2000 23:14:32 +0200
Hi,

On UNIX platforms, when LISTSERV is started, the go script redirects
its output into a listserv.log file.  However because there is
neither an umask 600 command nor a touch listserv.log; chmod 600
sequence in it, the file is generally world readable.  This leads to
local users being able to spy passwords when someone sends a password
protected command.  signup.fileX is also created world readable so
they can have all passwords at once.  In contrast, the memo files as
shipped are only readable by listserv and its group, and some of
them further have the +x bit set.

I'd recommend the developers to touch; chmod 600 the log file before
it is being redirected to in the shipped script, further to create
signup files with 0600 (man open on your unix box) and to ease memo
permissions resp. remove those strange +x bits in the standard
distribution. Or have I missed something in the documentation and all
those permissions are required to be set the way they are by default?

BTW, when I recently studied the LISTSERV classic trial version, I
met the following line in service.names which looks like a Y2K
problem to me: :service1.SN_NEXT 191000101

-- Peter 'Rattacresh' Backes, [log in to unmask]
   TURN OFF AUTO-QUOTING OF THE WHOLE TEXT IF YOU REPLY!!!
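
The hardening suggested in the message above, sketched as an added shell example (not code from the post or from LISTSERV's go script; the function names and the files in the temporary directory are constructed for illustration). It uses umask 077, the mask under which newly created files get mode 0600, and also tightens a log file that already exists.

```shell
#!/bin/sh
# Added example. Function names and sample files are hypothetical.

# Make sure a log file exists and is owner-only BEFORE output is redirected
# into it. The subshell keeps the umask change from leaking to the caller.
secure_log() {
    log=$1
    (
        umask 077          # new files are created 0600
        : >>"$log"         # create if missing; append mode never truncates
    ) || return 1
    chmod 600 "$log"       # also tighten a file left behind with 0644
}

# Run a command with stdout and stderr appended to a protected log.
run_logged() {
    log=$1; shift
    secure_log "$log" || return 1
    "$@" >>"$log" 2>&1
}

# List regular files under a directory that "other" users can read.
audit_world_readable() {
    find "$1" -type f -perm -004 -print
}

# Demonstration on constructed files in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    # Reproduce the reported situation: files created under a 022 umask.
    ( umask 022
      echo "constructed log line" >"$d/listserv.log"
      echo "constructed signup data" >"$d/signup.fileX" )
    echo "world-readable before:"; audit_world_readable "$d"
    secure_log "$d/listserv.log"
    chmod 600 "$d/signup.fileX"
    echo "world-readable after:";  audit_world_readable "$d"
    rm -rf "$d"
}

demo
```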
