Jan. 5, 2009
6:12 p.m.
Mark> The answer is to use strong passwords, and if you are really
Mark> concerned, don't advertise any lists and remove Mailman's
Mark> cgi-bin/create wrapper so lists can't be created from the web, or
Mark> alternatively just don't set site admin or list creator passwords
Mark> or remove data/adm.pw and data/creator.pw to remove those set
Mark> previously.
I suspect the default should be to not expose those things. I wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion, I suspect many potential Mailman admins are unaware of this as well. I fear those admins are also the ones most likely to not create strong passwords.
Maybe all that's necessary is to install cgi-bin/create as cgi-bin/create.disabled by default, set its permissions to not allow execution and add a note to the installation docs about the consequences of through-the-web list creation and how to set it up.
Skip
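A small POSIX shell helper for the change discussed above, added here as an example (it is not part of the thread or of Mailman's own code): it reports whether through-the-web list creation is reachable and applies the rename-plus-no-execute fix Skip proposes. It assumes the layout named in the thread under a hypothetical install root PREFIX (PREFIX/cgi-bin/create, PREFIX/data/adm.pw, PREFIX/data/creator.pw) and treats a missing or empty password file as "not set".

```shell
#!/bin/sh
# Audit and disable Mailman's through-the-web (TTW) list creation.
# PREFIX is an assumption: the Mailman install root (e.g. /usr/local/mailman).
# Paths follow the thread: cgi-bin/create, data/adm.pw, data/creator.pw.

# Print "enabled" and return 0 when TTW creation is reachable, i.e. the
# create wrapper is executable AND a site-admin or list-creator password
# is set (non-empty .pw file); otherwise print "disabled" and return 1.
ttw_create_status() {
    prefix=$1
    wrapper="$prefix/cgi-bin/create"
    exposed=1
    if [ -x "$wrapper" ]; then
        if [ -s "$prefix/data/adm.pw" ] || [ -s "$prefix/data/creator.pw" ]; then
            exposed=0
        fi
    fi
    if [ "$exposed" -eq 0 ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
    return "$exposed"
}

# Apply Skip's proposal: rename the wrapper to create.disabled and strip all
# execute bits. Idempotent. Returns 0 once nothing executable remains at the
# original wrapper path.
disable_ttw_create() {
    prefix=$1
    wrapper="$prefix/cgi-bin/create"
    if [ -e "$wrapper" ]; then
        mv "$wrapper" "$wrapper.disabled" || return 1
    fi
    if [ -e "$wrapper.disabled" ]; then
        chmod a-x "$wrapper.disabled" || return 1
    fi
    [ ! -x "$wrapper" ]
}
```

Run `ttw_create_status PREFIX` before and after `disable_ttw_create PREFIX` to confirm the web-facing path is closed; the password files are left untouched so the command-line newlist path keeps working.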