Umbrella List + Monthly Password Reminders = List Security Issue?

Greetings -
Can someone help me with this please?
We are using Mailman 2.1.8 under Sun Solaris 10 (SPARC).
We have a small number of umbrella lists, each with (only) other lists subscribed as their members. A fictional example:
The umbrella list
all-depts@lists.york.ac.uk
has members
astronomy-dept@lists.york.ac.uk
dentistry-dept@lists.york.ac.uk
geography-dept@lists.york.ac.uk
The umbrella list is set up with:
Send password reminders to, eg, "-owner" address instead of directly to
user. (Details for umbrella_list)
YES
Suffix for use when this list is an umbrella for other lists, according
to setting of previous "umbrella_list" setting. (Details for
umbrella_member_suffix)
-owner
Posting through the umbrella and member lists is working fine.
However, I've just found that the monthly password reminders for the umbrella lists have been sent out to the subscribed member-list addresses. I was instead expecting them to go to these list names suffixed "-owner" and hence to the member-lists' owners only.
This means that every person belonging to, say, astronomy-dept now knows the membership password used to subscribe it to the all-depts umbrella list! :-(
The monthly reminders are sent out using the Mailman script cron/mailpasswds and executed from cron.
I'm not a Python programmer (yet) but can manage to read the stuff and, as far as I can see, there is NOTHING in cron/mailpasswds to spot umbrella lists and send their monthly reminder to
memberlist-owner@lists.york.ac.uk
instead of the subscribed address
memberlist@lists.york.ac.uk
All the documentation I've read and help pages I've managed to locate give no clue of this behaviour. Instead they strongly imply that by setting the umbrella_list setting to YES, "password reminders" are sent to the list's owners by adding the specified suffix (typically "-owner") to each member's address.
I'm now wondering if this is actually referring only to the "Please remind me of my password" link, not the monthly reminder. If so then a huge warning needs adding to the FAQ and documentation about umbrella lists advising admins NOT to turn on the monthly reminders for umbrella lists in order to avoid this big security issue.
Or am I missing something/have something misconfigured?
Cheers,
Mike Brudenell
-- 
The Computing Service, University of York, Heslington, York YO10 5DD, UK
Tel: +44-1904-433811 FAX: +44-1904-433740
* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
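To make the failure mode above concrete, here is an added standalone model (example code, not Mailman's own cron/mailpasswds) of how reminder recipients are chosen for the fictional all-depts umbrella: once with the 2.1.8 behaviour the post describes (the sublist address itself receives the reminder) and once applying the umbrella "-owner" suffix rule, plus an audit helper that flags umbrella lists with monthly reminders still enabled. The list records, passwords and member addresses are constructed for illustration.

```python
# Added example (not Mailman code): a standalone model of how cron/mailpasswds
# chooses reminder recipients, run on the fictional lists from the post.
# List records, passwords and member addresses below are constructed.

def admin_email(member, umbrella_list, suffix):
    """Umbrella rule: for an umbrella list, administrative mail such as a
    password reminder goes to <local-part><suffix>@<host>, i.e. to the
    owners of the subscribed sublist, never to the sublist itself."""
    if not umbrella_list:
        return member
    acct, host = member.split("@", 1)
    return "%s%s@%s" % (acct, suffix, host)


def reminder_recipients(lists, apply_umbrella_rule):
    """Group one (listaddr, password) reminder per recipient address.
    apply_umbrella_rule=False models the unpatched behaviour from the post:
    the subscribed sublist address is the recipient."""
    userinfo = {}
    for lst in lists:
        if not lst["send_reminders"]:
            continue
        for member, password in lst["members"].items():
            recipient = member
            if apply_umbrella_rule:
                recipient = admin_email(member, lst["umbrella_list"],
                                        lst["umbrella_member_suffix"]).lower()
            userinfo.setdefault(recipient, []).append((lst["listaddr"], password))
    return userinfo


def leaking_umbrellas(lists):
    """Audit check: umbrella lists that still send monthly reminders, which
    under the unpatched behaviour mail the membership password to every
    subscriber of each sublist."""
    return [l["listaddr"] for l in lists
            if l["umbrella_list"] and l["send_reminders"]]


LISTS = [  # constructed sample, modelled on the post's fictional umbrella
    {"listaddr": "all-depts@lists.york.ac.uk", "umbrella_list": True,
     "umbrella_member_suffix": "-owner", "send_reminders": True,
     "members": {"astronomy-dept@lists.york.ac.uk": "secret-astro",
                 "dentistry-dept@lists.york.ac.uk": "secret-dent"}},
    {"listaddr": "astronomy-dept@lists.york.ac.uk", "umbrella_list": False,
     "umbrella_member_suffix": "-owner", "send_reminders": True,
     "members": {"alice@example.org": "alice-pw"}},
]

if __name__ == "__main__":
    print("unpatched recipients:", sorted(reminder_recipients(LISTS, False)))
    print("with umbrella rule:", sorted(reminder_recipients(LISTS, True)))
    print("umbrella lists with reminders on:", leaking_umbrellas(LISTS))
```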

Mike Brudenell wrote:
I think you are correct. I think cron/mailpasswds should be fixed. I don't know how this has been ignored for so long. In the meantime, I think the following (Warning - totally untested and watch out for wrapped lines) patch will fix it.
--- mailpasswds 2006-04-15 17:38:24.000000000 -0700 +++ mailpasswdsx 2006-06-01 07:30:07.843750000 -0700 @@ -162,6 +162,8 @@ optionsurl = mlist.GetOptionsURL(member) lang = mlist.getMemberLanguage(member) info = (listaddr, password, optionsurl, lang) + if mlist.umbrella_list: + member = mlist.GetMemberAdminEmail(member).lower() userinfo.setdefault(member, []).append(info) # Now that we've collected user information for this host, send each # user the password reminder.
-- 
Mark Sapiro <msapiro@value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
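Review bot: the added `member = mlist.GetMemberAdminEmail(member).lower()` reassigns the loop variable after `info = (listaddr, password, optionsurl, lang)` has already been built, so the reminder content still describes the sublist's own subscription while the `userinfo` key, and hence the recipient, becomes the `-owner` address; that is the intended effect, but a short comment on that line would help, since anything later in the same iteration that reads `member` now sees the owner address rather than the subscribed one. Also worth checking whether `GetMemberAdminEmail` already returns the address unchanged when `umbrella_list` is off, in which case the `if mlist.umbrella_list:` guard is redundant and the two lines can collapse to one. Given the "totally untested" caveat, a dry run against one umbrella list that confirms the resulting keys end in the configured `umbrella_member_suffix` before the next monthly cron run would be the natural verification.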
