Viewing Full Subscriber & Subscriber Security
Hi, I'm new to the list, though I undoubtedly know some of you from other list management lists. I am in the process of migrating my mailing lists from majordomo on a friend's server to mailman at sonic.net.
I have many questions which I haven't been able to answer by reading the FAQ's. Some are specific to Sonic most likely and I post those to the Sonic usenet group for mailman, though it's a slow group.
My first question is about how to view my subscriber list. It's not a problem for the small lists. I simply go to that page in the interface and there everyone is.
Unfortunately, once membership hits a certain level, mailman won't provide the full list. Now I have to look by letter. So instead of viewing my subscriber list in one fell swoop, I need to do it 26 times.
The FAQ taught me about the roster page, which is cool, but it just gives the list of names, divided by regular and digest. I can't do things like page down to see who to unmoderate. See: http://lists.sonic.net/mailman/roster/lcveg
Is there a way to see the entire membership list with all the interactive boxes I get as an admin?
Is this a setting on the ISP's end? Can they make the option available? Or at least raise the threshold for putting the list into letter-only status?
Then there is a security question. When I got the roster (requiring no password), each name on the list was clickable. When I clicked on a name, it took me to the subscription page for that person. Without requiring a password. When I did it for my own name I figured that my password was just in a cookie. But it works for a random name too.
Of course, the roster page should be passworded too...is it really possible for anyone to view my subscriber list? Can those of you who don't have a Sonic IP view it?
The addresses may be changed so they're harder for spammers to harvest but they're full addresses that can easily be changed to proper emails. Like with a lot of lists, there are problems with small-time spammers wanting access to subscribers but we also have troublemakers. I don't want my subscribers' email addresses visible to anyone but me. And the subscription settings shouldn't be accessible to just anyone either.
Are there settings on my end that I need to re-do? Are there settings on Sonic's end?
Thanks, Cyndi
Cyndi Norwitz wrote:
> Is there a way to see the entire membership list with all the interactive boxes I get as an admin?
> Is this a setting on the ISP's end? Can they make the option available? Or at least raise the threshold for putting the list into letter-only status?
There are bug reports and feature requests in the sourceforge tracker about this and lots of email in the archives. I'm embarrassed to say one of the bug reports is mine and I've never fixed it. See <http://sourceforge.net/tracker/index.php?func=detail&aid=1072002&group_id=103&atid=100103>, <http://sourceforge.net/tracker/index.php?func=detail&aid=782436&group_id=103&atid=350103> and <http://www.google.com/search?q=site%3Amail.python.org++inurl%3Amailman++admi...>
The short answer is the Mailman admins at the ISP have to do it. There is a site configuration setting DEFAULT_ADMIN_MEMBER_CHUNKSIZE which defaults to 30 and sets the list's admin_member_chunksize attribute at list create time. This in turn is the number above which the membership is 'chunked'.
This can be changed for a list by running
bin/config_list -i <input_file> <listname>
with an input file containing the single line
admin_member_chunksize = 200
or whatever number you want, but this has to be done by someone with command line access to the installation.
> Then there is a security question. When I got the roster (requiring no password), each name on the list was clickable. When I clicked on a name, it took me to the subscription page for that person. Without requiring a password. When I did it for my own name I figured that my password was just in a cookie. But it works for a random name too.
If this were a real security issue, it should be posted per <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp> (see Security Policy in the list footer), but I don't think it is.
> Of course, the roster page should be passworded too...is it really possible for anyone to view my subscriber list? Can those of you who don't have a Sonic IP view it?
The roster can be set on Privacy options...->Subscription rules->private_roster to be viewable by Anyone, List members or the List admin only. Even if it is viewable by anyone, the links to a user's options page will normally take one to the user's login page.
If you clicked a random name and got to the user's actual options page, you had the list admin cookie which allows you to visit any user's options page.
> Are there settings on my end that I need to re-do? Are there settings on Sonic's end?
Yes, you need to be sure that Privacy options...->Subscription rules->private_roster is set to List members or List admin only as you prefer.
You also have to recognize that once you've logged in to the admin interface for a list, you have the admin cookie for the duration of your browser session unless you explicitly log out from the admin interface. With that cookie, you can visit any user's options page from the roster (and change their options), just as you can from the admin membership list.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
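The two settings Mark points to above (admin_member_chunksize, which needs command-line access, and private_roster, which the list admin can set) can also be audited and changed in one pass with a bin/withlist script. The following is an added example written for this thread; it is not code from the thread or from the Mailman project. The list name lcveg, the target chunk size of 200, and the _StandInList class used to run the script offline are assumptions made for the example; on a real installation withlist passes the actual MailList object instead.

```python
"""Added example: a bin/withlist script for Mailman 2.1 that audits and fixes
roster visibility and membership chunking for one list.

Run on the Mailman host (withlist imports this module, locks the list when
given -l, and calls the named function with the MailList object):

    bin/withlist -l -r roster_hardening.audit  lcveg
    bin/withlist -l -r roster_hardening.harden lcveg

The list name, the chunk size of 200 and the _StandInList class used for the
offline demo are assumptions made for this example.
"""

# Mailman 2.1 stores private_roster as an integer:
# 0 = Anyone, 1 = List members, 2 = List admin only (see Mailman/Defaults.py).
ROSTER_ANYONE, ROSTER_MEMBERS, ROSTER_ADMIN_ONLY = 0, 1, 2
ROSTER_NAMES = {ROSTER_ANYONE: 'Anyone',
                ROSTER_MEMBERS: 'List members',
                ROSTER_ADMIN_ONLY: 'List admin only'}
DEFAULT_CHUNKSIZE = 30     # DEFAULT_ADMIN_MEMBER_CHUNKSIZE in Defaults.py
TARGET_CHUNKSIZE = 200     # assumed value for this example


def audit(mlist):
    """Return a dict describing roster exposure and membership chunking."""
    roster = getattr(mlist, 'private_roster', ROSTER_MEMBERS)
    chunk = getattr(mlist, 'admin_member_chunksize', DEFAULT_CHUNKSIZE)
    members = len(mlist.getMembers())          # MailList/MemberAdaptor API
    report = {
        'list': mlist.internal_name(),
        'private_roster': ROSTER_NAMES.get(roster, 'unknown(%r)' % roster),
        'roster_public': roster == ROSTER_ANYONE,
        # obscure_addresses is the "harder for spammers to harvest" display
        # setting; it is reported but not changed here.
        'obscure_addresses': bool(getattr(mlist, 'obscure_addresses', True)),
        'admin_member_chunksize': chunk,
        'member_count': members,
        'membership_chunked': members > chunk,
    }
    for key in sorted(report):
        print('%-24s %s' % (key + ':', report[key]))
    return report


def harden(mlist, chunksize=TARGET_CHUNKSIZE, roster=ROSTER_ADMIN_ONLY):
    """Restrict the roster to the list admin, raise the chunk size, persist.

    withlist -l already holds the list lock; Save() writes config.pck and
    withlist releases the lock on exit.
    """
    before = audit(mlist)
    mlist.private_roster = roster
    mlist.admin_member_chunksize = chunksize
    mlist.Save()
    after = audit(mlist)
    return before, after


class _StandInList(object):
    """Constructed stand-in for Mailman's MailList, for running offline."""

    def __init__(self, name, members, roster, chunksize):
        self._name = name
        self._members = list(members)
        self.private_roster = roster
        self.admin_member_chunksize = chunksize
        self.obscure_addresses = True
        self.saved = False

    def internal_name(self):
        return self._name

    def getMembers(self):
        return self._members

    def Save(self):
        self.saved = True


def demo():
    """45 constructed members on a list whose roster is world-readable."""
    members = ['user%02d@example.org' % i for i in range(45)]
    mlist = _StandInList('lcveg', members, ROSTER_ANYONE, DEFAULT_CHUNKSIZE)
    return harden(mlist)


if __name__ == '__main__':
    demo()
```

Running audit first and harden second is deliberate: the audit output is the record of what the roster setting was before you changed it, which matters when several people administer the same list. Note that neither function touches the admin cookie behaviour Mark describes; logging out of the admin interface is still the only way to drop that cookie before the browser session ends.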
Date: Sat, 1 Dec 2007 15:32:45 -0800 From: Mark Sapiro <mark@msapiro.net>
> There are bug reports and feature requests in the sourceforge tracker about this and lots of email in the archives. I'm embarrassed to say one of the bug reports is mine and I've never fixed it. See <http://sourceforge.net/tracker/index.php?func=detail&aid=1072002&group_id=103&atid=100103>, <http://sourceforge.net/tracker/index.php?func=detail&aid=782436&group_id=103&atid=350103> and <http://www.google.com/search?q=site%3Amail.python.org++inurl%3Amailman++admi...>
Well, there are things that have been in my inbox for years too :)
But if you want a "me too" for making it a priority, here it is.
> The short answer is the Mailman admins at the ISP have to do it. There is a site configuration setting DEFAULT_ADMIN_MEMBER_CHUNKSIZE which defaults to 30 and sets the list's admin_member_chunksize attribute at list create time. This in turn is the number above which the membership is 'chunked'.
Thanks, I will pass this on to the site admins.
> > Then there is a security question. When I got the roster (requiring no password), each name on the list was clickable. When I clicked on a name, it took me to the subscription page for that person. Without requiring a password. When I did it for my own name I figured that my password was just in a cookie. But it works for a random name too.
> If this were a real security issue, it should be posted per <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp> (see Security Policy in the list footer), but I don't think it is.
Nodding. That is good news.
> > Of course, the roster page should be passworded too...is it really possible for anyone to view my subscriber list? Can those of you who don't have a Sonic IP view it?
> The roster can be set on Privacy options...->Subscription rules->private_roster to be viewable by Anyone, List members or the List admin only. Even if it is viewable by anyone, the links to a user's options page will normally take one to the user's login page.
I do have the list set to Who can view subscription list?: List admin only.
> If you clicked a random name and got to the user's actual options page, you had the list admin cookie which allows you to visit any user's options page.
Okay.
Can anyone else see my roster? http://lists.sonic.net/mailman/roster/lcveg
Thanks, Cyndi
P.S. That test of HTML options you asked for is still on my to-do list.