[Mailman-Users] web interface tuning

Darich Runyan/OMNI INFOSEC HQ darich at omni-infosec.com
Tue Nov 8 15:44:28 CET 2005


Users was probably not the best term to use.  I was speaking of  
nefarious bad-doers.  I did not want to have anything internet facing  
that allowed for any type of administration.  Your discussion was  
very helpful and I believe that I know how I am going configure it,  
well, attempt to configure it.


On Nov 7, 2005, at 11:24 PM, Mark Sapiro wrote:

> Darich Runyan/OMNI INFOSEC HQ wrote:
>> Is there a way to turn off the ability for users to create list and
>> administer list via the web interface while still allowing them to
>> use the web interface for subscribing?
> Creating a list from the web requires that the person doing the create
> know the site passord or a special list creator password. There is no
> need for users or list admins to know these passwords, nor do you even
> have to have a list creator or even a site password if you don't want
> them. The list creator password only allows web based list creation.
> The site password allows web based list creation and full
> administration of all site lists.
> I'm confused by what you mean by user in this context. Do you mean  
> list
> administrators who are users of your mailman installation or do you
> mean list members?
> List administration really requires the web interface as lists  
> can't be
> effectively administered without it. There are two passwords involved.
> The optional moderator password allows access to the admindb interface
> only for dealing with various requests and held messages. The admin
> password allows access to all list administration functions. List
> members in general do not know these passwords.
> If you want to prohibit using the admin web interface, set up the list
> yourself and don't tell anyone the list password.
> If you want to limit the web admin interface to only certain  
> functions,
> you can change the ADMIN_CATEGORIES list in mm_cfg.py. You can reorder
> the links at the top of the admin pages with this list, and you can
> delete any pages you don't want available. Note however that you can't
> really eliminate the General Options page because unrecognized pages
> always default to the General Options page whether or not it's in
> None of this affects access to the listinfo page and its subscribe and
> unsubscribe functions.
> Other than controlling passwords and using ADMIN_CATEGORIES as above,
> you'd have to modify the code in Mailman/Cgi/admin.py or other Cgi
> modules to change the way things work.
> But, the simple answer to your question if it means what it says on  
> its
> face is don't tell them the list admin password, the list creator
> password if any and the site password if any.
> -- 
> Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

Darich Runyan
President/Principal Consultant
Omni Infosec Ltd.
734 Thimble Shoals Blvd.
Newport News, VA 23606

More information about the Mailman-Users mailing list