[Mailman-Users] Umbrella List + Monthly Password Reminders = List Security Issue?

Mike Brudenell pmb1 at york.ac.uk
Thu Jun 1 11:59:57 CEST 2006

Greetings -

Can someone help me with this please?

We are using Mailman 2.1.8 under Sun Solaris 10 (SPARC).

We have a small number of umbrella lists, each with (only) other lists 
subscribed as their members.  A fictional example:

The umbrella list

    all-depts at lists.york.ac.uk

has members

    astronomy-dept at lists.york.ac.uk
    dentistry-dept at lists.york.ac.uk
    geography-dept at lists.york.ac.uk

The umbrella list is set up with:

    Send password reminders to, eg, "-owner" address instead of directly to
    user. (Details for umbrella_list)

    Suffix for use when this list is an umbrella for other lists, according
    to setting of previous "umbrella_list" setting.  (Details for

Posting through the umbrella and member lists is working fine.

However I've just found that the monthly password reminders for the 
umbrella lists have been sent out to the subscribed member-list addresses. 
I was instead expecting them to go to these list names suffixed "-owner" 
and hence to the member-lists' owners only.

This means that every person belonging to, say, astronomy-dept now knows 
the membership password used to subscribe it to the all-depts umbrella list!

The monthly reminders are sent out using the Mailman script 
cron/mailpasswds and executed from cron.

I'm not a Python programmer (yet) but can manage to read the stuff and, as 
far as I can see, there is NOTHING in cron/mailpasswds to spot umbrella 
lists and send their monthly reminder to

    memberlist-owner at lists.york.ac.uk

instead of the subscribed address

    memberlist at lists.york.ac.uk

All the documentation I've read and help pages I've managed to locate give 
no clue of this behaviour.  Instead they strongly imply that by setting the 
umbrella_list setting to YES, "password reminders" are sent to the 
list's owners by adding the specified suffix (typically "-owner") to each 
member's address.

I'm now wondering if this is actually referring only to the "Please remind 
me of my password" link, not the monthly reminder.  If so then a huge 
warning needs adding to the FAQ and documentation about umbrella lists 
advising admins NOT to turn on the monthly reminders for umbrella lists in 
order to avoid this big security issue.

Or am I missing something/have something misconfigured?

Mike Brudenell

The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811  FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
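As an added illustration (written for this thread, not Mailman's own code), the following models the reminder routing the post expected for umbrella lists and audits a set of list settings for the risk described: an umbrella list whose monthly reminders are still switched on. The ListConfig class and SAMPLE data are constructed here; the field names follow Mailman 2.1's list options.

```python
# Added example for this thread (not Mailman's own code): models the
# reminder routing the poster expected for umbrella lists and audits a
# set of list configurations for the risk described above.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ListConfig:
    """Subset of a Mailman 2.1 list's settings, constructed for this example."""
    name: str
    members: List[str] = field(default_factory=list)
    umbrella_list: bool = False
    umbrella_member_suffix: str = "-owner"
    send_reminders: bool = False


def reminder_recipient(cfg: ListConfig, member: str) -> str:
    """Address a password reminder for `member` should go to.

    For an umbrella list the suffix is inserted before the '@', so the
    reminder reaches the member list's owners rather than every subscriber.
    """
    if not cfg.umbrella_list:
        return member
    local, _, domain = member.rpartition("@")
    if not local or not domain:
        raise ValueError("not a user@host address: %r" % member)
    return "%s%s@%s" % (local, cfg.umbrella_member_suffix, domain)


def audit_umbrella_reminders(configs: List[ListConfig]) -> List[str]:
    """Return names of umbrella lists that still have monthly reminders on.

    As the post describes, cron/mailpasswds delivered the reminder to the
    subscribed member-list addresses, so every subscriber of those lists
    could see the umbrella list's membership password.
    """
    return [c.name for c in configs if c.umbrella_list and c.send_reminders]


# Constructed sample mirroring the fictional lists in the post.
SAMPLE = [
    ListConfig("all-depts", ["astronomy-dept@lists.york.ac.uk",
                             "dentistry-dept@lists.york.ac.uk",
                             "geography-dept@lists.york.ac.uk"],
               umbrella_list=True, send_reminders=True),
    ListConfig("astronomy-dept", ["someone@york.ac.uk"], send_reminders=True),
]

if __name__ == "__main__":
    for name in audit_umbrella_reminders(SAMPLE):
        print("umbrella list %r has monthly reminders enabled" % name)
```

On a live Mailman 2.1 site the same check would be run over real list objects (for example via bin/withlist) rather than the constructed SAMPLE above.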
