[Mailman-Users] listname-request who command

Mark Sapiro msapiro at value.net
Fri Mar 23 04:20:17 CET 2007


Patrick Bogen wrote:

>On 3/21/07, Jennifer Oxelson <oxelson at unidata.ucar.edu> wrote:
>> The issue is I can send the 'who' email command with the admin password
>> from /*any*/ email address (not even subscribed) and get the roster...
>> is this right?   Wouldn't it be better if the 'who' command only worked
>> for email addresses corresponding to list admins/moderators when the
>> list roster is configured to be only available to these privileged
>> users?  (Or am I being overly paranoid?)
>
>Checking the email address would only add a sense of security, not any
>real security. Email addresses are *easily* forged. Trivially forged,
>even.
>
>So, this might actually even be a bad thing, since it will give a
>false sense of security while actually adding none.


Patrick is correct, but the real issue here is that by definition a
Mailman list admin or moderator is anyone who knows the respective
password. Thus, by providing the password, you have identified
yourself as a list admin regardless of your email address (or the
address you want the list sent to).

See FAQs
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.060.htp>
and
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.027.htp>.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
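
An added example, not part of the original post and not Mailman's code: a minimal model of three possible policies for a `who <password>` command. It shows that the From header is text written by whoever composes the message, so the password check is the only one that decides access. The function names, policy names, addresses, password and roster are all constructed for illustration.

```python
# Added illustration; not Mailman source. Every name and value is hypothetical.
import hmac
from email import message_from_string
from email.utils import parseaddr

LIST_ADMINS = {"admin@example.org"}                 # constructed sample data
ADMIN_PASSWORD = "correct-horse"                    # constructed sample secret
ROSTER = ["alice@example.org", "bob@example.org"]   # constructed sample roster

def sender_is_admin(msg):
    """From-address check: trusts a header the message's author fills in."""
    return parseaddr(msg.get("From", ""))[1].lower() in LIST_ADMINS

def password_ok(supplied):
    """Bearer-secret check, compared in constant time."""
    return hmac.compare_digest(supplied.encode(), ADMIN_PASSWORD.encode())

def handle_who(raw, policy):
    """Process a 'who [password]' command; return the roster or None."""
    msg = message_from_string(raw)
    words = msg.get_payload().split()
    if not words or words[0].lower() != "who":
        return None
    supplied = words[1] if len(words) > 1 else ""
    if policy == "from_only":
        allowed = sender_is_admin(msg)
    elif policy == "password":
        allowed = password_ok(supplied)
    else:  # "both": address check layered on top of the password
        allowed = sender_is_admin(msg) and password_ok(supplied)
    return list(ROSTER) if allowed else None

def make(from_addr, body):
    """Build a constructed command message as raw RFC 5322 text."""
    return (f"From: {from_addr}\nTo: list-request@example.org\n"
            f"Subject: command\n\n{body}\n")

# Constructed sample messages.
OUTSIDER_WITH_PW = make("stranger@example.net", "who correct-horse")
ADMIN_FROM_NO_PW = make("admin@example.org", "who")
ADMIN_FROM_WITH_PW = make("admin@example.org", "who correct-horse")

if __name__ == "__main__":
    for policy in ("from_only", "password", "both"):
        for name in ("OUTSIDER_WITH_PW", "ADMIN_FROM_NO_PW", "ADMIN_FROM_WITH_PW"):
            granted = handle_who(globals()[name], policy) is not None
            print(f"{policy:10} {name:20} roster released: {granted}")
```

Under `from_only` the roster is released on the strength of a header alone, and under `both` the outcome for anyone who holds the password depends only on what they write in From, which is why the address check adds no protection beyond the password.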


