[Mailman-Developers] Doubt about security
skip at pobox.com
Mon Jan 5 19:12:31 CET 2009
Mark> The answer is to use strong passwords, and if you are really
Mark> concerned, don't advertise any lists and remove Mailman's
Mark> cgi-bin/create wrapper so lists can't be created from the web, or
Mark> alternatively just don't set site admin or list creator passwords
Mark> or remove data/adm.pw and data/creator.pw to remove those set
Mark> previously.
I suspect the default should be to not expose those things. I wasn't even
aware that list creation through the web was possible. Based on the
extremely novice questions I see posted to mailman-users on occasion I
suspect many potential Mailman admins are unaware of this as well. I fear
those admins are also the ones most likely to not create strong passwords.

Maybe all that's necessary is to install cgi-bin/create as
cgi-bin/create.disabled by default, set its permissions to not allow
execution and add a note to the installation docs about the consequences of
through-the-web list creation and how to set it up.
Skip
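Skip's proposal above, as a POSIX shell audit-and-disable script: it reports whether through-the-web list creation is still reachable (an executable cgi-bin/create, or the data/adm.pw and data/creator.pw files Mark mentions) and renames the wrapper to create.disabled with its execute bits cleared. This is an added example, not code from the thread or from Mailman; the default install prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Mailman project).
# Assumed layout: $PREFIX/cgi-bin/create, $PREFIX/data/adm.pw,
# $PREFIX/data/creator.pw. The default prefix is an assumption; pass
# your own as the first argument.

# Audit: print one line per finding.
# Returns 0 when nothing exposes web list creation, 1 otherwise.
ttw_create_audit() {
    prefix=${1:-/usr/local/mailman}
    exposed=0
    if [ -x "$prefix/cgi-bin/create" ]; then
        echo "EXPOSED: $prefix/cgi-bin/create is executable (web list creation reachable)"
        exposed=1
    fi
    for pw in adm.pw creator.pw; do
        if [ -f "$prefix/data/$pw" ]; then
            echo "NOTE: $prefix/data/$pw is set (this password permits web list creation)"
            exposed=1
        fi
    done
    return $exposed
}

# Disable: rename the wrapper to create.disabled and clear its execute bits,
# as Skip suggests. Idempotent; passwords are left for the admin to decide on.
ttw_create_disable() {
    prefix=${1:-/usr/local/mailman}
    wrapper="$prefix/cgi-bin/create"
    [ -e "$wrapper" ] || return 0
    mv "$wrapper" "$wrapper.disabled" && chmod a-x "$wrapper.disabled"
}
```

Run `ttw_create_audit /path/to/mailman` first; rerun it after `ttw_create_disable` and after removing the password files to confirm nothing is still reported.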