[Mailman-Users] Secure the admin pages

Mike Hanby flakrat at yahoo.com
Fri Aug 19 17:45:20 CEST 2005


Thanks Jim, I'll give that a shot.

Does anyone know if the admin, admindb and others are secure, or are there
known ways to get around them to get to the membership email list?

-----Original Message-----
From: Jim Tittsler [mailto:jwt at onjapan.net] 
Sent: Thursday, August 18, 2005 23:00
To: Mike Hanby
Cc: mailman-users at python.org
Subject: Re: [Mailman-Users] Secure the admin pages

On 2005-08-18 23:14, Mike Hanby wrote:
> Howdy, does anyone know if it's possible to secure the admin pages with an
> .htaccess type security?
[...]
> Ex:  http://www.mydomain.com/mailman/admin/mailinglist
> 
> Going to this page would pop up an Apache login prompt.  If successful, then
> the page would load where they would then have to log in using mailman's
> "List Administrator Password".

You could use a FilesMatch directive to restrict access to the cgi 
scripts you were interested in:

<FilesMatch (admin|admindb|create|edithtml|rmlist)>
   AuthName "Mailman"
   [...]
   require valid-user
</FilesMatch>

(Or a LocationMatch directive in your Apache configuration.)

Jim

P.S.  Your message might get more attention if you sent a new message 
to the mailing list rather than hijacking an existing thread (as you 
did by replying to a different message and simply changing the 
subject).  People that browse the list by thread might not see your 
message the way you have done it.

-- 
Jim Tittsler     http://www.OnJapan.net/      GPG: 0x01159DB6
Python Starship  http://Starship.Python.net/crew/jwt/
Mailman IRC      irc://irc.freenode.net/#mailman
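
An added example, not part of the original thread or of Mailman's own documentation: the LocationMatch form mentioned in the reply above, with the pattern anchored so that only the listed CGI names are covered. The /mailman/ prefix is taken from the example URL in the thread; the AuthUserFile path is an assumption.

```apache
# Added example (Apache 2.2/2.4 syntax). Assumes the Mailman CGI scripts are
# reachable under /mailman/, as in the thread's example URL.
#
# The pattern is anchored: "^" pins the /mailman/ prefix and "(/|$)" requires
# the script name to end there, so /mailman/admin and /mailman/admin/mailinglist
# match, while an unrelated name that merely contains "admin" does not.
# An unanchored (admin|admindb|...) pattern matches any name containing one of
# those substrings.
<LocationMatch "^/mailman/(admin|admindb|create|edithtml|rmlist)(/|$)">
    AuthType Basic
    AuthName "Mailman"
    # Assumed location; keep the password file outside the document root.
    # Created with: htpasswd -c /etc/apache2/mailman.htpasswd <username>
    AuthUserFile /etc/apache2/mailman.htpasswd
    Require valid-user
</LocationMatch>

# Basic authentication sends the password base64-encoded, not encrypted,
# on every request, so serve these URLs over HTTPS.
```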



