[Mailman-Users] web interface tuning

Darich Runyan/OMNI INFOSEC HQ darich at omni-infosec.com
Tue Nov 8 15:44:28 CET 2005


Mark,

Users was probably not the best term to use.  I was speaking of  
nefarious bad-doers.  I did not want to have anything internet facing  
that allowed for any type of administration.  Your discussion was  
very helpful and I believe that I know how I am going to configure it,
well, attempt to configure it.

Thanks,
Darich

On Nov 7, 2005, at 11:24 PM, Mark Sapiro wrote:

> Darich Runyan/OMNI INFOSEC HQ wrote:
>>
>> Is there a way to turn off the ability for users to create list and
>> administer list via the web interface while still allowing them to
>> use the web interface for subscribing?
>
> Creating a list from the web requires that the person doing the create
> know the site password or a special list creator password. There is no
> need for users or list admins to know these passwords, nor do you even
> have to have a list creator or even a site password if you don't want
> them. The list creator password only allows web based list creation.
> The site password allows web based list creation and full
> administration of all site lists.
>
> I'm confused by what you mean by user in this context. Do you mean list
> administrators who are users of your mailman installation or do you
> mean list members?
>
> List administration really requires the web interface as lists can't be
> effectively administered without it. There are two passwords involved.
> The optional moderator password allows access to the admindb interface
> only for dealing with various requests and held messages. The admin
> password allows access to all list administration functions. List
> members in general do not know these passwords.
>
> If you want to prohibit using the admin web interface, set up the list
> yourself and don't tell anyone the list password.
>
> If you want to limit the web admin interface to only certain functions,
> you can change the ADMIN_CATEGORIES list in mm_cfg.py. You can reorder
> the links at the top of the admin pages with this list, and you can
> delete any pages you don't want available. Note however that you can't
> really eliminate the General Options page because unrecognized pages
> always default to the General Options page whether or not it's in
> ADMIN_CATEGORIES.
>
> None of this affects access to the listinfo page and its subscribe and
> unsubscribe functions.
>
> Other than controlling passwords and using ADMIN_CATEGORIES as above,
> you'd have to modify the code in Mailman/Cgi/admin.py or other Cgi
> modules to change the way things work.
>
> But, the simple answer to your question if it means what it says on its
> face is don't tell them the list admin password, the list creator
> password if any and the site password if any.
>
> -- 
> Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>

---
Darich Runyan
President/Principal Consultant
Omni Infosec Ltd.
734 Thimble Shoals Blvd.
Newport News, VA 23606
757-876-3805
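
An added example, not part of the original thread and not Mailman's own code: a sketch of the ADMIN_CATEGORIES trimming described in the quoted reply, with a simplified model of the fallback to General Options that it mentions. The default list is assumed to match Mailman 2.1's Defaults.py (check your installed version); `restrict_categories`, `resolve_page` and `reachable_pages` are hypothetical helper names.

```python
# Default category list, assumed to match Mailman 2.1's Defaults.py.
# Verify against the Defaults.py of the installed version before relying on it.
DEFAULT_ADMIN_CATEGORIES = [
    'general', 'passwords', 'language', 'members', 'nondigest', 'digest',
    'privacy', 'bounce', 'archive', 'gateway', 'autoreply',
    'contentfilter', 'topics',
]


def restrict_categories(defaults, keep):
    """Build the list to assign to ADMIN_CATEGORIES in mm_cfg.py.

    Keeps only the named pages, in their default order, and rejects
    misspelled names so a typo cannot silently drop a page.
    """
    unknown = set(keep) - set(defaults)
    if unknown:
        raise ValueError('unknown admin categories: %s' % sorted(unknown))
    return [c for c in defaults if c in keep]


def resolve_page(requested, admin_categories):
    """Simplified model (hypothetical) of the behaviour noted in the thread:
    a page that is not recognized falls back to General Options, whether or
    not 'general' is in ADMIN_CATEGORIES."""
    if requested in admin_categories:
        return requested
    return 'general'


def reachable_pages(admin_categories):
    """Pages a holder of the list admin password can still land on."""
    return sorted({resolve_page(p, admin_categories)
                   for p in DEFAULT_ADMIN_CATEGORIES})


# The line that would go in mm_cfg.py: expose only membership and privacy pages.
ADMIN_CATEGORIES = restrict_categories(DEFAULT_ADMIN_CATEGORIES,
                                       {'members', 'privacy'})

if __name__ == '__main__':
    print('ADMIN_CATEGORIES =', ADMIN_CATEGORIES)
    print('still reachable  =', reachable_pages(ADMIN_CATEGORIES))
```

Trimming the list narrows what an admin-password holder can change but leaves General Options reachable, so the passwords remain the actual access control.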
