[Mailman-Users] Umbrella List + Monthly Password Reminders = List Security Issue?

Mark Sapiro msapiro at value.net
Thu Jun 1 16:35:21 CEST 2006


Mike Brudenell wrote:
>
>All the documentation I've read and help pages I've managed to locate give 
>no clue of this behaviour.  Instead they strongly imply that, by setting the 
>umbrella_list setting to YES, "password reminders" are sent to the 
>list's owners by adding the specified suffix (typically "-owner") to each 
>member's address.
>
>I'm now wondering if this is actually referring only to the "Please remind 
>me of my password" link, not the monthly reminder.  If so then a huge 
>warning needs adding to the FAQ and documentation about umbrella lists 
>advising admins NOT to turn on the monthly reminders for umbrella lists in 
>order to avoid this big security issue.
>
>Or am I missing something/have something misconfigured?


I think you are correct. I think cron/mailpasswds should be fixed. I
don't know how this has been ignored for so long.


In the meantime, I think the following (Warning - totally untested and
watch out for wrapped lines) patch will fix it.

--- mailpasswds 2006-04-15 17:38:24.000000000 -0700
+++ mailpasswdsx        2006-06-01 07:30:07.843750000 -0700
@@ -162,6 +162,8 @@
                 optionsurl = mlist.GetOptionsURL(member)
                 lang = mlist.getMemberLanguage(member)
                 info = (listaddr, password, optionsurl, lang)
+                if mlist.umbrella_list:
+                    member = mlist.GetMemberAdminEmail(member).lower()
                 userinfo.setdefault(member, []).append(info)
         # Now that we've collected user information for this host,
send each
         # user the password reminder.
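Review bot: the hunk's trailing context line has been wrapped in transit ("# Now that we've collected user information for this host," and "send each" now sit on two lines), so `patch` will reject it as posted; rejoin that line before applying, as the "watch out for wrapped lines" warning above already hints. On the two added lines: there is no comment saying why the recipient is remapped, and a one-line note above `if mlist.umbrella_list:` (on an umbrella list the member is itself a list, so the reminder must go to its admin address or the sublist's password reaches every subscriber of that sublist) would spare the next reader a trip to the archive. Also, `.lower()` is applied only in the umbrella branch, so the `userinfo` key is case-normalized for umbrella members but not for ordinary ones; either normalize both or neither so the per-recipient grouping behaves the same on both paths. The ordering itself is right: `info` is built from the real member before `member` is rebound, so the password and options URL stay the subscriber's and only the delivery address changes.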

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
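As an added illustration (not Mailman's code and not part of this message), the model below replays the recipient-selection loop shown in the patch on constructed data, once as the unpatched cron job keys reminders and once with the umbrella remap, and reports which passwords would be delivered to an address that is itself a list. The `FakeList` class, its method names, the `umbrella_member_suffix` attribute and every address and password are assumptions made for the example; the real job's per-host grouping is left out.

```python
"""Model of the recipient selection in Mailman's cron/mailpasswds.

Constructed illustration, not Mailman code: the list object, addresses and
passwords are made up.  It shows why an umbrella list (a list whose members
are other lists) must send the monthly reminder to each member's
administrative address (member + umbrella suffix, e.g. "-owner") instead of
to the member address itself, which would hand every sublist's password to
every subscriber of that sublist.
"""


class FakeList:
    """Minimal stand-in for a Mailman MailList (hypothetical, not the real API)."""

    def __init__(self, name, host, members, umbrella_list=False, suffix='-owner'):
        self.internal_name = name
        self.host_name = host
        self.umbrella_list = umbrella_list
        self.umbrella_member_suffix = suffix   # assumed name for the suffix setting
        self._members = members                # address -> (password, language)

    def getListAddress(self):
        return '%s@%s' % (self.internal_name, self.host_name)

    def getMembers(self):
        return list(self._members)

    def getMemberPassword(self, member):
        return self._members[member][0]

    def getMemberLanguage(self, member):
        return self._members[member][1]

    def GetOptionsURL(self, member):
        return 'http://%s/mailman/options/%s/%s' % (self.host_name, self.internal_name, member)

    def GetMemberAdminEmail(self, member):
        # Assumed behaviour: on an umbrella list the admin address is the
        # member address with the umbrella suffix inserted before the '@'.
        if not self.umbrella_list:
            return member
        acct, host = member.split('@', 1)
        return '%s%s@%s' % (acct, self.umbrella_member_suffix, host)


def collect_reminders(lists, remap_umbrella):
    """Build recipient -> [(listaddr, password, optionsurl, lang)] the way the
    cron loop does; remap_umbrella toggles the branch the patch adds."""
    userinfo = {}
    for mlist in lists:
        listaddr = mlist.getListAddress()
        for member in mlist.getMembers():
            password = mlist.getMemberPassword(member)
            optionsurl = mlist.GetOptionsURL(member)
            lang = mlist.getMemberLanguage(member)
            info = (listaddr, password, optionsurl, lang)
            if remap_umbrella and mlist.umbrella_list:
                # Rebind only after info is built, so the password and URL
                # stay the subscriber's and only the recipient changes.
                member = mlist.GetMemberAdminEmail(member).lower()
            userinfo.setdefault(member, []).append(info)
    return userinfo


def leaked_passwords(lists, remap_umbrella):
    """Return the (list address, password) pairs that would be mailed to an
    address that is itself a list, i.e. redistributed to all its members."""
    list_addrs = {m.getListAddress().lower() for m in lists}
    leaks = set()
    for recipient, infos in collect_reminders(lists, remap_umbrella).items():
        if recipient.lower() in list_addrs:
            for listaddr, password, _url, _lang in infos:
                leaks.add((listaddr, password))
    return leaks


# Constructed data: two departmental lists and an umbrella list whose
# members are those two lists.
dept_a = FakeList('dept-a', 'lists.example.org',
                  {'alice@example.org': ('a1b2c3', 'en'),
                   'bob@example.org': ('d4e5f6', 'en')})
dept_b = FakeList('dept-b', 'lists.example.org',
                  {'carol@example.org': ('g7h8i9', 'en')})
everyone = FakeList('everyone', 'lists.example.org',
                    {'dept-a@lists.example.org': ('secretA', 'en'),
                     'dept-b@lists.example.org': ('secretB', 'en')},
                    umbrella_list=True)
SITE_LISTS = [dept_a, dept_b, everyone]

if __name__ == '__main__':
    for fixed in (False, True):
        label = 'patched' if fixed else 'unpatched'
        print(label, 'recipients:', sorted(collect_reminders(SITE_LISTS, fixed)))
        print('  leaked to a list address:', sorted(leaked_passwords(SITE_LISTS, fixed)))
```

Unpatched, the reminders for the umbrella list are keyed on dept-a@ and dept-b@, so each sublist's password for the umbrella list goes out to everyone on that sublist; with the remap the same reminders are keyed on the -owner addresses and nothing lands on a list address.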



