[Mailman-Users] Viewing Full Subscriber & Subscriber Security

Mark Sapiro mark at msapiro.net
Sun Dec 2 00:32:45 CET 2007


Cyndi Norwitz wrote:
>
>Is there a way to see the entire membership list with all the interactive
>boxes I get as an admin? 
>
>Is this a setting on the ISP's end?  Can they make the option available?
>or at least raise the threshold for putting the list into letter-only
>status?


There are bug reports and feature requests in the sourceforge tracker
about this and lots of email in the archives. I'm embarrassed to say
one of the bug reports is mine and I've never fixed it. See
<http://sourceforge.net/tracker/index.php?func=detail&aid=1072002&group_id=103&atid=100103>,
<http://sourceforge.net/tracker/index.php?func=detail&aid=782436&group_id=103&atid=350103>
and
<http://www.google.com/search?q=site%3Amail.python.org++inurl%3Amailman++admin_member_chunksize>

The short answer is the Mailman admins at the ISP have to do it. There
is a site configuration setting DEFAULT_ADMIN_MEMBER_CHUNKSIZE which
defaults to 30 and sets the list's admin_member_chunksize attribute at
list create time. This in turn is the number above which the
membership is 'chunked'.

This can be changed for a list by running

bin/config_list -i <input_file> <listname>

with an input file containing the single line

admin_member_chunksize = 200

or whatever number you want, but this has to be done by someone with
command line access to the installation.


>Then there is a security question.  When I got the roster (requiring no
>password), each name on the list was clickable.  When I clicked on a name,
>it took me to the subscription page for that person.  Without requiring a
>password.  When I did it for my own name I figured that my password was
>just in a cookie.  But it works for a random name too.


If this were a real security issue, it should be posted per
<http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp>
(see Security Policy in the list footer), but I don't think it is.


>Of course, the roster page should be passworded too...is it really possible
>for anyone to view my subscriber list?  Can those of you who don't have a
>Sonic IP view it?  


The roster can be set on Privacy options...->Subscription
rules->private_roster to be viewable by Anyone, List members or the
List admin only. Even if it is viewable by anyone, the links to a user's
options page will normally take one to the user's login page.

If you clicked a random name and got to the user's actual options page,
you had the list admin cookie which allows you to visit any user's
options page.


>Are there settings on my end that I need to re-do?  Are there settings on
>Sonic's end?


Yes, you need to be sure that Privacy options...->Subscription
rules->private_roster is set to List members or List admin only as you
prefer.

You also have to recognize that once you've logged in to the admin
interface for a list, you have the admin cookie for the duration of
your browser session unless you explicitly log out from the admin
interface. With that cookie, you can visit any user's options page from
the roster (and change their options), just as you can from the admin
membership list.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
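An added example (not from this thread or from Mailman itself) for the site admin with command line access: a POSIX sh script that audits every list's private_roster and admin_member_chunksize from a `bin/config_list -o` dump and applies a new chunk size with `bin/config_list -i` as described above. It assumes a Mailman 2.1 install under `$MAILMAN_DIR` and the `list_lists -b` and `config_list -o -` options of that release; `setting_value`, `roster_label`, `audit_rosters` and `set_chunksize` are names chosen here.

```shell
#!/bin/sh
# Added example, not Mailman's own tooling. Assumes Mailman 2.1 with
# bin/list_lists and bin/config_list under $MAILMAN_DIR.
MAILMAN_DIR="${MAILMAN_DIR:-/usr/local/mailman}"

# Read a config_list -o dump on stdin and print the numeric value of
# setting $1. Dump lines look like "private_roster = 1", preceded by
# '#' comment lines, so only the first real assignment is taken.
setting_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# private_roster meaning in Mailman 2.1: 0 = Anyone, 1 = List members,
# 2 = List admin only. Value 0 is the one worth flagging.
roster_label() {
    case "$1" in
        0) echo "ANYONE (open roster)" ;;
        1) echo "list members" ;;
        2) echo "list admin only" ;;
        *) echo "unknown" ;;
    esac
}

# Print one line per list with its roster visibility and chunk size.
audit_rosters() {
    "$MAILMAN_DIR/bin/list_lists" -b | while read -r list; do
        dump=$("$MAILMAN_DIR/bin/config_list" -o - "$list")
        pr=$(printf '%s\n' "$dump" | setting_value private_roster)
        cs=$(printf '%s\n' "$dump" | setting_value admin_member_chunksize)
        printf '%s: private_roster=%s (%s) admin_member_chunksize=%s\n' \
            "$list" "$pr" "$(roster_label "$pr")" "$cs"
    done
}

# Set admin_member_chunksize for list $1 to $2 via a one-line input
# file, exactly the config_list -i procedure from the reply above.
set_chunksize() {
    tmp=$(mktemp) || return 1
    printf 'admin_member_chunksize = %s\n' "$2" > "$tmp"
    "$MAILMAN_DIR/bin/config_list" -i "$tmp" "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `audit_rosters` first to see which lists expose their roster to anyone, then `set_chunksize listname 200` where a longer unchunked membership page is wanted.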
