[Mailman-Users] Viewing Full Subscriber & Subscriber Security

Cyndi Norwitz cyndi at tikvah.com
Sun Dec 2 01:58:54 CET 2007


   Date: Sat, 1 Dec 2007 15:32:45 -0800
   From: Mark Sapiro <mark at msapiro.net>

   There are bug reports and feature requests in the sourceforge tracker
   about this and lots of email in the archives. I'm embarrassed to say
   one of the bug reports is mine and I've never fixed it. See
   <http://sourceforge.net/tracker/index.php?func=detail&aid=1072002&group_id=103&atid=100103>,
   <http://sourceforge.net/tracker/index.php?func=detail&aid=782436&group_id=103&atid=350103>
   and
   <http://www.google.com/search?q=site%3Amail.python.org++inurl%3Amailman++admin_member_chunksize>

Well, there are things that have been in my inbox for years too :)

But if you want a "me too" for making it a priority, here it is.

   The short answer is the Mailman admins at the ISP have to do it. There
   is a site configuration setting DEFAULT_ADMIN_MEMBER_CHUNKSIZE which
   defaults to 30 and sets the list's admin_member_chunksize attribute at
   list create time. This in turn is the number above which the
   membership is 'chunked'.

Thanks, I will pass this on to the site admins.

   >Then there is a security question.  When I got the roster (requiring no
   >password), each name on the list was clickable.  When I clicked on a
   >name, it took me to the subscription page for that person.  Without
   >requiring a password.  When I did it for my own name I figured that my
   >password was just in a cookie.  But it works for a random name too.

   If this were a real security issue, it should be posted per
   <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp>
   (see Security Policy in the list footer), but I don't think it is.

Nodding.  That is good news.

   >Of course, the roster page should be passworded too...is it really
   >possible for anyone to view my subscriber list?  Can those of you who
   >don't have a Sonic IP view it?

   The roster can be set on Privacy options...->Subscription
   rules->private_roster to be viewable by Anyone, List members or the
   List admin only. Even if it is viewable by anyone, the links to users
   options page will normally take one to the user's login page.

I do have the list set to Who can view subscription list?: List admin
only. 

   If you clicked a random name and got to the user's actual options page,
   you had the list admin cookie which allows you to visit any user's
   options page.

Okay.

Can anyone else see my roster?
http://lists.sonic.net/mailman/roster/lcveg

Thanks,
Cyndi

P.S. That test of HTML options you asked for is still on my to-do list.
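The two list settings discussed in the thread, private_roster and admin_member_chunksize, can be inspected and changed from the command line on the list server rather than waiting for the ISP to expose them in the web UI. The script below is an added example written for this reply; it is not code from the thread or from Mailman. It is written against Mailman 2.1's bin/withlist interface (withlist imports a module and calls the named function with the open MailList object), and it assumes the list attributes private_roster (0 = Anyone, 1 = List members, 2 = List admin only) and admin_member_chunksize, and the MailList methods getMembers(), internal_name() and Save(). The DemoList class is a constructed stand-in so the script can also run offline; on a real server withlist supplies the list object instead.

```python
# roster_audit.py -- added example, not from the thread or from Mailman.
# On a Mailman 2.1 server, as the Mailman user:
#   bin/withlist -r roster_audit.audit lcveg            # report only
#   bin/withlist -l -r roster_audit.harden lcveg 1000   # lock, change, save
# withlist passes the MailList object as the first argument and any extra
# command-line arguments as strings.

ROSTER_ANYONE, ROSTER_MEMBERS, ROSTER_ADMIN_ONLY = 0, 1, 2   # Privacy options radio values
ROSTER_LABELS = {ROSTER_ANYONE: 'Anyone',
                 ROSTER_MEMBERS: 'List members',
                 ROSTER_ADMIN_ONLY: 'List admin only'}
DEFAULT_CHUNKSIZE = 30   # Mailman's DEFAULT_ADMIN_MEMBER_CHUNKSIZE


def pages_needed(member_count, chunksize):
    """Number of pages the admin membership list is split into."""
    if chunksize <= 0:
        raise ValueError('chunksize must be positive')
    return max(1, -(-member_count // chunksize))   # ceiling division


def audit(mlist):
    """Report roster exposure and chunking; changes nothing (no -l needed).

    Returns (private_roster, admin_member_chunksize, warnings).
    """
    roster = getattr(mlist, 'private_roster', ROSTER_MEMBERS)
    chunk = getattr(mlist, 'admin_member_chunksize', DEFAULT_CHUNKSIZE)
    count = len(mlist.getMembers())
    pages = pages_needed(count, chunk)
    warnings = []
    if roster == ROSTER_ANYONE:
        warnings.append('private_roster=0: the roster is readable by anyone')
    if pages > 1:
        warnings.append('%d members with chunksize %d: membership spans %d pages'
                        % (count, chunk, pages))
    print('%s: roster visible to "%s", %d members, %d page(s)'
          % (mlist.internal_name(), ROSTER_LABELS.get(roster, roster),
             count, pages))
    for w in warnings:
        print('  WARNING: ' + w)
    return roster, chunk, warnings


def harden(mlist, chunksize=None):
    """Restrict the roster to the list admin; optionally raise the chunk size.

    Run under withlist -l so the list is locked; Save() writes the change.
    Returns the new (private_roster, admin_member_chunksize).
    """
    mlist.private_roster = ROSTER_ADMIN_ONLY
    if chunksize is not None:
        chunksize = int(chunksize)          # withlist passes extra args as str
        if chunksize <= 0:
            raise ValueError('chunksize must be positive')
        mlist.admin_member_chunksize = chunksize
    mlist.Save()
    return mlist.private_roster, mlist.admin_member_chunksize


class DemoList(object):
    """Constructed stand-in for a MailList, for running this file offline."""

    def __init__(self, roster, chunk, member_count, name='lcveg'):
        self.private_roster = roster
        self.admin_member_chunksize = chunk
        self._members = ['user%d@example.com' % i for i in range(member_count)]
        self._name = name
        self.saved = False

    def getMembers(self):
        return list(self._members)

    def internal_name(self):
        return self._name

    def Save(self):
        self.saved = True


if __name__ == '__main__':
    demo = DemoList(ROSTER_ANYONE, DEFAULT_CHUNKSIZE, 45)   # constructed sample list
    audit(demo)
    harden(demo, '1000')
    audit(demo)
```

audit() is safe to run without -l because it only reads; harden() must be run with -l, otherwise Save() on an unlocked list is refused and the change is lost.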
