[Mailman-Users] MM admin interface wide open

C Nulk CNulk at scu.edu
Thu Aug 27 16:30:25 CEST 2009


I cannot think of any reason for having a null admin password.  It is
possible for corporate entities as Stefan mentions but even then
probably very rare.  If you are going to add the code to check for a
null admin password, why not add an additional check to see if a new
config option is set to yes - ALLOW_NULL_ADMIN_PWD.  The default would
be NO and for the corporate/groups/individuals that wish a null
password, they can set it to YES in mm_cfg.py.

Just a thought,
Chris

Stefan Förster wrote:
> * Mark Sapiro <mark at msapiro.net>:
>   
>> Mark Sapiro wrote:
>>
>>     
>>> Ulf Hofemeier wrote:
>>>       
>>>> PS. if you email me, I can provide you with the URL to my MM installation.
>>>>         
>>> If you send it to me, I'll check it out.
>>>       
>> After a little off list back and forth, Ulf wrote:
>>
>>     
>>> I had no site admin password set. Setting one with mmsitepass did the  
>>> trick. Thank you for pointing this out. Maybe it would be worthwhile  
>>> to add a line of code that checks whether a site admin pass has been  
>>> set for future versions? I tried to find a solution for my problem on  
>>> your mailman-user list, but couldn't. I have a hard time believing  
>>> that I'm the only one who has run into this problem though.
>>>
>>> Thank you for looking into it. Great support and I appreciate it :-)
>>>       
>> Not having ever set a site password should not cause this problem. If
>> the password was never set, there would be no data/adm.pw file at all
>> and authenticating the site password should fail.
>>
>> I think this issue could only occur if at some point someone actually
>> set a null site password.
>>
>> Still, it's worth fixing it so that a null password doesn't work. I
>> can't see that anyone would actually want passwordless access to the
>> admin interface except maybe in the case of a server that was not
>> exposed on the internet at all, but probably not even then.
>>
>> Does anyone need to have null passwords work in Mailman?
>>     
>
> I could only think of a corporate server, where the directories
> containing Mailman's admin interface are protected by e.g.
> Kerberos/LDAP (i.e. Active Directory).
>
>
> Cheers
> Stefan
>   
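One way to implement the check Chris proposes, as an added example that is not Mailman's own code: the site password is assumed to be stored as a SHA-1 hex digest in data/adm.pw (the format mmsitepass writes in Mailman 2.1), and a hypothetical mm_cfg setting ALLOW_NULL_ADMIN_PWD, default No, gates empty passwords. The demo walks the cases from the thread: password never set, a null password deliberately set, and a real password.

```python
# Added example (not Mailman's code). Assumptions: adm.pw holds a SHA-1 hex
# digest of the site password, and a hypothetical ALLOW_NULL_ADMIN_PWD flag
# (default False) is the only way an empty password is ever accepted.
import hashlib
import hmac
import os
import tempfile

ALLOW_NULL_ADMIN_PWD = False  # hypothetical mm_cfg.py setting, default No


def site_password_path(data_dir):
    return os.path.join(data_dir, "adm.pw")


def write_site_password(data_dir, password):
    """Store the SHA-1 hex digest of the password (assumed mmsitepass format)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    with open(site_password_path(data_dir), "w") as f:
        f.write(digest)


def check_site_password(data_dir, candidate, allow_null=None):
    """Return True only if candidate matches the stored site password.

    Fails closed when adm.pw is absent (password never set) and refuses an
    empty candidate unless ALLOW_NULL_ADMIN_PWD is explicitly enabled, so a
    null password that was once written to adm.pw no longer opens the
    admin interface by default.
    """
    if allow_null is None:
        allow_null = ALLOW_NULL_ADMIN_PWD
    if candidate == "" and not allow_null:
        return False
    try:
        with open(site_password_path(data_dir)) as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False
    if not stored:
        return False
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(digest, stored)


def demo():
    """Run the cases discussed in the thread; returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as data_dir:
        # Never set: no adm.pw file at all, authentication must fail.
        results["never_set"] = check_site_password(data_dir, "")
        # Someone ran mmsitepass with an empty password.
        write_site_password(data_dir, "")
        results["null_set_default"] = check_site_password(data_dir, "")
        results["null_set_allowed"] = check_site_password(
            data_dir, "", allow_null=True)
        # A real password behaves as before.
        write_site_password(data_dir, "correct horse")
        results["real_pw_ok"] = check_site_password(data_dir, "correct horse")
        results["real_pw_wrong"] = check_site_password(data_dir, "wrong")
    return results


if __name__ == "__main__":
    print(demo())
```

Sites that front the admin directories with Kerberos/LDAP, as Stefan describes, would set ALLOW_NULL_ADMIN_PWD = True in mm_cfg.py; everyone else keeps the default and a null site password simply stops working.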

