[BALUG-Admin] time to change list ... passwords

Michael Paoli Michael.Paoli@cal.berkeley.edu
Wed Apr 15 20:43:09 PDT 2009


Looks like "Moderator" password is a non-issue[1].

"Admin" passwords were changed earlier, ... so we should be in
pretty good shape at this point.

footnotes/references/excerpts:
1. Once upon a time the "Moderator" password was set.  The one I had in
my notes was, I believe, passed to me the same time the "Admin" password had
been much earlier passed to me.  I'm also fairly certain "way back then"
I verified that each password worked on each of the lists.  Seems "Moderator"
password/functionality is disabled (as we desire it), as A) I checked, and
the old "Moderator" password no longer works, and B) the GUI admin stuff
quite effectively states that the "Moderator" role only works if both a
password is set for it, and an email is set for "Moderator" - and I
checked and all three lists have no email set for "Moderator" - so I believe
that effectively disables any "Moderator" capability or login - so I think
we're well covered there.

Quoting "Rick Moen" <rick@linuxmafia.com>:

> Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
>
>> Thanks - got it (from earlier encrypted contents you sent me) and verified
>> it authenticates.
>
>> Also, as you mentioned, "Moderator" password....
>
> I recommend against ever using this function, by the way.  So, there's
> no point in setting its password.  (I can detail the reason for that
> recommendation if anyone's interested.  Long story.  Short version is
> that it leads directly to mishaps that the person wielding that password
> cannot fix.)
>
>> It's quite possible many of the "misconfiguration" changes may have been
>> done - perhaps by someone who has "Moderator" password, and may not
>> even have "Admin" password.
>
> I don't think so, because I'm pretty sure nobody has set that password.
> However, the mishaps I allude to above involve someone accidentally
> checking an "autodiscard" or "ban" control on the admin queue page and
> submitting changes, then being unable to remove that address from the
> autodiscard or ban rosters upon realising his/her mistake, because those
> rosters are on an admin page to which moderators lack access.
>
> So, in theory, someone wielding a moderator password could have
> accidentally put Christian Einfeldt's address on the autodiscard list.
> All the other changes I discussed are possible only with a listadmin
> password.
>
>> If you don't want to be bothered with changing the "Moderator" password
>> (you already covered "Admin" - Thanks!) ... just say the word
>> and I'll take care of "Moderator" password.
>
> You're welcome to set it to something obscure and then forget what it
> is.  That's probably the smartest thing to do with it.  ;->



