Hello, Michael Paoli and the 38 other members of this 40-subscriber mailing list.
As listadmin, I've just received one of these for each of the three BALUG mailing lists. Am guessing Dreamhost did a password reset to comply with a trouble ticket from Michael Hubbard, their customer (last I heard) for shared-hosting of balug.org.
Reviewing facts I doubtless once knew but forgot again ;-> , I see Michael Paoli is currently owner ('Registrant') of domain balug.org. (Any time you want to make DNS revisions, I stand ready to help.)
So: I've just changed the listadmin passwords for balug-admin, balug-talk, and balug-announce from the temporary password redacted below to one that is not guessable but still reasonable to type -- same password for all three.
Michael P., please call me to get the new password.[1]
We should review policy and procedures. Is there a third core BALUG person who should hold the listadmin password? Three is better redundancy than two, and I've found works well enough.
Also, are there people beyond just me who're willing to receive Mailman notices of held messages and (potentially) other automated administrative notices? Currently, it's just me.
[1] If you're not Michael P. but can believably impersonate him on the telephone, please don't call me to get the new password. ;->
----- Forwarded message from mailman@listserver-grail.dreamhost.com -----
Date: Tue, 28 Mar 2017 10:53:10 -0700
From: mailman@listserver-grail.dreamhost.com
To: rick@linuxmafia.com
Subject: Your new balug-admin-balug.org list password
The site administrator at lists.balug.org has changed the password for your mailing list balug-admin-balug.org. It is now
[redacted]
Please be sure to use this for all future list administration. You may want to log in now to your list and change the password to something more to your liking. Visit your list admin page at
http://lists.balug.org/admin.cgi/balug-admin-balug.org
----- End forwarded message -----
Rick,
Might be a bit late/early for calling now 8-O
But maybe I didn't miss the mark by *too* much ;-)
mpaoli@linuxmafia:~$ date; hostname; who -Hu | cut -c-9,36-40 | awk '{if(($2 ~ /^IDLE/)||(($2!~/^old$/)&&($1!~/^mpaoli$/)&&($2~!/^(0[2-9]|[1-9])/)))print;}'
Wed Mar 29 04:19:09 PDT 2017
linuxmafia.com
NAME IDLE
rick 01:59
mpaoli@linuxmafia:~$
But still, rather late/early to be ringing the phone.
Rick, if you wish, you could alternatively drop the password in this file:
$ hostname; ls -ld ~/.auth.info
linuxmafia.com
-rw------- 1 mpaoli mpaoli 0 Mar 29 04:05 /home/mpaoli/.auth.info
$
Optionally first encrypting it to one of these keys:
pub 4096R/430AF5E7 2012-05-09
Key fingerprint = 1064 5351 F62D 42C3 89A2 99A9 AACC AC21 430A F5E7
uid Michael Paoli Michael.Paoli@cal.berkeley.edu
uid Michael Paoli
sub 4096R/E89EA70B 2012-05-09
or:
pub 4096R/878BD8C0 2015-02-02
Key fingerprint = 960C 4BE6 4873 7D42 87DC 188F E8A5 5E60 878B D8C0
uid San Francisco Linux Users' Group (SF-LUG) postmaster@sf-lug.org
sub 4096R/2830B82F 2015-02-02
(the latter of those keys is also still used daily by:
$ hostname && ls -ld /etc/cron.daily/sf-lug-roster
linuxmafia.com
-rwxr-xr-x 1 root root 654 Feb 2 2015 /etc/cron.daily/sf-lug-roster
$
)
And shoot me (or this list) an email once you've done so, and I can snag the password data from there (and decrypt it if so encrypted) and once verified (and making encrypted backups of it) I can remove the file you dropped it in and let you know I've successfully obtained and validated it.
And my first order of business with that will be to get fresh copies of the roster lists! Last backups I have of those are presently *many* months out-of-date. I generally back 'em up about monthly ... but haven't been able to do that without working password - so it's been a while. 8-O
Being able to get roster lists again will also get me one step closer to migrating lists off of DreamHost.com (still need to get that done).
Or if you prefer, you can call me (at some reasonable hour): 1-510-883-0772 (can leave voicemail if you don't catch me live) - you may also note that that number is listed on the BALUG.ORG whois data.
Or if you'd still rather I give you a call, let me know, and I'll do so at some more reasonable hour sometime fairly soon when I get more reasonable opportunity.
Oh, and much thanks too for all you do regarding the lists and the Linux community, etc. Much appreciated.
And thanks too to Michael Hubbard for getting the password reset and carrying BALUG on his DreamHost.com account.
From: "Rick Moen" rick@linuxmafia.com Subject: [BALUG-Admin] (forw) Your new balug-admin-balug.org list password Date: Tue, 28 Mar 2017 11:58:40 -0700
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> Rick,
> Might be a bit late/early for calling now 8-O But maybe I didn't miss the mark by *too* much ;-)
No worries!
> Rick, if you wish, you could alternatively drop the password in this file:
> $ hostname; ls -ld ~/.auth.info
> linuxmafia.com
> -rw------- 1 mpaoli mpaoli 0 Mar 29 04:05 /home/mpaoli/.auth.info
> $
Done! Good idea.
IMO, Mailman listadmin passwords are a medium-security scenario -- on the low side of medium. Because by default a stolen listadmin password can do some mischief but not a lot of harm and such harm can be easily fixed and the person in question locked out again.
By default, Mailman variable OWNERS_CAN_DELETE_THEIR_OWN_LISTS is set 'no' in mm_cfg.py. Unless that has been locally changed to 'yes' by the local site administrator, listadmins cannot summarily delete mailing lists from the Web, only using $MAILMAN_HOME/bin/rmlist at the command line.
Short of that deed, there's only minor annoyances that an intruder with the listadmin password is likely to do -- and those are relatively easy to notice and un-do.
Therefore, IMO, extreme caution about the listadmin password and mind-numbingly complex choice of password is not justified by the downside risk of someone guessing or dictionary-attacking the WebUI credential. (Honestly, nobody dictionary-attacks that, because it's not worth the trouble and immense amounts of time required.)
> And my first order of business with that will be to get fresh copies of the roster lists!
Tools to script this from the Web side: https://wiki.list.org/DOC/How%20do%20I%20extract%20%28export%29%20a%20list%2...
> And thanks too to Michael Hubbard for getting the password reset and carrying BALUG on his DreamHost.com account.
Any chance Michael should be the third possessor of the listadmin password? It's a small thing, but I think two possessors is a little thin in much the same way that two authoritative nameservers for a domain is a little SPoF-leaning.
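An added sketch of the drop-file handoff used above (not part of the original messages): it refuses to write unless the target is a regular, non-symlink file with mode 600 owned by the intended recipient, and optionally encrypts to a key given by full fingerprint. The function names are hypothetical, GNU `stat` is assumed, and the recipient's public key is assumed to be already imported and verified out of band.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# check_drop_file PATH OWNER
# Succeeds only for a regular file (not a symlink) owned by OWNER, mode 600.
check_drop_file() {
    path=$1 owner=$2
    [ ! -L "$path" ] || { echo "refusing symlink: $path" >&2; return 1; }
    [ -f "$path" ]   || { echo "not a regular file: $path" >&2; return 1; }
    # GNU stat: %a = octal permission bits, %U = owner user name
    set -- $(stat -c '%a %U' "$path")
    [ "$1" = 600 ]      || { echo "mode is $1, want 600" >&2; return 1; }
    [ "$2" = "$owner" ] || { echo "owner is $2, want $owner" >&2; return 1; }
}

# deposit_secret PATH OWNER [FINGERPRINT]
# Reads the secret from stdin, so it never appears in argv or `ps` output.
# Writes into the existing file (keeping its owner and mode) instead of
# creating a new one. With FINGERPRINT, encrypts to that key first; the full
# fingerprint is used rather than a short key ID such as 430AF5E7, because
# 32-bit key IDs can collide.
deposit_secret() {
    check_drop_file "$1" "$2" || return 1
    target=$1
    if [ -n "${3:-}" ]; then
        # Accept the fingerprint as gpg prints it, with or without spaces.
        fpr=$(printf '%s' "$3" | tr -d ' ')
        gpg --batch --armor --encrypt --recipient "$fpr" > "$target"
    else
        cat > "$target"
    fi
}

# Usage, with the path and first fingerprint quoted in the thread:
#   deposit_secret /home/mpaoli/.auth.info mpaoli \
#       '1064 5351 F62D 42C3 89A2 99A9 AACC AC21 430A F5E7' < secret.txt
```

The check and the write are separate steps, so this guards against a mistaken or stale target rather than against a local user racing to swap the file.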
Well, got the password fine, works fine on the talk and admin lists but ... alas, not on the announce list. If you still have a "logged in" (cookie authorized) web session on the announce list, might want to try that first, and see if you can set password to what we're expecting it to be. If not [8-O] your guess is probably better than mine - I tried the new one several times, the old one, some slight variations of the new one, but none worked for me on the announce list.
Anyway, let me know if you're able to get that to what we expect it to be on the announce list - and verified working as expected ... does work fine on the other two - thanks! :-) And, yes, now have the rosters freshly backed up for 2 of the 3 lists.
From: "Rick Moen" rick@linuxmafia.com Subject: Re: [BALUG-Admin] (forw) Your new balug-admin-balug.org list password Date: Wed, 29 Mar 2017 11:59:07 -0700
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> Well, got the password fine, works fine on the talk and admin lists but ... alas, not on the announce list.
Fixed. I had hit the 'Submit Your Changes' button, I swear, but probably didn't absolutely verify that I got a page reload, and on present evidence I did _not_ get a page reload, as the temporary password set by DreamHost Support was still accepted.
This time, I did verify page reload.
No thoughts / candidates for a third listadmin?
Thanks, verified, etc., and roster for all 3 lists now backed up.
3rd list admin? I could peek at my notes ... seems earlier time we changed password we shared it among 3? - but I may be mis-remembering. It was 2 or 3, anyway.
Can put out call for volunteers! :-) ... but I suspect we may hear crickets.
And yes, I think 3 is about ideal, ... but since, at least theoretically, this is only shortish-term remaining on DreamHost, I tend to think two is "okay" for now ... I'm more interested in working on getting it off of DreamHost - and as smoothly as feasible - in reasonable timeframe ... than spending cycles "recruiting" a 3rd list admin ... but if one jumps up and volunteers. :-)
I'll also update list stats around 2017-04-01 - now that I have access to rosters again. (I think I've also omitted SF-LUG list stats for a while now - I used to process and put out both right around the same time, and generally about monthly). Anyway, now have access to the BALUG data again ... and have had the SF-LUG data all along (and the SF-LUG stuff is automagically backed up daily). I typically do offsite backup rotations about monthly - typically around the 1st of the month. Additional backups, "of course", may also occur more frequently.
From: "Rick Moen" rick@linuxmafia.com Subject: Re: [BALUG-Admin] 2 out of 3? 8-O Re: (forw) Your new balug-admin-balug.org list password Date: Wed, 29 Mar 2017 22:07:02 -0700
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> Thanks, verified, etc., and roster for all 3 lists now backed up.
Coolness.
> Anyway, now have access to the BALUG data again
Except the archive.
It's a bummer that Dreamworks's Mailman setup doesn't give public access to the cumulative mbox file. As you know, _often_ the mbox URL can be reconstructed from the public archive URL using a .mbox extension. Example:
http://linuxmafia.com/pipermail/sf-lug/ <- archives URL
http://linuxmafia.com/pipermail/sf-lug.mbox/sf-lug.mbox <- cumulative mbox
However, Dreamhost has configured its setup in such a way as to sabotage that function, so I guess at the time of cutover, someone will need to file a trouble ticket asking Dreamhost's NOC to furnish the mbox manually.
> 3rd list admin? I could peek at my notes ... seems earlier time we changed password we shared it among 3? - but I may be mis-remembering. It was 2 or 3, anyway.
The main thing to stress is that there should be a third person who _knows_ the listadmin password on behalf of BALUG, in case, e.g., you and I get run over by the same bus. It needn't be someone willing and able to do administration.
Speaking of, feel invited to add yourself to the roster of 'list administrator email addresses' (General Options) on balug-talk, balug-announce, and balug-talk. Currently, only I get administrative notices.
On 30/03/17 00:44, Rick Moen wrote:
> Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
>> 3rd list admin? I could peek at my notes ... seems earlier time we changed password we shared it among 3? - but I may be mis-remembering. It was 2 or 3, anyway.
> The main thing to stress is that there should be a third person who _knows_ the listadmin password on behalf of BALUG, in case, e.g., you and I get run over by the same bus. It needn't be someone willing and able to do administration.
Well, I stayed silent because I'm moving and distracted by several other projects. But if you just need a human piece of paper, I'll step up.