[BALUG-Admin] (forw) Your new balug-admin-balug.org list password

Rick Moen rick@linuxmafia.com
Wed Mar 29 11:59:07 PDT 2017


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> Rick,
> 
> Might be a bit late/early for calling now 8-O
> But maybe I didn't miss the mark by *too* much ;-)

No worries!

> Rick, if you wish, you could alternatively drop the
> password in this file:
> $ hostname; ls -ld ~/.auth.info
> linuxmafia.com
> -rw------- 1 mpaoli mpaoli 0 Mar 29 04:05 /home/mpaoli/.auth.info
> $

Done!  Good idea.


IMO, Mailman listadmin passwords are a medium-security scenario -- on the
low side of medium.  Because by default a stolen listadmin password can
do some mischief but not a lot of harm and such harm can be easily fixed
and the person in question locked out again.

By default, Mailman variable OWNERS_CAN_DELETE_THEIR_OWN_LISTS is set 'no'
in mm_cfg.py.  Unless that has been locally changed to 'yes' by the
local site administrator, listadmins cannot summarily delete mailing
lists from the Web, only using $MAILMAN_HOME/bin/rmlist at the command
line.

Short of that deed, there's only minor annoyances that an intruder with
the listadmin password is likely to do -- and those are relatively easy
to notice and un-do.

Therefore, IMO, extreme caution about the listadmin password and
mind-numbingly complex choice of password is not justified by the
downside risk of someone guessing or dictionary-attacking the WebUI
credential.  (Honestly, nobody dictionary-attacks that, because it's not
worth the trouble and immense amounts of time required.)


> And my first order of business with that will be to get fresh copies of
> the roster lists!

Tools to script this from the Web side:
https://wiki.list.org/DOC/How%20do%20I%20extract%20%28export%29%20a%20list%20of%20my%20list%27s%20members%20%28subscribers%29%3F

> And thanks too to Michael Hubbard for getting the password reset
> and carrying BALUG on his DreamHost.com account.

Any chance Michael should be the third possessor of the listadmin
password?  It's a small thing, but I think two possessors is a little
thin in much the same way that two authoritative nameservers for a
domain is a little SPoF-leaning.
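An added audit example, not code from this thread or from Mailman itself, covering the two points above: whether a site's mm_cfg.py has flipped OWNERS_CAN_DELETE_THEIR_OWN_LISTS to Yes, and whether a credential drop file like ~/.auth.info is private to its owner. The config is parsed with `ast` rather than imported, the sample mm_cfg.py is constructed, and the function names are my own.

```python
"""Audit helpers for two Mailman 2 listadmin hygiene points (added example)."""
import ast
import os
import stat

# Mailman's Defaults.py aliases: Yes/yes/On/on -> true, No/no/Off/off -> false.
_TRUTHY = {"Yes", "yes", "On", "on"}
_FALSY = {"No", "no", "Off", "off"}
_VAR = "OWNERS_CAN_DELETE_THEIR_OWN_LISTS"

# Constructed sample, not any real site's config; the later assignment wins.
SAMPLE_MM_CFG = """from Defaults import *
MTA = 'Postfix'
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = No
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = Yes   # a local override like this is the risk
"""


def owners_can_delete_lists(mm_cfg_source, default=False):
    """Effective value of OWNERS_CAN_DELETE_THEIR_OWN_LISTS in mm_cfg.py source.

    Parsed, never executed, so an untrusted or broken config cannot run code
    during the audit. Last assignment wins, as it would on import. Unset means
    Mailman's shipped default (No), which `default` may override."""
    value = default
    for node in ast.parse(mm_cfg_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == _VAR for t in node.targets):
            continue
        rhs = node.value
        if isinstance(rhs, ast.Name) and rhs.id in _TRUTHY:
            value = True
        elif isinstance(rhs, ast.Name) and rhs.id in _FALSY:
            value = False
        elif isinstance(rhs, ast.Constant):      # True/False/1/0 literals
            value = bool(rhs.value)
        else:
            raise ValueError("unrecognised value for %s" % _VAR)
    return value


def mode_is_private(st_mode, st_uid, my_uid):
    """True for a regular file owned by `my_uid` with no group/other bits set."""
    if not stat.S_ISREG(st_mode) or st_uid != my_uid:
        return False
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def credential_file_is_private(path):
    """Check a real drop file such as ~/.auth.info (expects -rw------- and ownership)."""
    st = os.stat(path)
    return mode_is_private(st.st_mode, st.st_uid, os.getuid())
```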
