[BALUG-Admin] (forw) Your new balug-admin-balug.org list password
Wed Mar 29 11:59:07 PDT 2017
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> Might be a bit late/early for calling now 8-O
> But maybe I didn't miss the mark by *too* much ;-)
> Rick, if you wish, you could alternatively drop the
> password in this file:
> $ hostname; ls -ld ~/.auth.info
> -rw------- 1 mpaoli mpaoli 0 Mar 29 04:05 /home/mpaoli/.auth.info
Done! Good idea.
IMO, Mailman listadmin passwords are a medium-security scenario -- on the
low side of medium. Because by default a stolen listadmin password can
do some mischief but not a lot of harm and such harm can be easily fixed
and the person in question locked out again.
By default, Mailman variable OWNERS_CAN_DELETE_THEIR_OWN_LISTS is set 'no'
in mm_cfg.py. Unless that has been locally changed to 'yes' by the
local site administrator, listadmins cannot summarily delete mailing
lists from the Web, only using $MAILMAN_HOME/bin/rmlist at the command
Short of that deed, there's only minor annoyances that an intruder with
the listadmin password is likely to do -- and those are relatively easy
to notice and un-do.
Therefore, IMO, extreme caution about the listadmin password and
mind-numbingly complex choice of password is not justified by the
downside risk of someone guessing or dictionary-attacking the WebUI
credential. (Honestly, nobody dictionary-attacks that, because it's not
worth the trouble and immense amounts of time required.
> And my first order of business with that will be to get fresh copies of
> the roster lists!
Tools to script this from the Web side:
> And thanks too to Michael Hubbard for getting the password reset
> and carrying BALUG on his DreamHost.com account.
Any chance Michael should be the third possessor of the listadmin
password? It's a small thing, but I think two possessors is a little
thin in much the same way that two authoritative nameservers for a
domain is a little SPoF-leaning.
More information about the BALUG-Admin