[BALUG-Admin] 2 out of 3? 8-O Re: (forw) Your new balug-admin-balug.org list password

Michael Paoli Michael.Paoli@cal.berkeley.edu
Wed Mar 29 21:07:25 PDT 2017


Well, got the password fine,
works fine on the talk and admin lists but ...
alas, not on the announce list.
If you still have a "logged in" (cookie authorized) web
session on the announce list, might want to try that first,
and see if you can set password to what we're expecting it
to be.  If not [8-O] your guess is probably better than
mine - I tried the new one several times, the old one, some
slight variations of the new one, but none worked for me on
the announce list.

Anyway, let me know if you're able to get that to what we
expect it to be on the announce list - and verified working
as expected ... does work fine on the other two - thanks!  :-)
And, yes, now have the rosters freshly backed up for 2 of the 3
lists.


> From: "Rick Moen" <rick@linuxmafia.com>
> Subject: Re: [BALUG-Admin] (forw) Your new balug-admin-balug.org  
> list password
> Date: Wed, 29 Mar 2017 11:59:07 -0700

> Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
>
>> Rick,
>>
>> Might be a bit late/early for calling now 8-O
>> But maybe I didn't miss the mark by *too* much ;-)
>
> No worries!
>
>> Rick, if you wish, you could alternatively drop the
>> password in this file:
>> $ hostname; ls -ld ~/.auth.info
>> linuxmafia.com
>> -rw------- 1 mpaoli mpaoli 0 Mar 29 04:05 /home/mpaoli/.auth.info
>> $
>
> Done!  Good idea.
>
>
> IMO, Mailman listadmin passwords are a medium-security scenario -- on the
> low side of medium.  Because by default a stolen listadmin password can
> do some mischief but not a lot of harm and such harm can be easily fixed
> and the person in question locked out again.
>
> By default, Mailman variable OWNERS_CAN_DELETE_THEIR_OWN_LISTS is set 'no'
> in mm_cfg.py.  Unless that has been locally changed to 'yes' by the
> local site administrator, listadmins cannot summarily delete mailing
> lists from the Web, only using $MAILMAN_HOME/bin/rmlist at the command
> line.
>
> Short of that deed, there's only minor annoyances that an intruder with
> the listadmin password is likely to do -- and those are relatively easy
> to notice and un-do.
>
> Therefore, IMO, extreme caution about the listadmin password and
> mind-numbingly complex choice of password is not justified by the
> downside risk of someone guessing or dictionary-attacking the WebUI
> credential.  (Honestly, nobody dictionary-attacks that, because it's not
> worth the trouble and immense amounts of time required.)
>
>
>> And my first order of business with that will be to get fresh copies of
>> the roster lists!
>
> Tools to script this from the Web side:
> https://wiki.list.org/DOC/How%20do%20I%20extract%20%28export%29%20a%20list%20of%20my%20list%27s%20members%20%28subscribers%29%3F
>
>> And thanks too to Michael Hubbard for getting the password reset
>> and carrying BALUG on his DreamHost.com account.
>
> Any chance Michael should be the third possessor of the listadmin
> password?  It's a small thing, but I think two possessors is a little
> thin in much the same way that two authoritative nameservers for a
> domain is a little SPoF-leaning.
>
> _______________________________________________
> BALUG-Admin mailing list
> BALUG-Admin@lists.balug.org
> http://lists.balug.org/listinfo.cgi/balug-admin-balug.org
>
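
An added example, not part of the original message or of Mailman itself: one way to check whether a site's mm_cfg.py has switched on the OWNERS_CAN_DELETE_THEIR_OWN_LISTS setting discussed in the quoted reply. It assumes Mailman 2.1's Yes/No/On/Off constant aliases and a shipped default of "no" as the reply states; the sample config text and the function names are constructed for illustration.

```python
import ast

SETTING = "OWNERS_CAN_DELETE_THEIR_OWN_LISTS"
# Boolean aliases as defined by Mailman 2.1's Defaults.py (assumption of this example).
TRUTHY = {"Yes", "yes", "On", "on"}
FALSY = {"No", "no", "Off", "off"}

# Constructed sample mm_cfg.py: a later override silently wins over an earlier one.
SAMPLE_MM_CFG = '''\
from Defaults import *
DEFAULT_URL_HOST = 'lists.example.org'
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = No
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = Yes
'''


def _as_bool(node):
    """Map an assignment's right-hand side to True/False, or None if unclear."""
    if isinstance(node, ast.Name):
        if node.id in TRUTHY:
            return True
        if node.id in FALSY:
            return False
        return None
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int)):
        return bool(node.value)
    return None


def web_delete_enabled(mm_cfg_source, default=False):
    """Return (enabled, reason) for the setting as overridden in mm_cfg.py text."""
    tree = ast.parse(mm_cfg_source)
    result = (default, "not overridden; shipped default applies")
    for stmt in tree.body:  # top-level statements only; the last assignment wins
        if not isinstance(stmt, ast.Assign):
            continue
        for target in stmt.targets:
            if isinstance(target, ast.Name) and target.id == SETTING:
                value = _as_bool(stmt.value)
                if value is None:  # fail closed: treat as enabled until reviewed
                    result = (True, "line %d: unrecognised value, review by hand" % stmt.lineno)
                else:
                    result = (value, "line %d: set explicitly" % stmt.lineno)
    return result


if __name__ == "__main__":
    print(web_delete_enabled(SAMPLE_MM_CFG))
```

The config is parsed rather than imported, so nothing in mm_cfg.py is executed by the check.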
