On Fri, 21 Aug 2009, Todd Zullinger wrote: > This should generate a bit stronger passwords than the previous code, > which encoded the passwords as hex, limiting the characters in the > password to the set [0-9a-f]. > --- > > The mailman_server class is only included on collab[12] and hosted1, > so it isn't actually affected by the current freeze policy. But I > still wanted to float this by the list for comments and review. > > The current fedora-mailing-list-setup script creates a list password > using: > > file('/dev/urandom', 'r').read(4).encode('hex') > > This seems to be a good bit weaker than it needs to be. Unless > someone has better alternatives for creating decent list passwords, I > suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() > from mailman. The Secure_MakeRandomPassword() code is in: > > /usr/lib/mailman/Mailman/Utils.py > > configs/mailman/fedora-mailing-list-setup | 2 +- > modules/mailman/files/fedora-mailing-list-setup | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/configs/mailman/fedora-mailing-list-setup > b/configs/mailman/fedora-mailing-list-setup > index 8ccdda7..80b2c58 100755 > --- a/configs/mailman/fedora-mailing-list-setup > +++ b/configs/mailman/fedora-mailing-list-setup > @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): > host_name = mm_cfg.DEFAULT_EMAIL_HOST > web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost > > - listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') > + listpasswd = > Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) > > mlist = MailList.MailList() > try: > diff --git a/modules/mailman/files/fedora-mailing-list-setup > b/modules/mailman/files/fedora-mailing-list-setup > index 7d5dcd3..bf10b81 100755 > --- a/modules/mailman/files/fedora-mailing-list-setup > +++ b/modules/mailman/files/fedora-mailing-list-setup 
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): > host_name = mm_cfg.DEFAULT_EMAIL_HOST > web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost > > - listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') > + listpasswd = > Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) > > mlist = MailList.MailList() > try: > -- > 1.6.4 >
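Review bot: The added `listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)` line in the configs/mailman/fedora-mailing-list-setup hunk depends on two names the hunk does not show being set up, `Utils` and `mm_cfg.ADMIN_PASSWORD_LENGTH`. `mm_cfg` is already used in the context lines, but `Utils` is not, so confirm the script imports it from the Mailman package near the top; otherwise create_list() fails with a NameError at this line. The removed line read 4 random bytes, which is 8 hex characters or 32 bits. The new strength is whatever ADMIN_PASSWORD_LENGTH is configured to, so state the resulting length in the commit message or enforce a minimum here, so that a small site setting cannot yield a weaker password than before.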
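Review bot: The modules/mailman/files/fedora-mailing-list-setup hunk applies the same one-line change by hand to a second copy of the script, and the index lines (8ccdda7..80b2c58 for the configs/mailman copy, 7d5dcd3..bf10b81 for this one) show the two files already differ somewhere outside the hunk. Diff the two copies and either reconcile them or drop the one that is not deployed, so a later fix to password generation cannot land in only one of them.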
I'm fine with this patch, but I can't pretend I know that it's going to work; my mailman foo is pretty weak. But since the revert seems easy enough, +1.

-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list