Re: [Mailman-Users] sharing administrator passwords
On May 26, 2008, at 1:59 AM, Laura Creighton wrote:

> So what people _want_ is a way to log in with a password and then
> have mailman recognise them and make it possible for them to
> administer all the lists they run.

I agree. And I look forward to something like this in Mailman 3, but for the time being I am going to preach:

Rant

Every system administrator or knowledgeable person should be trying to persuade people to use good password management systems so that they don't have to remember most passwords.

For Windows, I recommend Password Safe and for OS X, I recommend 1Password. Users of other systems are probably already using password management systems. pwsafe will maintain compatible databases with Password Safe.

So, I would take the current poor situation with mailman's failure to distinguish between authorization and authentication as an opportunity to educate people about password management systems.

/Rant

Cheers,

-j

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
Re: [Mailman-Users] sharing administrator passwords
On 5/28/2008, Brad Knowles ([EMAIL PROTECTED]) wrote:

> From /usr/local/mailman/Mailman/Defaults.py:
>
> # Normally when a site administrator authenticates to a web page with the site
> # password, they get a cookie which authorizes them as the list admin.  It
> # makes me nervous to hand out site auth cookies because if this cookie is
> # cracked or intercepted, the intruder will have access to every list on the
> # site.  OTOH, it's dang handy to not have to re-authenticate to every list on
> # the site.  Set this value to Yes to allow site admin cookies.
> ALLOW_SITE_ADMIN_COOKIES = No

Sorry, guess I should have looked a little closer... but thanks...

I made the change and restarted mailman, and still have to log into each list, so I'm guessing this only applies to new lists? I'll have to run a command to make it apply to existing lists?

--
Best regards,

Charles
Re: [Mailman-Users] sharing administrator passwords
On 5/29/08 6:23 AM, Charles Marcus at [EMAIL PROTECTED] wrote:

> On 5/28/2008, Brad Knowles ([EMAIL PROTECTED]) wrote:
>
>> From /usr/local/mailman/Mailman/Defaults.py:
>>
>> # Normally when a site administrator authenticates to a web page with the site
>> # password, they get a cookie which authorizes them as the list admin.  It
>> # makes me nervous to hand out site auth cookies because if this cookie is
>> # cracked or intercepted, the intruder will have access to every list on the
>> # site.  OTOH, it's dang handy to not have to re-authenticate to every list on
>> # the site.  Set this value to Yes to allow site admin cookies.
>> ALLOW_SITE_ADMIN_COOKIES = No
>
> Sorry, guess I should have looked a little closer... but thanks...
>
> I made the change and restarted mailman, and still have to log into
> each list, so I'm guessing this only applies to new lists? I'll have
> to run a command to make it apply to existing lists?

Is your site password the same as the list admin passwords? My playing around with the feature says the site admin password must be different from the list admin password. Otherwise, it will be authenticated as the list password, not the site password, and you'll need to log into the other lists.

--
Larry Stone
[EMAIL PROTECTED]
http://www.stonejongleux.com/
Re: [Mailman-Users] sharing administrator passwords
On 5/28/08 5:22 AM, Charles Marcus at [EMAIL PROTECTED] wrote:

> On 5/27/2008, Brad Knowles ([EMAIL PROTECTED]) wrote:
>
>> The site admin password can be used to administer any list on the
>> system. If you turn on the appropriate option in the mm_cfg.py file,
>> you can even set it up so that you log into one list with the site
>> admin password and you don't even have to provide a password to log
>> into any of the other lists -- the cookie set by the first password
>> login will be recognized by all the other lists.
>
> Wow, that would come in useful for me... what option is that?

ALLOWS_SITE_ADMIN_COOKIES. Set it to Yes in mm_cfg.py.

From my empirical testing, the site admin password must be different than the list admin password (as a sole administrator for my system, I had them the same). If they're the same, it appears Mailman determines it to be the list password and never gets to the site password test and therefore never sets the site admin cookie.

--
Larry Stone
[EMAIL PROTECTED]
http://www.stonejongleux.com/
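Added example (not part of the thread and not Mailman's code): a simplified Python model of the behaviour described in the messages above and in the quoted Defaults.py comment, where the list admin password is tried before the site password and a site-scoped cookie is honoured only when ALLOW_SITE_ADMIN_COOKIES is on. The class, function and constant names, the cookie format and all password values are hypothetical, constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for the model; not real credentials.
SITE_PASSWORD = "site-secret"
SERVER_KEY = b"constructed-demo-key"
AUTH_LIST_ADMIN, AUTH_SITE_ADMIN = "list-admin", "site-admin"


def _mac(scope):
    return hmac.new(SERVER_KEY, scope.encode(), hashlib.sha256).hexdigest()


class ToyList:
    def __init__(self, name, admin_password):
        self.name = name
        self.admin_password = admin_password

    def authenticate(self, response):
        """Return the first matching context; list admin is tried first."""
        if hmac.compare_digest(response, self.admin_password):
            return AUTH_LIST_ADMIN
        if hmac.compare_digest(response, SITE_PASSWORD):
            return AUTH_SITE_ADMIN
        return None

    def make_cookie(self, context):
        # A list-admin cookie is scoped to one list, a site cookie to all.
        scope = "site" if context == AUTH_SITE_ADMIN else self.name + "+admin"
        return scope, _mac(scope)

    def check_cookie(self, cookie, allow_site_admin_cookies):
        scope, mac = cookie
        if scope == "site":
            ok = allow_site_admin_cookies
        else:
            ok = scope == self.name + "+admin"
        return ok and hmac.compare_digest(mac, _mac(scope))


def login_then_visit(first, other, password, allow_site_admin_cookies):
    """Log in on `first`; report whether `other` accepts the cookie."""
    context = first.authenticate(password)
    if context is None:
        return None, False
    cookie = first.make_cookie(context)
    return context, other.check_cookie(cookie, allow_site_admin_cookies)
```

In this model, a list whose admin password equals the site password resolves the login to the list-admin context, so the cookie is scoped to that one list and the second list still asks for a password.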
Re: [Mailman-Users] sharing administrator passwords
On 5/27/2008, Brad Knowles ([EMAIL PROTECTED]) wrote:

> The site admin password can be used to administer any list on the
> system. If you turn on the appropriate option in the mm_cfg.py file,
> you can even set it up so that you log into one list with the site
> admin password and you don't even have to provide a password to log
> into any of the other lists -- the cookie set by the first password
> login will be recognized by all the other lists.

Wow, that would come in useful for me... what option is that?

--
Best regards,

Charles
Re: [Mailman-Users] sharing administrator passwords
Charles Marcus wrote:

> Wow, that would come in useful for me... what option is that?

From /usr/local/mailman/Mailman/Defaults.py:

# Normally when a site administrator authenticates to a web page with the site
# password, they get a cookie which authorizes them as the list admin.  It
# makes me nervous to hand out site auth cookies because if this cookie is
# cracked or intercepted, the intruder will have access to every list on the
# site.  OTOH, it's dang handy to not have to re-authenticate to every list on
# the site.  Set this value to Yes to allow site admin cookies.
ALLOW_SITE_ADMIN_COOKIES = No

--
Brad Knowles [EMAIL PROTECTED]
Member of the Python.org Postmaster Team
Co-Moderator of the mailman-users and mailman-developers mailing lists
Re: [Mailman-Users] sharing administrator passwords
Laura Creighton wrote:

> Any idea when Mailman 3 is coming?

So far as I know, no official schedule has been announced. There has been an announcement of a pre-alpha version that Mailman developers can take a look at and see what might ultimately arrive, but if you're not a Mailman developer who's hacking on the code then this won't help you.

Keep an eye on the Mailman3 section of the wiki, and look for announcements to the appropriate mailman-* mailing lists.

--
Brad Knowles [EMAIL PROTECTED]
LinkedIn Profile: http://tinyurl.com/y8kpxu
Re: [Mailman-Users] sharing administrator passwords
On May 27, 2008, at 3:31 PM, Brad Knowles wrote:

> So far as I know, no official schedule has been announced. There has
> been an announcement of a pre-alpha version that Mailman developers
> can take a look at and see what might ultimately arrive, but if you're
> not a Mailman developer who's hacking on the code then this won't help
> you.
>
> Keep an eye on the Mailman3 section of the wiki, and look for
> announcements to the appropriate mailman-* mailing lists.

MM 3.0alpha1 was released. I encourage and welcome everyone who wants to help get MM3 closer to reality to check out the code, bang on it, and join mailman-developers.

-Barry