>>>>> "d" == dino <[EMAIL PROTECTED]> writes:
d> I was just wondering what kind of security mailman offers, as
d> far as protecting user passwords goes?

User passwords are considered a lower value asset, so while it should not be possible for unauthorized users or list admins to get them, they can still be transmitted in the clear (either via the monthly reminders -- which can be turned off, or by unprotected http login).

To support the monthly reminders, user passwords are kept in the database in cleartext. Anyone with shell access and permissions to the Mailman installation can get them.

d> A techy friend of mine has just kindly emailed me a list of all
d> users and their passwords! Looking at my server logs it would
d> appear that he snuck in somehow via anonymous ftp.

This must have been a local system vulnerability. Mailman doesn't use ftp, anonymous or otherwise.

d> Would closing the anon. ftp service stop mailman working in
d> any way, or dya reckon he got in some place else?

On your system, sure, if that's how he got in. But this isn't an attack inherent to Mailman, AFAIK.

-Barry