Patrick Bogen wrote:
>On 3/21/07, Jennifer Oxelson <[EMAIL PROTECTED]> wrote:
>> The issue is I can send the 'who' email command with the admin password
>> from /*any*/ email address (not even subscribed) and get the roster...
>> is this right? Wouldn't it be better if the 'who' command only worked
>> for email addresses corresponding to list admins/moderators when the
>> list roster is configured to be only available to these privileged
>> users? (Or am I being overly paranoid?)
>
>Checking the email address would only add a sense of security, not any
>real security. Email addresses are *easily* forged. Trivially forged,
>even.
>
>So, this might actually even be a bad thing, since it will give a
>false sense of security while actually adding none.

Patrick is correct, but the real issue here is that by definition a Mailman list admin or moderator is anyone who knows the respective password. Thus, by providing the password, you have identified yourself as a list admin regardless of your email address (or the address you want the list sent to).

See FAQs <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.060.htp> and <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.027.htp>.

-- 
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
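
The point made in this thread, as an added example that is not part of the original messages and is not Mailman's code: a From-header check and a password check are run over the same constructed requests. The `who <password>` body line is a simplified assumption, and the addresses, password and function names are constructed for illustration.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; not taken from any real list.
LIST_ADMINS = {"owner@example.org"}
ADMIN_PASSWORD = "constructed-admin-secret"


def from_is_admin(msg):
    """Check the From: header against the admin addresses.

    The sender writes this header, so a match proves nothing about
    who actually sent the message.
    """
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() in LIST_ADMINS


def password_is_admin(msg):
    """Check the password supplied with the command (assumed form:
    a body line 'who <password>'), compared in constant time."""
    for line in msg.get_payload().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "who":
            return hmac.compare_digest(parts[1].encode(),
                                       ADMIN_PASSWORD.encode())
    return False


def make(sender, body):
    """Build a constructed request message."""
    raw = f"From: {sender}\nTo: list-request@example.org\n\n{body}\n"
    return message_from_string(raw)


SAMPLES = {
    "admin address, no password": make("owner@example.org", "who"),
    "admin address, wrong password": make("Owner <owner@example.org>", "who guess"),
    "other address, right password": make("someone@example.net",
                                          "who constructed-admin-secret"),
}


def evaluate():
    """Return {case: (from_check, password_check)} for each sample."""
    return {name: (from_is_admin(m), password_is_admin(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_from, by_pw) in evaluate().items():
        print(f"{name:32} from-check={by_from!s:5} password-check={by_pw}")
```

The From check passes for any message that merely names an admin address, while only the password check separates the three cases; layering the From check on top of the password would reject the third case without stopping anyone who holds the password.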
