[PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f]. --- The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review. The current fedora-mailing-list-setup script creates a list password using: file('/dev/urandom', 'r').read(4).encode('hex') This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in: /usr/lib/mailman/Mailman/Utils.py configs/mailman/fedora-mailing-list-setup |2 +- modules/mailman/files/fedora-mailing-list-setup |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost -listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') +listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup 
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost -listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') +listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: -- 1.6.4 -- ToddOpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ We waste more time by 8:00 in the morning than other companies do all day. ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
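Review bot: In the configs/mailman/fedora-mailing-list-setup hunk, the added `listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)` line depends on a `Utils` name that none of the visible context lines use, so please confirm the script already has `from Mailman import Utils` (the context only shows `mm_cfg` and `MailList` in use); without it create_list() would fail with a NameError when a list is created. The password length also changes from a fixed 8 hex characters to whatever the site sets in mm_cfg.ADMIN_PASSWORD_LENGTH, so the commit message should say what value the affected hosts use. It could also note that the removed line's weakness is mainly the 4 bytes read (32 bits), not only the [0-9a-f] alphabet.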
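Review bot: The modules/mailman/files/fedora-mailing-list-setup hunk repeats the identical one-line change, but the index lines show the two copies do not have the same contents (8ccdda7 versus 7d5dcd3 before the patch), so they have already drifted apart somewhere outside this context. Suggest stating in the commit message which copy is the one deployed to collab[12] and hosted1, and either dropping the other or following up to bring the two back in sync, so that a later fix is not applied to only one of them.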
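The strength comparison made in the message above, worked through as an added example (not part of the original post and not Mailman's code). The 64-symbol alphabet and the length of 10 are assumptions for illustration; the page does not state what Secure_MakeRandomPassword() or ADMIN_PASSWORD_LENGTH produce.

```python
import math
import secrets
import string

# Assumed 64-symbol alphabet, constructed for this example only.
ALPHABET = string.ascii_letters + string.digits + "+/"


def legacy_password():
    """Python 3 equivalent of file('/dev/urandom','r').read(4).encode('hex')."""
    return secrets.token_bytes(4).hex()


def entropy_bits(alphabet_size, length):
    """Bits of entropy when each character is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def random_password(length, alphabet=ALPHABET):
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicates, entropy would be overstated")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def min_length(target_bits, alphabet_size):
    """Shortest password over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    old = legacy_password()
    new = random_password(10)  # 10 is an assumed length
    # 8 hex characters look like a password, but carry only the 4 bytes read.
    print("legacy:", old, "bits:", entropy_bits(16, len(old)))
    print("new:   ", new, "bits:", entropy_bits(len(ALPHABET), len(new)))
    # How long a hex-only password would have to be to match the new one.
    print("hex chars needed for 60 bits:", min_length(60, 16))
```

The hex scheme's limit is the number of bytes read: reading more bytes would raise its strength just as a larger alphabet does, only with a longer string.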
Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
On Fri, 21 Aug 2009, Todd Zullinger wrote: This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f]. --- The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review. The current fedora-mailing-list-setup script creates a list password using: file('/dev/urandom', 'r').read(4).encode('hex') This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in: /usr/lib/mailman/Mailman/Utils.py configs/mailman/fedora-mailing-list-setup |2 +- modules/mailman/files/fedora-mailing-list-setup |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost -listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') +listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup 
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost -listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') +listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: -- 1.6.4

I'm fine with this patch but I can't pretend I know that it's going to work, my mailman foo is pretty weak. But since the revert seems easy enough. +1

-Mike
Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
Mike McGrath wrote:
I'm fine with this patch but I can't pretend I know that it's going to work, my mailman foo is pretty weak. But since the revert seems easy enough. +1

Thanks. There are a few hosted requests with lists, so I'll apply it and use those to verify that it works. I might not get to those tonight though, so I'll hold off pushing this until I'm ready to test it, lest it does cause some unforeseen problem and I'm not around to fix it and take my drubbing.

--
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Nothing is so permanent as a temporary government program.
-- Dr. Milton Friedman, Nobel-Prize-winning economist.
Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
On 2009-08-21 05:51:23 PM, Todd Zullinger wrote: This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f]. --- The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review. The current fedora-mailing-list-setup script creates a list password using: file('/dev/urandom', 'r').read(4).encode('hex') This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in: /usr/lib/mailman/Mailman/Utils.py configs/mailman/fedora-mailing-list-setup |2 +- modules/mailman/files/fedora-mailing-list-setup |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost -listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') +listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup 
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost -listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') +listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: -- 1.6.4

+1

Thanks,
Ricky