[PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
This should generate a bit stronger passwords than the previous code,
which encoded the passwords as hex, limiting the characters in the
password to the set [0-9a-f].
---
The mailman_server class is only included on collab[12] and hosted1,
so it isn't actually affected by the current freeze policy. But I
still wanted to float this by the list for comments and review.
The current fedora-mailing-list-setup script creates a list password
using:
file('/dev/urandom', 'r').read(4).encode('hex')
This seems to be a good bit weaker than it needs to be. Unless
someone has better alternatives for creating decent list passwords, I
suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
from mailman. The Secure_MakeRandomPassword() code is in:
/usr/lib/mailman/Mailman/Utils.py
configs/mailman/fedora-mailing-list-setup |2 +-
modules/mailman/files/fedora-mailing-list-setup |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configs/mailman/fedora-mailing-list-setup
b/configs/mailman/fedora-mailing-list-setup
index 8ccdda7..80b2c58 100755
--- a/configs/mailman/fedora-mailing-list-setup
+++ b/configs/mailman/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
host_name = mm_cfg.DEFAULT_EMAIL_HOST
web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
-listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList()
try:
diff --git a/modules/mailman/files/fedora-mailing-list-setup
b/modules/mailman/files/fedora-mailing-list-setup
index 7d5dcd3..bf10b81 100755
--- a/modules/mailman/files/fedora-mailing-list-setup
+++ b/modules/mailman/files/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
host_name = mm_cfg.DEFAULT_EMAIL_HOST
web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
-listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList()
try:
--
1.6.4
--
ToddOpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
We waste more time by 8:00 in the morning than other companies do all
day.
___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
On Fri, 21 Aug 2009, Todd Zullinger wrote:
This should generate a bit stronger passwords than the previous code,
which encoded the passwords as hex, limiting the characters in the
password to the set [0-9a-f].
---
The mailman_server class is only included on collab[12] and hosted1,
so it isn't actually affected by the current freeze policy. But I
still wanted to float this by the list for comments and review.
The current fedora-mailing-list-setup script creates a list password
using:
file('/dev/urandom', 'r').read(4).encode('hex')
This seems to be a good bit weaker than it needs to be. Unless
someone has better alternatives for creating decent list passwords, I
suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
from mailman. The Secure_MakeRandomPassword() code is in:
/usr/lib/mailman/Mailman/Utils.py
configs/mailman/fedora-mailing-list-setup |2 +-
modules/mailman/files/fedora-mailing-list-setup |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configs/mailman/fedora-mailing-list-setup
b/configs/mailman/fedora-mailing-list-setup
index 8ccdda7..80b2c58 100755
--- a/configs/mailman/fedora-mailing-list-setup
+++ b/configs/mailman/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
host_name = mm_cfg.DEFAULT_EMAIL_HOST
web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
-listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+listpasswd =
Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList()
try:
diff --git a/modules/mailman/files/fedora-mailing-list-setup
b/modules/mailman/files/fedora-mailing-list-setup
index 7d5dcd3..bf10b81 100755
--- a/modules/mailman/files/fedora-mailing-list-setup
+++ b/modules/mailman/files/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
host_name = mm_cfg.DEFAULT_EMAIL_HOST
web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
-listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+listpasswd =
Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList()
try:
--
1.6.4
I'm fine with this patch but I can't pretend I know that it's going to
work, my mailman foo is pretty weak. But since the revert seems easy
enough.
+1
-Mike
___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
Mike McGrath wrote: I'm fine with this patch but I can't pretend I know that it's going to work, my mailman foo is pretty weak. But since the revert seems easy enough. +1 Thanks. There are a few hosted requests with lists, so I'll apply it and use those to verify that it works. I might not get to those tonight though, so I'll hold off pushing this until I'm ready to test it, lest it does cause some unforeseen problem and I'm not around to fix it and take my drubbing. -- ToddOpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Nothing is so permanent as a temporary government program. -- Dr. Milton Friedman, Nobel-Prize-winning economist. pgpTqsF2Yt4nb.pgp Description: PGP signature ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
On 2009-08-21 05:51:23 PM, Todd Zullinger wrote:
This should generate a bit stronger passwords than the previous code,
which encoded the passwords as hex, limiting the characters in the
password to the set [0-9a-f].
---
The mailman_server class is only included on collab[12] and hosted1,
so it isn't actually affected by the current freeze policy. But I
still wanted to float this by the list for comments and review.
The current fedora-mailing-list-setup script creates a list password
using:
file('/dev/urandom', 'r').read(4).encode('hex')
This seems to be a good bit weaker than it needs to be. Unless
someone has better alternatives for creating decent list passwords, I
suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
from mailman. The Secure_MakeRandomPassword() code is in:
/usr/lib/mailman/Mailman/Utils.py
configs/mailman/fedora-mailing-list-setup |2 +-
modules/mailman/files/fedora-mailing-list-setup |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configs/mailman/fedora-mailing-list-setup
b/configs/mailman/fedora-mailing-list-setup
index 8ccdda7..80b2c58 100755
--- a/configs/mailman/fedora-mailing-list-setup
+++ b/configs/mailman/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
host_name = mm_cfg.DEFAULT_EMAIL_HOST
web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
-listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+listpasswd =
Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList()
try:
diff --git a/modules/mailman/files/fedora-mailing-list-setup
b/modules/mailman/files/fedora-mailing-list-setup
index 7d5dcd3..bf10b81 100755
--- a/modules/mailman/files/fedora-mailing-list-setup
+++ b/modules/mailman/files/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
host_name = mm_cfg.DEFAULT_EMAIL_HOST
web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
-listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+listpasswd =
Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList()
try:
--
1.6.4
+1
Thanks,
Ricky
pgp13HptWUkPs.pgp
Description: PGP signature
___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
