This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f].
---
The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review.
The current fedora-mailing-list-setup script creates a list password using:
file('/dev/urandom', 'r').read(4).encode('hex')
This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in:
/usr/lib/mailman/Mailman/Utils.py
configs/mailman/fedora-mailing-list-setup | 2 +- modules/mailman/files/fedora-mailing-list-setup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
- listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') + listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList() try: diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
- listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') + listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList() try:
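Review bot: The added line `listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)` in configs/mailman/fedora-mailing-list-setup relies on two names whose setup is not visible in the hunk: `Utils` has to be imported by the script, and `mm_cfg.ADMIN_PASSWORD_LENGTH` has to be defined on the hosts that run it. The context lines only show `mm_cfg` and `MailList` in use, so please confirm the `Utils` import is already at the top of the file, or add it in this patch. It would also help to state in the commit message what length the setting yields, since the removed line always produced 8 hex characters from 4 random bytes and the length is now a configuration value.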
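Review bot: Two copies of fedora-mailing-list-setup are patched by hand here (configs/mailman/ and modules/mailman/files/), and the index lines, 8ccdda7..80b2c58 for the first and 7d5dcd3..bf10b81 for the second, show that the copies do not have identical contents. Please say in the commit message which copy is the one deployed, and consider dropping the other or generating both from a single source, so that later fixes to create_list() cannot land in one copy and miss the other.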
On Fri, 21 Aug 2009, Todd Zullinger wrote:
This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f].
The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review.
The current fedora-mailing-list-setup script creates a list password using:
file('/dev/urandom', 'r').read(4).encode('hex')
This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in:
/usr/lib/mailman/Mailman/Utils.py
configs/mailman/fedora-mailing-list-setup | 2 +- modules/mailman/files/fedora-mailing-list-setup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
- listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList() try:
diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
- listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList() try:
-- 1.6.4
I'm fine with this patch but I can't pretend I know that it's going to work, my mailman foo is pretty weak. But since the revert seems easy enough.
+1
-Mike
Mike McGrath wrote:
I'm fine with this patch but I can't pretend I know that it's going to work, my mailman foo is pretty weak. But since the revert seems easy enough.
+1
Thanks. There are a few hosted requests with lists, so I'll apply it and use those to verify that it works. I might not get to those tonight though, so I'll hold off pushing this until I'm ready to test it, lest it does cause some unforeseen problem and I'm not around to fix it and take my drubbing.
On 2009-08-21 05:51:23 PM, Todd Zullinger wrote:
This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f].
The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review.
The current fedora-mailing-list-setup script creates a list password using:
file('/dev/urandom', 'r').read(4).encode('hex')
This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in:
/usr/lib/mailman/Mailman/Utils.py
configs/mailman/fedora-mailing-list-setup | 2 +- modules/mailman/files/fedora-mailing-list-setup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
- listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList() try:
diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
- listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
mlist = MailList.MailList() try:
-- 1.6.4
+1
Thanks, Ricky
infrastructure@lists.fedoraproject.org
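The strength difference discussed in this thread, worked through as an added example (not code from the patch or from Mailman). `old_style_password` is a Python 3 equivalent of the removed line; `wide_password` and its 62-character alphabet are assumptions standing in for a generator with a larger character set, and do not reproduce `Secure_MakeRandomPassword()`.

```python
import math
import os
import secrets
import string

HEX_ALPHABET = "0123456789abcdef"
# Assumed alphabet for the stand-in generator; not Mailman's own.
WIDE_ALPHABET = string.ascii_letters + string.digits


def old_style_password(nbytes=4):
    """Python 3 equivalent of file('/dev/urandom', 'r').read(4).encode('hex')."""
    return os.urandom(nbytes).hex()


def wide_password(length, alphabet=WIDE_ALPHABET):
    """Stand-in generator: every character drawn uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Shortest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(length=8, target_bits=64):
    """Summarise both schemes at the same length and for the same target."""
    return {
        "hex_bits": entropy_bits(length, len(HEX_ALPHABET)),
        "wide_bits": entropy_bits(length, len(WIDE_ALPHABET)),
        "hex_len_for_target": length_for_bits(target_bits, len(HEX_ALPHABET)),
        "wide_len_for_target": length_for_bits(target_bits, len(WIDE_ALPHABET)),
    }


if __name__ == "__main__":
    print("old style sample:", old_style_password())
    print("wide sample:     ", wide_password(8))
    for key, value in compare().items():
        print(key, value)
```

The 8-character hex password carries exactly the 32 bits read from /dev/urandom; the same length over 62 characters carries about 47.6 bits, so both the alphabet and the configured length matter when judging the replacement.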