[PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
Mike McGrath
mmcgrath at redhat.com
Fri Aug 21 21:53:14 UTC 2009
On Fri, 21 Aug 2009, Todd Zullinger wrote:
> This should generate a bit stronger passwords than the previous code,
> which encoded the passwords as hex, limiting the characters in the
> password to the set [0-9a-f].
> ---
>
> The mailman_server class is only included on collab[12] and hosted1,
> so it isn't actually affected by the current freeze policy. But I
> still wanted to float this by the list for comments and review.
>
> The current fedora-mailing-list-setup script creates a list password
> using:
>
> file('/dev/urandom', 'r').read(4).encode('hex')
>
> This seems to be a good bit weaker than it needs to be. Unless
> someone has better alternatives for creating decent list passwords, I
> suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
> from mailman. The Secure_MakeRandomPassword() code is in:
>
> /usr/lib/mailman/Mailman/Utils.py
>
> configs/mailman/fedora-mailing-list-setup | 2 +-
> modules/mailman/files/fedora-mailing-list-setup | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup
> index 8ccdda7..80b2c58 100755
> --- a/configs/mailman/fedora-mailing-list-setup
> +++ b/configs/mailman/fedora-mailing-list-setup
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
> host_name = mm_cfg.DEFAULT_EMAIL_HOST
> web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
>
> - listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
> + listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
>
> mlist = MailList.MailList()
> try:
> diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup
> index 7d5dcd3..bf10b81 100755
> --- a/modules/mailman/files/fedora-mailing-list-setup
> +++ b/modules/mailman/files/fedora-mailing-list-setup
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
> host_name = mm_cfg.DEFAULT_EMAIL_HOST
> web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
>
> - listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
> + listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
>
> mlist = MailList.MailList()
> try:
> --
> 1.6.4
>
I'm fine with this patch but I can't pretend I know that it's going to
work, my mailman foo is pretty weak. But since the revert seems easy
enough.
+1
-Mike
More information about the infrastructure
mailing list