Great Circle Associates Majordomo-Users
(April 1998)
 


Subject: Re: Q: Majordomo protecting the 'who' command
From: Jeffrey Goldberg <J . Goldberg @ Cranfield . ac . uk>
Organization: Cranfield University Computer Centre
Date: Sun, 5 Apr 1998 09:32:35 +0100 (BST)
To: Stuart Schmukler <schmuklers @ acm . org>
Cc: majordomo-users @ GreatCircle . COM
In-reply-to: <199804031751.MAA16242@mcfeely.concentric.net>
Reply-to: Jeffrey Goldberg <J . Goldberg @ Cranfield . ac . uk>

On Fri, 3 Apr 1998, Stuart Schmukler wrote:

> I maintain a list run on majordomo.  Before I start hacking I'd like to
> find out if there is a patch that password protects the 'who' command?

First, there is a config option  "who_access", if you set that
to closed, then you need the approve or admin password to do a who.

I STRONGLY recommend that you do this for all of your lists.
(See below for an account of what can happen if you don't)

You will also need to set the max_which variable in majordomo.cf (I'm
not certain that that is exactly what it is called, I don't
have immediate access to my majordomo set-up at the moment).  This
will stop people from getting information using

  which .

Finally, in order to stop yourself from forgetting to set who_access
closed for each and every list, I recommend that you modify the majordomo
scripts so that who_access closed is the default.

For majordomo 1.94.3 this is in the file config which contains the
routines for writing and parsing list.config files.  There is a table
which indicates the options for each config variable.  You need to
change the "open" to "closed" in the 4th column if I recall.

It is very important that you do this.  Of the 100 or so lists at
Cranfield.ac.uk about 10 inadvertently had who access open.  On March
10 someone did a who on all of our lists.   A few weeks later we
had three extremely nasty trolls to all of the addresses harvested.
(the troller also hit warwick.ac.uk).

One annoying thing in 1.94.3 (maybe fixed in 1.94.4?) is that failed
who attempts are not logged.  I would like all things that fail due
to access to be logged in an easily parsable way so that I can then
have another script that looks for these things in the logs and mails
to majordomo-owner on a daily basis.

-j

--
Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
 Cranfield Computer Centre      FAX         751 814
 J.Goldberg@Cranfield.ac.uk     http://WWW.Cranfield.ac.uk/public/cc/cc047/
Relativism is the triumph of authority over truth, convention over justice.
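
Added example, not part of the original message and not Majordomo's own code: an audit that walks a lists directory and reports every list whose effective who_access is not closed, including lists that never set it and so inherit the shipped default of open. The list.config syntax handled here ("keyword = value", "#" comments, "keyword << TAG" multi-line values) and the last-setting-wins rule are assumptions, and the sample configs are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed list.config syntax: "keyword = value" lines, "#" comment lines, and
# "keyword << TAG" opening a multi-line value closed by a line holding only TAG.
# Comment lines need no special case: neither pattern can match a leading "#".
ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
HEREDOC = re.compile(r"^\s*[A-Za-z_]+\s*<<\s*(\S+)\s*$")

def who_access(config_text, default="open"):
    """Return the effective who_access value for one list.config file."""
    value, closing_tag = None, None
    for line in config_text.splitlines():
        if closing_tag is not None:            # inside a multi-line value
            if line.strip() == closing_tag:
                closing_tag = None
        elif m := HEREDOC.match(line):
            closing_tag = m.group(1)
        elif (m := ASSIGN.match(line)) and m.group(1).lower() == "who_access":
            value = m.group(2).lower()         # assumption: last setting wins
    return value or default                    # unset or empty: shipped default

def audit(listdir, default="open"):
    """Map list name -> effective who_access for every list not set to closed."""
    exposed = {}
    for cfg in sorted(Path(listdir).glob("*.config")):
        setting = who_access(cfg.read_text(errors="replace"), default)
        if setting != "closed":
            exposed[cfg.stem] = setting
    return exposed

def demo():
    # Constructed sample configs, not taken from any real installation.
    samples = {
        "staff.config": "# staff list\nwho_access = closed\n",
        "announce.config": "who_access  =  open\n",
        "alumni.config": "description = Alumni\n",   # never sets who_access
        "chat.config": "message_footer << END\nwho_access = closed\nEND\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            Path(d, name).write_text(text)
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

Pass `default="closed"` to `audit` once the default in the config table has been changed, so that lists relying on the default stop being reported.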


