On 14 Oct 1997, Jason L Tibbitts III wrote:
> I keep seeing comments to the effect that the which command is dangerous
> and that it compromises security and I'm wondering what I should do about
Here's my take on it.
1) There *must* be some routine that lets a user check to see what lists
they're on, or to see if they might be under another variation of their
address (jdoe@mail.example.com as opposed to jdoe@example.com).
2) It is a security violation to the effect that it compromises the
subscription list. BUT there are solutions to this:
a) Maximum results per command -- it's already in majordomo and
while it may have bugs (I don't know if they were taken out or not),
does its job fairly well
b) Turn 'which' off -- again, already in majordomo
c) Limit 'which' to subscribers -- it's in there, but it's tricky.
What if somebody is using a variation, then how will the check work?
Really, it shouldn't if they're listed as something other than what
they're subscribed as.
d) Limit searches to part of the user's own address -- in other
words, I could only search for 'brozen' or 'torah.org' and nothing else.
Even the latter may be too much, but should be an option.
Of course, a global password should be able to override all of this.
> *) Loop only over the lists that are advertised.
Not at all -- what if I'm on a hidden list? I certainly should have the
right to know what lists I'm on! Of course, if I'm not on the hidden list,
no mention of the search on it should be made in the results.
> Does this go far enough? Does this go too far and limit the usefulness of
> the command? (I'm worried about limiting it to only advertised lists.)
Yes, I think it does go too far. I think, without a doubt, a user should
be able to find what lists they're on if they enter their correct e-mail
address into the which command -- regardless of mj owner or list owner
settings.
But I am also of the opinion that if you don't fully remember the address
you originally put in, then we can start "penalizing" you for not saving
the subscription confirmations.
> Does anyone ever use the command on your server anyway? (My server gets a
Yes, a lot. Many are legitimate and I haven't had any widespread reports
of abuse. Even a 'which a' would only give about 30 results on our server,
because of the max which results. I know, they could do 'which ab', 'which
ac', etc etc.
If we wanted to really take care of the problem, we could limit the
results returned to a user in 24 hours and if they go over, notify mj
owner. Of course, they could just use another address. What if we just
quietly sent the request to the mj owner for approval w/o notifying the
user?
As I said, the mj owner should be able to restrict it if it isn't asking
for a fully qualified e-mail address.
> pretty good amount of legitimate which action, so I wouldn't want to take
> it away.) Is there anything else I can do to restrict 'bad' uses like
> sending 'which a' through 'which z'? Perhaps restrict the match to three
> characters or more (more for the regex match)?
You might want to make the minimum number of characters an option. I think
what you've mentioned is good, but only in certain circumstances.
-----------------------------------------------------------------
| Brock Rozen | brozen@torah.org | http://www.torah.org/~brozen |
-----------------------------------------------------------------
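A small model of the restrictions discussed in this thread (maximum results per command, a minimum pattern length, letting a plain user search only for part of their own address, not mentioning hidden lists the requester is not on, a 24-hour result budget that hands the request to the owner instead of refusing it, and a global-password override). This is an added example in Python, not Majordomo's own Perl code; the list data, password and limits are constructed placeholders.

```python
import time

# Constructed sample data (not a real server): list name -> (hidden?, members)
LISTS = {
    "announce": (False, {"jdoe@example.com", "brozen@torah.org"}),
    "staff":    (True,  {"brozen@torah.org", "alice@example.org"}),
    "dev":      (False, {"jdoe@mail.example.com"}),
}

MIN_CHARS = 3          # minimum pattern length (the option suggested above)
MAX_RESULTS = 30       # a) maximum results per command
DAILY_CAP = 100        # results a requester may receive within 24 hours
GLOBAL_PASSWORD = "constructed-secret"   # placeholder, not a real config value
DAY = 24 * 3600

USAGE = {}   # requester -> list of (timestamp, number of results returned)

def results_last_day(requester, now):
    """Sum of results already returned to this requester in the past 24 hours."""
    recent = [(t, n) for t, n in USAGE.get(requester, []) if now - t < DAY]
    USAGE[requester] = recent
    return sum(n for _, n in recent)

def which(requester, pattern, password=None, now=None):
    """Restricted 'which': returns (status, [(list, address), ...])."""
    now = time.time() if now is None else now
    requester = requester.lower()
    pattern = pattern.lower()
    privileged = password is not None and password == GLOBAL_PASSWORD
    if not privileged:
        if len(pattern) < MIN_CHARS:
            return "rejected: pattern too short", []
        # d) a plain user may only search for part of their own address
        if pattern not in requester:
            return "rejected: pattern must be part of your own address", []
        if results_last_day(requester, now) >= DAILY_CAP:
            # over budget: quietly pass the request to the owner for approval
            return "held for owner approval", []
    results = []
    for name, (hidden, members) in LISTS.items():
        # a hidden list is never mentioned unless the requester is on it
        if hidden and not privileged and requester not in members:
            continue
        results += [(name, a) for a in sorted(members) if pattern in a.lower()]
    results = results[:MAX_RESULTS]
    if not privileged:
        USAGE.setdefault(requester, []).append((now, len(results)))
    return "ok", results
```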