Majordomo-Workers: Re: Is 'wh*ch' useful?

Majordomo-Workers
(October 1997)

Indexed By Thread: [Previous] [Next]

Subject:	*Re: Is 'whch' useful?**
From:	Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date:	14 Oct 1997 13:29:44 -0500
To:	majordomo-workers @ greatcircle . com
In-reply-to:	Norbert Bollow's message of Tue, 14 Oct 1997 10:05:29 +0200
References:	<199710140805.KAA28199@pythagoras>

>>>>> "NB" == Norbert Bollow <nb@pobox.com> writes:

NB> 'Which' is very useful and dangerous at the same time. Regardless of
NB> what you do about the dangers, there should be a convenient way for
NB> list-owners to use 'which' on the set of lists for which they're
NB> allowed to add and remove subscr*bers (regardless of whether the lists
NB> are advertised or not).

I intend to make the 'who' command take a string or regex to match, since
you can do that anyway with grep.  Even list owners cannot override the
global maximum match limit for 'which', because that requires global
permissions.  'which' also has no provision to limit the lists that are
searched.

NB> Something like 'which @aol.com' needs to be disallowed, too.

How?  Prevent matches where '@' is the first character?

NB> 1. 'which' displays matches for lists which are nonadvertised or
NB> SENSITIVE if and only if the which request comes from the e-mail
NB> interface and the matched e-mail address is equal to the e-mail address
NB> of the requestor.

No extra security at all; I can trivially forge my address.  I suppose
there is some additional security with the email interface only, since you
won't see the results unless you give a proper address.  The other
interfaces have no such restriction.

NB> or b) the requestor has list-owner priveleges for this nonadvertised
NB> list.

Permissions are not bound to addresses, they are bound to passwords, so
you're saying that the password overrides the restriction?  No, the only
permissions that 'which' looks at are global permissions, because it is a
global action.

NB> 2. 'which' displays matches for advertised NON-SENSITIVE lists if and
NB> only if it is an exact match ('which nb@pobox.com' should always show
NB> all NON-SENSITIVE advertised lists on which I am subscribed even if I'm
NB> sending the request from another e-mail address and if there's a lot of
NB> subscribers like xxxnb@pobox.com, yyynb@pobox.com, zzznb@pobox.com or
NB> b) the which request does not match more than two addresses on any
NB> single list on this server or c) the requestor has list-owner
NB> priveleges for this advertised list.

This seems needlessly complicated.  I still can't figure out all of the
semantics you're trying to define here.

NB> If there were matches which Majordomo does not show for security
NB> reasons, it should output something like:

No, that gives out sensitive information.  If there are things that are
hidden, you want them to remain hidden and not spray things like "hack
harder; there are still things that you can't see" all over the place.

 - J<

Follow-Ups:

Re: Is 'wh*ch' useful?
From: Norbert Bollow <nb@pobox.com>
Re: Is 'wh*ch' useful?
From: Brock Rozen <brozen@torah.org>

References:

Re: Is 'wh*ch' useful?
From: Norbert Bollow <nb@pobox.com>

Indexed By Date	Previous:	*Re: Is 'whch' useful?** From: Kynn Bartlett <kynn@idyllmtn.com>
Indexed By Date	Next:	*Re: Is 'whch' useful?** From: Chuq Von Rospach <chuqui@plaidworks.com>
Indexed By Thread	Previous:	*Re: Is 'whch' useful?** From: Norbert Bollow <nb@pobox.com>
Indexed By Thread	Next:	*Re: Is 'whch' useful?** From: Brock Rozen <brozen@torah.org>