Great Circle Associates Majordomo-Workers
(October 1997)
 


Subject: Re: Is 'wh*ch' useful?
From: Norbert Bollow <nb @ pobox . com>
Date: Wed, 15 Oct 1997 11:34:30 +0200
To: tibbs @ hpc . uh . edu
Cc: majordomo-workers @ GreatCircle . COM
In-reply-to: <ufayb3w8ag7.fsf@sina.hpc.uh.edu> (message from Jason L Tibbitts III on 14 Oct 1997 13:29:44 -0500)

> NB> 1. 'which' displays matches for lists which are nonadvertised or
> NB> SENSITIVE if and only if the which request comes from the e-mail
> NB> interface and the matched e-mail address is equal to the e-mail address
> NB> of the requestor.
> 
> No extra security at all; I can trivially forge my address.  I suppose
> there is some additional security with the email interface only, since you
> won't see the results unless you give a proper address.  The other
> interfaces have no such restriction.

I disagree. I'm thinking of lists which are support groups; for example
consider a list 'howtogetoutofdebt', and suppose that I'm subscribed to that
list with one of the zillions of e-mail addresses which all forward to my
mailbox, I can't remember which, and also I don't want anyone to know that 
I'm in debt or that I'm subscribed to the 'howtogetoutofdebt' list.

It should be possible without list-owner intervention to find out by which
address I am subscribed, but nobody who doesn't have list-owner privileges
for the 'howtogetoutofdebt' list should be allowed to find out whether I'm
subscribed to that list or not. 

The suggestion above allows *me* (and only me) to find out by which address
I'm subscribed, without allowing anyone else to get at that sensitive
information (unless they can snoop on my mail, in which case they know to
which lists I subscribe anyway.)

> NB> or b) the requestor has list-owner privileges for this nonadvertised
> NB> list.
> 
> Permissions are not bound to addresses, they are bound to passwords, so
> you're saying that the password overrides the restriction?  No, the only
> permissions that 'which' looks at are global permissions, because it is a
> global action.

I was thinking of a list-server with MANY lists, and I'm list-owner for say
twenty lists. I'd like to be able to find out to which of my lists
a certain address is subscribed. I don't care whether I get full or partial
or no information about the lists which are not mine, but I'd like to get
full information for my lists even if some of them are non-advertised. Of
course this action must require a password. I have hacked this into 1.94.nb
so that 'approve PASSWORD which PATTERN' approves the 'which' in the sense
of overriding settings of 'which_access=closed' on all lists for which the
password is valid.

> This seems needlessly complicated.  I still can't figure out all of the
> semantics you're trying to define here.

Show me a less complicated approach that still offers all of the essential
functionality :-)

> NB> If there were matches which Majordomo does not show for security
> NB> reasons, it should output something like:
> 
> No, that gives out sensitive information.  If there are things that are
> hidden, you want them to remain hidden and not spray things like "hack
> harder; there are still things that you can't see" all over the place.

Good point. It'll be much better to ALWAYS print something like "Due to
reasons of security and privacy protection, 'which' commands will not always
reveal all available information. Here is how you can reliably find out
to which lists you are subscribed with each of your e-mail addresses: ...."

- Norbert.
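
The visibility rules discussed in this message, as an added Python illustration (not Majordomo code and not part of the original post): hidden lists are shown only for the requester's own address on the e-mail interface or with a valid list-owner password, and the same notice is always returned. The `MailingList` fields, the `which()` signature and the sample data are hypothetical, and the e-mail reply is assumed to be delivered to the requester address.

```python
import hmac
from dataclasses import dataclass

# Fixed text sent with every reply, so the output never signals hidden matches.
NOTICE = ("Due to reasons of security and privacy protection, 'which' "
          "commands will not always reveal all available information.")

@dataclass
class MailingList:
    name: str
    subscribers: frozenset
    hidden: bool = False       # nonadvertised, or which_access=closed
    owner_password: str = ""   # hypothetical per-list owner password

def _owner_ok(ml, password):
    # An unset list password never matches; comparison is constant-time.
    if not ml.owner_password or password is None:
        return False
    return hmac.compare_digest(password.encode(), ml.owner_password.encode())

def which(lists, pattern, requester, interface, password=None):
    """Return (matches, notice). The reply is assumed to be mailed to
    `requester` when interface == "email", which is why a forged From
    address gains nothing on that interface."""
    needle, me = pattern.lower(), requester.lower()
    matches = []
    for ml in lists:
        owner = _owner_ok(ml, password)
        for addr in sorted(ml.subscribers):
            if needle not in addr.lower():
                continue
            own_address = interface == "email" and addr.lower() == me
            if not ml.hidden or own_address or owner:
                matches.append((ml.name, addr))
    return matches, NOTICE

# Constructed sample data; addresses and password are made up.
LISTS = [
    MailingList("howtogetoutofdebt",
                frozenset({"nb-alias7@example.org", "other@example.org"}),
                hidden=True, owner_password="s3cret-owner"),
    MailingList("gardening", frozenset({"nb-alias7@example.org"})),
]

if __name__ == "__main__":
    for who in ("nb-alias7@example.org", "snoop@example.net"):
        print(who, which(LISTS, "example.org", who, "email"))
```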

