[PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords

Todd Zullinger tmz at pobox.com
Fri Aug 21 21:51:23 UTC 2009


This should generate a bit stronger passwords than the previous code,
which encoded the passwords as hex, limiting the characters in the
password to the set [0-9a-f].
---

The mailman_server class is only included on collab[12] and hosted1,
so it isn't actually affected by the current freeze policy.  But I
still wanted to float this by the list for comments and review.

The current fedora-mailing-list-setup script creates a list password
using:

    file('/dev/urandom', 'r').read(4).encode('hex')

This seems to be a good bit weaker than it needs to be.  Unless
someone has better alternatives for creating decent list passwords, I
suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
from mailman.  The Secure_MakeRandomPassword() code is in:

    /usr/lib/mailman/Mailman/Utils.py

 configs/mailman/fedora-mailing-list-setup       |    2 +-
 modules/mailman/files/fedora-mailing-list-setup |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup
index 8ccdda7..80b2c58 100755
--- a/configs/mailman/fedora-mailing-list-setup
+++ b/configs/mailman/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
     host_name = mm_cfg.DEFAULT_EMAIL_HOST
     web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
 
-    listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+    listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
     
     mlist = MailList.MailList()
     try:
diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup
index 7d5dcd3..bf10b81 100755
--- a/modules/mailman/files/fedora-mailing-list-setup
+++ b/modules/mailman/files/fedora-mailing-list-setup
@@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
     host_name = mm_cfg.DEFAULT_EMAIL_HOST
     web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
 
-    listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
+    listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
 
     mlist = MailList.MailList()
     try:
-- 
1.6.4



-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We waste more time by 8:00 in the morning than other companies do all
day.




More information about the Fedora-infrastructure-list mailing list