[PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords

Ricky Zhou ricky at fedoraproject.org
Fri Aug 21 22:10:30 UTC 2009 

On 2009-08-21 05:51:23 PM, Todd Zullinger wrote:
> This should generate a bit stronger passwords than the previous code,
> which encoded the passwords as hex, limiting the characters in the
> password to the set [0-9a-f].
> ---
> 
> The mailman_server class is only included on collab[12] and hosted1,
> so it isn't actually affected by the current freeze policy.  But I
> still wanted to float this by the list for comments and review.
> 
> The current fedora-mailing-list-setup script creates a list password
> using:
> 
>     file('/dev/urandom', 'r').read(4).encode('hex')
> 
> This seems to be a good bit weaker than it needs to be.  Unless
> someone has better alternatives for creating decent list passwords, I
> suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
> from mailman.  The Secure_MakeRandomPassword() code is in:
> 
>     /usr/lib/mailman/Mailman/Utils.py
> 
>  configs/mailman/fedora-mailing-list-setup       |    2 +-
>  modules/mailman/files/fedora-mailing-list-setup |    2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup
> index 8ccdda7..80b2c58 100755
> --- a/configs/mailman/fedora-mailing-list-setup
> +++ b/configs/mailman/fedora-mailing-list-setup
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
>      host_name = mm_cfg.DEFAULT_EMAIL_HOST
>      web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
>  
> -    listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
> +    listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
>      
>      mlist = MailList.MailList()
>      try:
> diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup
> index 7d5dcd3..bf10b81 100755
> --- a/modules/mailman/files/fedora-mailing-list-setup
> +++ b/modules/mailman/files/fedora-mailing-list-setup
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
>      host_name = mm_cfg.DEFAULT_EMAIL_HOST
>      web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
>  
> -    listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
> +    listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
>  
>      mlist = MailList.MailList()
>      try:
> -- 
> 1.6.4
+1

Thanks,
Ricky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20090821/2f0e172c/attachment.sig>

More information about the Fedora-infrastructure-list mailing list