Philip Colmer writes:
On Fri, 19 Nov 2021 at 09:13, Stephen J. Turnbull <stephenjturnbull@gmail.com> wrote:
It probably wouldn't be hard to write a bare-bones workalike if the admin has shell access to the mailman host.
I was hoping that I could write an alternative using the REST API, but I'd overlooked the fact that there is a single username and password protecting the API.
Correct. That's why I suggested ssh's command= parameter in authorized_keys.
Unfortunately, even trying to solve this via shell access would have a similar problem because I can't see how one person running the command can be restricted to just the lists they administer.
You could create a system user per list admin, make authorized_keys for each user owned by somebody else (root or list or domain_admin, maybe?), and put command=list_admin.py as an option. Alternatively, it must be possible to determine which public key was authorized (sorry, not that familiar with sshd), and register that with list_admin.py, which would live in a single list_admin account. Either way, list_admin.py would manage authz permissions based on the authn data, including access to lists and which REST (or mailmanclient) APIs are allowed.
This stuff is not easy to do really well, but if you are mostly worried about accidental damage or kids-will-be-kids mischief rather than actively malicious admins, could be good enough.
Oh well ... maybe something for the project to consider as an improvement in the future, particularly for the REST API.
There's a project called "lemme" which is a proof-of-concept program to put some authn/authz in front of the REST API. I was never involved, so I don't know if it got any farther than a PoC. It was a few years ago.
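
The forced-command approach discussed in this thread, sketched as an added example; it is not code from the thread or from the Mailman project. The script body, the admin ids, the list addresses and the three operation names are assumptions made for illustration; `command=`, `restrict` and `SSH_ORIGINAL_COMMAND` are standard OpenSSH features.

```python
#!/usr/bin/env python3
"""Hypothetical list_admin.py, run by sshd as a forced command. Example entry in
an authorized_keys file that the list admin cannot edit (key is a placeholder):
command="/usr/local/bin/list_admin.py alice",restrict ssh-ed25519 <PUBLIC-KEY> alice
"""
import os
import re
import shlex
import sys

# Constructed policy: admin id (from the command= argument) -> lists they manage.
ADMIN_LISTS = {
    "alice": {"announce@example.org", "dev@example.org"},
    "bob": {"users@example.org"},
}
# Operations the wrapper will perform; anything else is refused.
ALLOWED_OPS = {"members", "add-member", "del-member"}
ADDR_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")

def authorize(admin, original_command):
    """Return (op, list_id, args) if permitted, else raise PermissionError."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError as exc:
        raise PermissionError(f"unparsable request: {exc}")
    if len(argv) < 2:
        raise PermissionError("usage: <op> <list> [address ...]")
    op, list_id, args = argv[0], argv[1], argv[2:]
    if op not in ALLOWED_OPS:
        raise PermissionError(f"operation not allowed: {op!r}")
    if list_id not in ADMIN_LISTS.get(admin, set()):
        raise PermissionError(f"{admin!r} does not administer {list_id!r}")
    if not all(ADDR_RE.fullmatch(a) for a in args):
        raise PermissionError("arguments must be email addresses")
    return op, list_id, args

def main():
    # sshd ignores the command the client asked for and runs this script;
    # the client's request is only available as SSH_ORIGINAL_COMMAND.
    admin = sys.argv[1] if len(sys.argv) > 1 else ""
    try:
        request = authorize(admin, os.environ.get("SSH_ORIGINAL_COMMAND"))
    except PermissionError as exc:
        print(f"denied: {exc}", file=sys.stderr)
        return 1
    # A real wrapper would now call the REST API with the site credentials,
    # which stay on the server and are never shown to the list admin.
    print("authorized:", request)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

The request is parsed with `shlex.split` and never handed to a shell, so the only thing a key holder can reach is the allowlisted operation on a list mapped to their id.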