Equivalent of listadmin Perl script for Mailman 3?
Hi
We're preparing to migrate about 4 Mailman 2 servers to Mailman 3. In doing so, one of our list administrators has informed us that he uses "listadmin" (Petter Reinholdtsen: listadmin, the quick way to moderate mailman lists - nice free software (skolelinux.org) <http://people.skolelinux.org/pere/blog/listadmin__the_quick_way_to_moderate_mailman_lists___nice_free_software.html> )
Does anyone know if there is an equivalent tool that works with Mailman 3?
Thank you.
Regards
Philip
On 11/16/21 11:48 PM, Philip Colmer wrote:
Hi
We're preparing to migrate about 4 Mailman 2 servers to Mailman 3. In doing so, one of our list administrators has informed us that he uses "listadmin" (Petter Reinholdtsen: listadmin, the quick way to moderate mailman lists - nice free software (skolelinux.org) <http://people.skolelinux.org/pere/blog/listadmin__the_quick_way_to_moderate_mailman_lists___nice_free_software.html> )
Does anyone know if there is an equivalent tool that works with Mailman 3?
I'm not aware of any, but others might be (I wasn't aware of listadmin
before reading this post).
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Philip Colmer writes:
We're preparing to migrate about 4 Mailman 2 servers to Mailman 3. In doing so, one of our list administrators has informed us that he uses "listadmin"
Does anyone know if there is an equivalent tool that works with Mailman 3?
I don't know of one, but perhaps someone does.
It probably wouldn't be hard to write a bare-bones workalike if the admin has shell access to the mailman host. UIn theory, shell access could be restricted to running the tool by using a 'command' option in the sshd authorized_keys file for the user's key. But I'm not competent to judge how secure that could be in principle, and of course if the tool is buggy in certain ways, all bets are off.)
I can't estimate how hard it would be to write one without shell access, as I'm not sure how amenable the Postorius web UI is to scripting.
Steve
On Fri, 19 Nov 2021 at 09:13, Stephen J. Turnbull < stephenjturnbull@gmail.com> wrote:
It probably wouldn't be hard to write a bare-bones workalike if the admin has shell access to the mailman host.
I was hoping that I could write an alternative using the REST API, but I'd overlooked the fact that there is a single username and password protecting the API.
Unfortunately, even trying to solve this via shell access would have a similar problem because I can't see how one person running the command can be restricted to just the lists they administer.
Oh well ... maybe something for the project to consider as an improvement in the future, particularly for the REST API.
Philip
Philip Colmer writes:
On Fri, 19 Nov 2021 at 09:13, Stephen J. Turnbull < stephenjturnbull@gmail.com> wrote:
It probably wouldn't be hard to write a bare-bones workalike if the admin has shell access to the mailman host.
I was hoping that I could write an alternative using the REST API, but I'd overlooked the fact that there is a single username and password protecting the API.
Correct. That's why I suggested ssh's command= parameter in authorized_keys.
Unfortunately, even trying to solve this via shell access would have a similar problem because I can't see how one person running the command can be restricted to just the lists they administer.
You could create a system user per list admin, make authorized_keys for each user owned by somebody else (root or list or domain_admin, maybe?), and put command=list_admin.py as an option. Alternatively, it must be possible to determine which public key was authorized (sorry, not that familiar with sshd), and register that with list_admin.py, which would live in a single list_admin account. Either way, list_admin.py would manage authz permissions based on the authn data, including access to lists and which REST (or mailmanclient) APIs are allowed.
This stuff is not easy to do really well, but if you are mostly worried about accidental damage or kids-will-be-kids mischief rather than actively malicious admins, could be good enough.
Oh well ... maybe something for the project to consider as an improvement in the future, particularly for the REST API.
There's a project called "lemme" which is a proof-of-concept program to put some authn/authz in front of the REST API. I was never involved, so I don't know if it got any farther than a PoC. It was a few years ago.
participants (3)
-
Mark Sapiro -
Philip Colmer -
Stephen J. Turnbull