At 7:30 AM -0400 4/15/02, Roger Burton West is rumored to have typed:
In the absence of a truly cryptographically secured system - such as connecting to the list server with SSH - I fear this is the best that can be done.
Er...with sincere apologies to Werner and Roger, I'm a little bewildered by all of this. It's cool and all, but if a mailing list _needs_ to be truly secure (I'm not sure I quite understand _why,_ since it's...well...just a mailing list), then X-Commands should be shut down completely and all maintenance can easily be done through an SSH shell. (Don't have SSH? Install it NOW. Can't install because you don't root the box? How secure do you think ANY of your stuff is?)

Although I'd maintain that SmartList isn't really designed to protect its data to the same level that one would (should, anyway) protect credit card information, anyway, so I'm not sure even _that_ argument is moot...look at the number of times setting up web-based X-Command interfaces comes up on this list because the "newbies" can't figure out the proper format for the command, let alone placing it on the first line of a non-multipart message so SmartList can append it to the header. Wrap a web interface on a secure web page and drop X-Commands that don't come from localhost and you've got a reasonably "secure" X-Command system without rotating passwords or list keysets.

I took a somewhat different approach to a different "problem." I didn't much like the Approval: system for moderated lists (this is way back in the days before the moderator_PASSWORD var, understand), so thanks to open source I hacked a mildly different one that uses a password in the Subject: header field for those lists which are moderated. It is NOT "secure," it's just different enough that someone familiar with SmartList who didn't crack my server or sniff right outside it couldn't easily approve a message (rc.local.s00 contains a recipe that drops any Approved: headers straightaway - and if they crack my server, I have bigger problems than the mailing lists!).

But I didn't do it to "securely" protect the list, rather to make it less trivial for a user to get around me...anyone who wanted to spend a lot of time and energy could certainly get past it, and probably root the box as well no matter how hard I try to keep up with updates and patches. But why in heaven's name _would_ anyone spend that amount of time just so they could post a message? It's a matter of cost/benefit. Someone could spend a lot of time and energy sniffing outside my server, to get...what? An X-Command password? So they could do...what? Manually subscribe people? Isn't it easier to find an open relay in China to annoy people?

Again, I'm not exactly sure what problem this is attempting to solve. Heck, a lot of the lists discussed here are on shared machines anyway - secure the X-Command, but screw the file permissions and allow everyone else on the machine (and in some cases I've seen, _off_ the machine with a web browser if you know its path!) to read the dist list anyway?

Charlie
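An added example (not Charlie's actual rc.local.s00, which is not shown in the thread) of the one defensive step his message describes: a procmail recipe that strips any Approved: header from incoming list mail before the list's own moderation logic sees it, so a sender cannot forge approval simply by adding the header. The flags, condition and formail call are standard procmail/formail; placing it in rc.local.s00 so that it runs ahead of the approval check is assumed from the message above.

```procmail
# Added example, not from the original post or the SmartList distribution.
# Drop any Approved: header a submitter supplied, so that the only way to
# approve a message is whatever mechanism the moderator actually controls
# (the poster's Subject: password hack, or moderator_PASSWORD on newer lists).
#
#   f  - filter: the pipe's output replaces the message
#   h  - pass only the header to the filter (the body is untouched)
#   w  - wait for the filter to exit and check its status
#
# formail -I "Approved:" with no value after the field name deletes every
# Approved: field from the header.
:0 fhw
* ^Approved:
| formail -I "Approved:"
```

The condition is header-only by default in procmail, so an "Approved:" line in the body is not affected. Order matters: this recipe must be sourced before the recipe that honours approval, otherwise a forged header has already done its work, and that is the reason for putting it in an early hook such as rc.local.s00 rather than a later one.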