Differences

This shows you the differences between two versions of the page.

--- build:lists [2009/03/25 08:59]
167.206.189.6
+++ build:lists [2018/05/28 02:48]
SLUUG Administration [Tell Apache to use password protection]
@@ Line 55: / Line 55: @@
-NOTE: MailMan requires at least Python 2.4. Debian 4.0 meets this requirement. Debian 3.1 did not, so we had to install Pyton 2.4 and use update-alternatives to make it the default version. Debian 3.1 also required installing libdb2.
+NOTE: MailMan requires at least Python 2.4. Debian 4.0 meets this requirement. Debian 3.1 did not, so we had to install Python 2.4 and use update-alternatives to make it the default version. Debian 3.1 also required installing libdb2.
@@ Line 68: / Line 68: @@
 =====Extract and Prepare Source=====
-The Debian Mailman package did not include search capibility. To enable search Mailman has to be compiled with htdig.  Extract the source file into /usr/local/src/mailman-2.1.9 and move the patch into that directory. gunzip the patch.
+The Debian Mailman package did not include search capability. To enable search Mailman has to be compiled with htdig.  Extract the source file into /usr/local/src/mailman-2.1.9 and move the patch into that directory. gunzip the patch.
 Disable most language support. This is an ugly hack to get around a problem with Japanese-language support in python on Debian Etch. Comment out the following line in messages/Makefile.in:
@@ Line 151: / Line 151: @@
 ====Tell Apache to use password protection====
-Edit /etc/apache2/sites-available/000-www.sluug.org and add a new directory section, filling in the directory where the archive is stored, the name of the list for the AuthName, and the file with the password.
+Edit /etc/apache2/sites-available/000-www.sluug.org and <del>add a new directory section</del>, filling in the directory where the archive is stored, the name of the list for the AuthName, and the file with the password.
 <code root>
         # Define password protection for this list's archives
@@ Line 163: / Line 163: @@
 </code>
+===Security holes===
+In 2018, on amber, it was found there were two major holes that allowed bots
+to access all mailing list contents:
+  - Each archived posting has two URLs, ''/pipermail/'' and  ''/mailman/htdig/'', however only the first is protected.
+  - The sluug.org and stlwebdev.org archives are defined in separate config files, and only protect the lists defined in each, but all lists are accessible through either domain.
+Therefore, the above ''<Directory>'' sections were replaced with
+''<LocationMatch>'' sections that first denied all access to the two URLs,
+then allowed password protected access to to selected lists available through
+that domain.  Also unlimited access to two lists used for announcements.
+Any list not overridden by a subsequent section will be blocked by the
+first global section.
+Using wildcards allowed protecting both URL paths without duplicating all the
+password statements.
+<code>
+    # Heavy use of symbolic links in Mailman configuration
+    <Directory /usr/local/mailman/archives/public>
+        Options FollowSymlinks
+    </Directory>
+    # Block all access to other lists' archives
+    # Alternate path to same files via htdig search results
+    <LocationMatch "^(/mailman/htdig|/pipermail)">
+        Order allow,deny
+        Deny from all
+    </LocationMatch>
+    # Define password protection for this list's archives
+    # For all these lists: discuss steercom jobs test*
+    # Alternate path to same files via htdig search results
+    <LocationMatch "^(/mailman/htdig/(discuss|steercom|jobs|test)|/pipermail/(discuss|steercom|jobs|test))">
+        Allow from all
+        AuthType Basic
+        AuthName "SLUUG Discussion Archive Access"
+        AuthUserFile /etc/apache2/discuss-passwords
+        Require valid-user
+    </LocationMatch>
+    # Define password protection for this list's archives
+    # For sysadmin list only
+    # Alternate path to same files via htdig search results
+    <LocationMatch "^(/mailman/htdig/sysadmin|/pipermail/sysadmin)">
+        Allow from all
+        AuthType Basic
+        AuthName "SLUUG Sysadmin Archive Access"
+        AuthUserFile /etc/apache2/sysadmin-passwords
+        Require valid-user
+    </LocationMatch>
+    # No password protection for this list's archives
+    # For all these lists: announce users
+    # Alternate path to same files via htdig search results
+    <LocationMatch "^(/mailman/htdig/(announce|users)|/pipermail/(announce|users))">
+        Allow from all
+    </LocationMatch>
+</code>
+All common parts of the port 80 and port 443 ''<VirtualHost>'' definitions
+were moved to a common file to eliminate complete duplication.
+Make similar changes to the stlwebdev web site definition.
 ====Create the  password file====
 The name of the file matches the AuthUserFile configuration statement.  The username for the htpasswd command is whatever is used for that password file.  You will be prompted for the password by the htpasswd command.
@@ Line 230: / Line 293: @@
 </code>
+Edit ''crontab'' before or after installation to:
+  * Comment the ''gate_news'' entry.  We are not using any usenet gateway.
 =====Copy Apache Images to Mailman=====
 <code root>

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools