
Majordomo2 Admin Passwords

The Majordomo2 system implements most of its security through the use of passwords. Providing a password causes the system to bypass the normal access checks; if the password is valid and carries the proper authorizations, the action will be carried out. This enables a list owner to administer the list from various addresses and to give others administration duties simply by giving out passwords.

There are various overlapping classes of passwords:

Global passwords: These passwords are authorized to perform actions on all lists at a site.
List passwords: These can affect only a single list.
Master passwords: These are authorized to perform any action on the list. The global master password is allowed to perform every action on every list.
Subsidiary passwords: The list owner (actually anyone who has the list's master password or the global master password) can create an unlimited number of passwords and authorize each to do different things.
User passwords: A unique password is given to each user at registration time, which can be used to verify identity without the usual confirmations. The only purpose of these passwords is to bypass the confirmation process; when a confirmation token is to be generated, this password is checked. If valid, the operation will continue as if it had been confirmed. This grants no additional access privileges.

The concept of subsidiary passwords is powerful. One (or, perhaps, more than one) password can be authorized to perform subscriptions while another can bypass access restrictions on posting messages. Passwords can be authorized to do more than one thing, or to do anything except see or change any of the passwords. (Only the master passwords are authorized to do that.)

In addition, subsidiary passwords can be bound to email addresses. This is not intended to give a large amount of additional security; email can be forged trivially and a user with a password authorized to carry out the 'alias' action can simply equate his address to one which is authorized to do some other action. Still, since the passwords themselves are hidden from view, it prevents casual password guessing.

Note that master passwords cannot be bound to addresses. If this is desired, it is best to create a subsidiary password authorized to do 'ALL'. Some sites may even choose not to give master passwords to list owners.
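
The rules above reduce to a single access decision per request. The following Python model is an added illustration, not Majordomo2's own code; the action labels other than 'alias' and 'ALL', the `GLOBAL` scope marker, the list name and the sample passwords are assumptions constructed for this example.

```python
import hmac
from dataclasses import dataclass

# Hypothetical labels for this model; only 'alias' and 'ALL' appear on the page.
PASSWORD_ACTIONS = {"view_passwords", "set_passwords"}
GLOBAL = "GLOBAL"  # constructed marker for a site-wide (global) password

@dataclass(frozen=True)
class Password:
    secret: str
    scope: str                          # a list name, or GLOBAL
    master: bool = False
    actions: frozenset = frozenset()    # subsidiary grants; may contain "ALL"
    bound_to: frozenset = frozenset()   # optional address binding

    def __post_init__(self):
        # Master passwords cannot be bound to addresses.
        if self.master and self.bound_to:
            raise ValueError("master passwords cannot be bound to addresses")

def authorizes(pw, supplied, list_name, action, sender):
    """Return True if `supplied` lets `sender` perform `action` on `list_name`."""
    if not hmac.compare_digest(pw.secret.encode(), supplied.encode()):
        return False
    if pw.scope not in (GLOBAL, list_name):
        return False                    # a list password affects only its own list
    if pw.master:
        return True                     # master: any action within its scope
    if pw.bound_to and sender.lower() not in pw.bound_to:
        return False                    # binding is a guessing deterrent only
    if action in PASSWORD_ACTIONS:
        return False                    # only master passwords see or change passwords
    return "ALL" in pw.actions or action in pw.actions

# Constructed sample passwords for a hypothetical list named "staff".
SITE_MASTER = Password("example-site-master", GLOBAL, master=True)
LIST_MASTER = Password("example-list-master", "staff", master=True)
SUBS_ONLY = Password("example-subs", "staff", actions=frozenset({"subscribe"}))
DELEGATE = Password("example-delegate", "staff", actions=frozenset({"ALL"}),
                    bound_to=frozenset({"owner@example.edu"}))

if __name__ == "__main__":
    for pw, act in [(LIST_MASTER, "set_passwords"), (DELEGATE, "set_passwords"),
                    (DELEGATE, "post"), (SUBS_ONLY, "post")]:
        print(act, authorizes(pw, pw.secret, "staff", act, "owner@example.edu"))
```

The `DELEGATE` entry is the arrangement recommended above for an owner who wants an address-bound credential: a subsidiary password authorized for 'ALL', which still cannot see or change passwords.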

For information on how to actually set up and change passwords, see the help topics

config master_password
config passwords

and for information on how to apply passwords, see the 'admin approve' and 'admin default' help topics.

 

Last modified on June 15, 2005 by dlschmid
