Validate=
Validate= No | Yes[,Confirm[,NoPW]] | All,Confirm[,NoPW]]
The Validate= keyword determines what level of validation (if any) is performed for various LISTSERV commands that apply to individual lists. There are six different settings ranging from very basic to very strict. The two most common settings are (arguably) "Validate= No" and "Validate= Yes".
Lists are protected from hackers at the most basic level by the fact that a list PUT operation always requires validation, regardless of the setting of the Validate= keyword. In other words, the list owner or LISTSERV postmaster must always use a personal password (set with the PW ADD command) when he sends an updated version either of the list header or of the entire list back to the server, even if "Validate= No". This is to protect you from network hackers who might issue a command "from" your userid@host address to change list settings, such as who has the ability to GET and PUT the list, review concealed subscribers, etc. The default for this keyword is "Validate= No", but it is recommended that "serious" or "important" lists be changed to at least "Validate= Yes".
When "Validate= Yes", password validation applies to so-called "protected" commands (all of the commands that modify the contents of the list, for example ADD, DELETE, SIGNOFF, etc.--but not SUBscribe or SET). This implies that hackers cannot use these "protected" commands since they do not know the list owner's or LISTSERV postmaster's personal password. While at first glance this would also seem to mean that legitimate subscribers cannot use the SIGNOFF command, that is not the case, because for lists operating with "Validate= Yes" (i.e., without the "Confirm" option), LISTSERV may still use the "OK" mechanism in certain cases if it is deemed appropriate. LISTSERV's rationale is that the "Validate=" keyword describes the desired behavior for interaction with the list owner and people who can be expected to use the list on a regular basis. SIGNOFF requests from legitimate subscribers and DELETE requests from registered node administrators (NADs) on behalf of a user on their machine, for instance, may be validated using the "OK" mechanism even though that was not requested, because users and node administrators are not generally expected to have a password with which to validate such requests.
A notable exception to the list of "protected" commands is the SUBscribe command, which can still be used (if enabled, for example, if "Subscription= Open") to get on the list; however, when "Validate= Yes", sending a second SUBscribe command for the same list (for instance, to correct a spelling error in your name) would result in the command being forwarded to the list owner and not immediately executed.
Also note that the SET command used to set various personal subscription options is not a "protected" command and may be issued without need for validation even when "Validate= Yes".
A rundown of the six different settings and what they mean follows:
- "Validate= No": all commands except PUT are taken at face value with no validation. While users are not bothered with validation requests, the list is almost totally unprotected from attacks by hackers. For compatibility reasons, this is the default setting.
- "Validate= Yes": "protected" commands, such as DELETE or ADD, require password validation. For list owner commands, personal passwords set with the PW ADD command are accepted. Some user commands may accept a personal password, while others will cause the request to be forwarded to the list owners for verification. Other "protected" commands include GET, but do not include SUB or SET.
- "Validate= Yes,Confirm": protected commands are validated using the "OK" mechanism by default, although personal passwords are also accepted where appropriate. This is a good compromise between list security and list owner convenience.
- "Validate= Yes,Confirm,NoPW": protected commands are always validated using the "OK" mechanism. Passwords are not accepted, as they are not as safe as "cookies". This is the recommended setting for secure lists. Note that lists with this setting cannot be managed via the Web Management Interface.
- "Validate= All,Confirm": all commands causing a change in state, except the PUT command (which is always password-validated), are validated using the "OK" mechanism by default, although personal passwords are also accepted where appropriate. "Protected" commands (see above) are included in the class of commands that cause a change of state. Non-"protected" commands that cause a change in state include SUB and SET.
- "Validate= All,Confirm,NoPW": all commands causing a change in state (except PUT, as noted above) are always validated using the "OK" mechanism; passwords are not accepted, as with "Validate= Yes,Confirm,NoPW". Note that lists with this setting cannot be managed via the Web Management Interface.
Informational commands such as QUERY, SHOW, INDEX and REVIEW do not require any validation, regardless of the setting of Validate=.
Requests originating on the local machine via CP MSG or CP SMSG (on z/VM systems) or originating on the local machine via LCMD (on Unix and Windows systems) never require validation, as they cannot be forged.
In all cases save one, the PUT command must always be validated with the personal password of the list owner or LISTSERV postmaster who is executing the PUT operation. This is because LISTSERV is not currently able to (1) suspend the execution of your PUT command, (2) store your list header or other file in a temporary file, and (3) wait for your "OK" before executing the PUT. If your password is used only for the purpose of validating PUT commands, any password exposure is minimal as PUT operations are not part of everyday list management routine.
z/VM users should note that PUT requests require no validation when submitted via CMS SENDFILE from the machine on which LISTSERV is running, as the operating system itself guarantees the authenticity of the transaction (and thus there is no need to store the file you are PUTting and wait for an "OK"). This is the only case in which a PUT operation does not require a password.
Table B.1 shows how LISTSERV commands are influenced by the Validate= keyword under different settings. Some redundant commands (e.g., JOIN, LEAVE, and UNSUBscribe) are not documented in the table, but behave exactly as do their "official" counterparts (e.g., JOIN behaves exactly as does SUBSCRIBE). Some commands never require validation but are included for completeness because they are specifically "list-level" commands. If a command is not otherwise listed below, it is not influenced in any way by the Validate= keyword.
NONE = does not require any validation
PW = requires password validation
OK = requires OK validation, will not accept PW validation
OK/PW = requires OK validation by default but will also accept PW validation
|
Validate= setting is: |
|||||
Command |
No |
Yes |
Yes, Confirm |
Yes, Confirm, NoPW |
All, Confirm |
All, Confirm, NoPW |
ADD(*) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
CHANGE(**) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
CONFIRM |
NONE |
NONE |
NONE |
NONE |
NONE |
NONE |
DELETE(*) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
FREE(*) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
GET(***) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
GETPOST |
NONE |
NONE |
NONE |
NONE |
NONE |
NONE |
HOLD(*) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
INFO |
NONE |
NONE |
NONE |
NONE |
NONE |
NONE |
PUT(*) |
PW |
PW |
PW |
PW |
PW |
PW |
QUERY |
NONE |
NONE |
NONE |
NONE |
NONE |
NONE |
REVIEW |
NONE |
NONE |
NONE |
NONE |
OK/PW |
OK |
SCAN |
NONE |
NONE |
NONE |
NONE |
NONE |
NONE |
SEARCH |
NONE |
NONE |
NONE |
NONE |
NONE |
NONE |
SET |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
SIGNOFF |
NONE |
NONE |
NONE |
NONE |
OK/PW |
OK |
SUBSCRIBE |
NONE |
NONE |
NONE |
NONE |
OK/PW |
OK |
UNLOCK(*) |
NONE |
PW |
OK/PW |
OK |
OK/PW |
OK |
Table B.1. LISTSERV list-level commands and how they are affected by Validate=.
(*) All commands so marked may be issued only by a list owner or LISTSERV postmaster.
(**) The CHANGE command has two syntaxes, one for general users, one for list owners/postmasters. General users will always be required to use "OK" confirmation, regardless of the Validate= setting. The values in the table above are for the syntax issued by list owners or the LISTSERV postmaster(s).
(***) 'GET listname' may be issued only by a list owner or LISTSERV postmaster. General users may issue GET commands for notebook archives and/or files listed in the list's file catalog and with appropriate GET FACs only.
Please note carefully that Table B.1 assumes that you have defined default values for most keywords. For instance, the SUBSCRIBE command will require an "OK" confirmation if you have "Subscription= Open,Confirm" and "Validate= No"; REVIEW will only be available depending on how you have the "Review=" keyword set; GETPOST and SEARCH may require passwords depending on the "Notebook=" setting; etc. However none of these conditions are influenced directly by "Validate=" except as noted in the table.
In some cases, "Validate= Yes" will cause an "OK" request to go out instead of requiring a password (i.e., if no password was included with the command). This is to avoid confusion on the part of a subscriber who may or may not have a LISTSERV password and who may not understand why he is being asked to provide a password before a given command will work.
Note also that even with "Validate= No" some users may be required to confirm commands with the "OK" method if they are sending commands via a web browser and WEB_BROWSER_CONFIRM= is set to 1 (although in modern versions of LISTSERV, the WEB_BROWSER_CONFIRM= default is 0, or disabled) in the site configuration file.