Hi.
FWIW, I think that the problem identified by Thorsten on FusionForge
probably affects versions pre wheezy, hence my forwarding to the
security team.
This needs to be investigated, but I'm not really able to dedicate
myself to it at the moment.
Hope this helps.
Best regards,
--- Begin Message ---
On Thu, 30 Aug 2012, Thorsten Glaser wrote:
> I’m hereby seeking pre-upload approval for new uploads (not new
[…]
> • fusionforge_5.2~rc1wheezy1.debdiff
The diff attached will also need to be added to this upload
for security reasons. I found out today that deleted users
can still log in via SSH using their old pre-deletion password
(not with SSH pubkey auth, though, and they cannot do “much”,
but it’s still a security risk).
bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing Directors: Boris Esser, Sebastian Mancke
Index: debian/changelog
===================================================================
--- debian/changelog (revision 16198)
+++ debian/changelog (working copy)
@@ -11,8 +11,9 @@
* Check image upload is enabled before trying to do so (Closes: #679521)
* Unbreak and silence the MediaWiki nightly dump cronjob (Closes: #680165)
* Remove minified ECMAscript and binary *.jar from the source
+ * SECURITY: Upon user deletion, remove their Unix account as well
- -- Thorsten Glaser <[email protected]> Thu, 30 Aug 2012 11:06:02 +0200
+ -- Thorsten Glaser <[email protected]> Mon, 03 Sep 2012 11:55:51 +0200
fusionforge (5.2~rc1-5) unstable; urgency=low
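Review bot: The new changelog entry ("SECURITY: Upon user deletion, remove their Unix account as well") states the fix but not the impact or the operator action; the cover mail says deleted users could still authenticate over SSH with their pre-deletion password, and the same upload ships a one-off SQL migration for accounts deleted before this change. Suggest spelling both out in the entry so administrators upgrading an existing install know to apply the migration, e.g. "SECURITY: deleted users could still log in via SSH with their old password; set unix_status='D' on deletion and add db/20120903-no-unix-account-for-deleted-users.sql to fix already-deleted accounts".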
Index: db/20120903-no-unix-account-for-deleted-users.sql
===================================================================
--- db/20120903-no-unix-account-for-deleted-users.sql (revision 0)
+++ db/20120903-no-unix-account-for-deleted-users.sql (revision 0)
@@ -0,0 +1 @@
+UPDATE users SET unix_status='D' WHERE status!='A';
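Review bot: The migration's predicate is `status!='A'`, which disables the Unix account of every user whose status is anything other than active, not only those with status 'D' that the PHP change targets; if the users table carries any other status value (for example a not-yet-validated account), those accounts are caught too, so either confirm that is intended or narrow the condition to `WHERE status='D'` to match the code path. It is also not visible in this diff whether the packaging runs this dated file on upgrade, which is worth checking since without it installs with existing deleted users keep the SSH exposure the cover mail describes.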
Index: common/include/User.class.php
===================================================================
--- common/include/User.class.php (revision 16198)
+++ common/include/User.class.php (working copy)
@@ -502,6 +502,7 @@
plugin_hook("user_delete", $hook_params);
$this->setStatus('D');
+ $this->setUnixStatus('D');
db_commit();
}
return true;
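Review bot: The return value of the added `$this->setUnixStatus('D');` is not checked before `db_commit();`, so a failed update leaves the transaction committing with status 'D' but the Unix account untouched, which is exactly the state this change is meant to eliminate. The surrounding `setStatus('D')` call is not checked either, so this is consistent with the existing style, but for the security-relevant step it would be safer to test the result and roll back (returning false) when the Unix status could not be set.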
_______________________________________________
Fusionforge-general mailing list
[email protected]
http://lists.fusionforge.org/cgi-bin/mailman/listinfo/fusionforge-general
--- End Message ---
--
Olivier BERGER
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)