Configuration is created automatically by puppet, isn't it? Does it also include automated tests for these scenarios? If not - why? Thorough automated tests would have eliminated such mistakes.
Regards, [[User:Ilya]]

On Mon, Feb 22, 2016 at 5:46 AM, Andrew Bogott <[email protected]> wrote:
> - tl;dr
>
> We discovered a serious security vulnerability on toollabs. The vulnerability is now closed, and there’s no evidence that it was exploited. Nevertheless if you have private passwords stored on a toollabs host, change them!
>
> - Rambling explanation
>
> Earlier today it was pointed out to me that sudo policies within Toollabs were overly permissive -- any user with a tools login was able to sudo and potentially change their identity to root or to another user. I've identified the cause of the vulnerability (my fault!) and closed it; the incorrect policies were in effect from February 12th until earlier today.
> We have already investigated the 'to root' scenario and confirmed that it's unlikely that any labs nodes are compromised -- even the bastion-01 case is unlikely, but best to err on the side of caution.
> I have not yet audited the 'user becoming a different user' case -- that will be a big job and will most likely take much of the day tomorrow. Even if the audit turns up nothing, though, it's technically possible that someone might have snooped and later covered their tracks. Given that, I recommend rotation of any passwords that provide access to sensitive data.
>
> - What about other labs projects?
>
> Most labs projects have permissive sudo policies by default. A few have locked down policies, and those projects have been closely checked. Nonetheless, for completeness here are projects that were temporarily less secure: 'catgraph', 'translatesvg', 'toolsbeta', 'jawiki', 'wmve-techteam', 'utrs', 'wmt', 'bastion', 'project-proxy', 'mediawiki-verp', 'glam', 'wlmjudging', 'tools', 'account-creation-assistance'
> Note that this vulnerability did not allow any user to access hosts they were not authorized to -- project membership was properly enforced.
>
> Sorry for the inconvenience!
>
> -Andrew
>
> _______________________________________________
> Labs-announce mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/labs-announce
_______________________________________________ Labs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/labs-l
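The kind of automated check Ilya asks for, as an added example that is not part of this thread or of the Wikimedia puppet repository: it parses simple sudoers user-specification lines and flags any that let a broad principal (ALL, or a project-wide group you name) run ALL commands as root or as any other user, which is the policy defect Andrew describes. The sample policy and the `%project-users` group name are constructed for the example; aliases, Defaults lines and line continuations are assumed absent.

```python
import re

# One sudoers user-spec line:  <who> <host> = (<runas>) [TAG:] <commands>
# Aliases, Defaults, includes and '\' continuations are not handled (assumption).
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def parse_spec(line):
    """Return {'who','runas','cmds'} for one spec line, or None for comments/blank/unparsed."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    # sudo runs commands as root when the (runas) list is omitted;
    # "(user : group)" is reduced to its user part.
    runas = (m.group("runas") or "root").split(":")[0].strip()
    return {"who": m.group("who"), "runas": runas,
            "cmds": [c.strip() for c in m.group("cmds").split(",")]}

def audit_sudoers(text, broad_principals=("ALL",)):
    """Return (line, reason) pairs for specs granting ALL commands to a broad principal.

    '%name' principals are groups; list the project-wide group in broad_principals.
    """
    findings = []
    for raw in text.splitlines():
        spec = parse_spec(raw)
        if spec is None or spec["who"] not in broad_principals or "ALL" not in spec["cmds"]:
            continue
        runas = {r.strip() for r in spec["runas"].split(",")}
        if "ALL" in runas:
            findings.append((raw.strip(), "any member may become root or any other user"))
        elif runas == {"root"}:
            findings.append((raw.strip(), "any member may become root"))
        else:
            findings.append((raw.strip(), "any member may become another user: " + ", ".join(sorted(runas))))
    return findings

# Constructed sample policy: one locked-down entry and two overly permissive ones.
SAMPLE = """\
%project-admins ALL = (ALL) ALL
%project-users  ALL = (root) NOPASSWD: ALL
%project-users  ALL = (ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for line, reason in audit_sudoers(SAMPLE, ("ALL", "%project-users")):
        print(f"PERMISSIVE: {line}  ->  {reason}")
```

Run against the sudoers files puppet renders in a test environment, it fails the build on exactly the entries that would have needed a post-incident audit.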
