On 2/22/16 2:11 AM, Legoktm wrote:
Hi,

On 02/21/2016 07:46 PM, Andrew Bogott wrote:
Most labs projects have permissive sudo policies by default. A few have locked down policies, and those projects have been closely checked. Nonetheless, for completeness here are projects that were temporarily less secure: 'catgraph', 'translatesvg', 'toolsbeta', 'jawiki', 'wmve-techteam', 'utrs', 'wmt', 'bastion', 'project-proxy', 'mediawiki-verp', 'glam', 'wlmjudging', 'tools', 'account-creation-assistance'
To clarify, these projects should specifically be checked because they
don't have "permissive sudo policies"? Could you expand on what you mean
by that?

Yes, sorry, I'll try again :)

New labs projects by default provide complete sudo access to all members. Most labs projects preserve those initial settings -- that means that most projects were untouched by this issue, because they /already/ had the policy that was inadvertently applied.

The above list is all of the projects that no longer retained the default permissive policy (as of late January) and therefore had their sudo policies expanded by the errant rules applied on the 12th.

Fortunately, most of the projects in the above list fall into one or more of these categories:

- All users are projectadmins, thus effectively providing full access to all potential logins
- No active VMs, thus nothing to exploit

That combined with auth log auditing leaves me relatively unconcerned about projects other than bastion and tools (they being both active and containing a large number of non-root users).

I hope that makes more sense!

-Andrew
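One way to do the auth log auditing Andrew refers to, as an added example that is not from this thread or from the Labs project itself: a small Python script that pulls the command-audit lines sudo writes to a syslog-format auth.log and flags invocations by users outside the project's admin set during the exposure window (the 12th until the rules were corrected). The log lines, hostname, user names, admin set and window dates are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample /var/log/auth.log excerpt; host, users and commands are made up.
SAMPLE_AUTH_LOG = """\
Jan 12 09:14:02 bastion-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Jan 15 22:03:44 bastion-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install tmux
Jan 15 22:03:44 bastion-01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 20 11:00:00 bastion-01 sshd[1234]: Accepted publickey for carol from 10.0.0.5 port 2222 ssh2
Jan 22 14:10:09 bastion-01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
Feb  2 03:30:12 bastion-01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
"""

# Assumed exposure window for the constructed data: the 12th until the end of January.
EXPOSURE_WINDOW = (datetime(2016, 1, 12), datetime(2016, 1, 31, 23, 59, 59))

# Matches only sudo's command-audit line, not the pam_unix session lines it also emits.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_events(log_text, year):
    """Yield (timestamp, invoking user, target user, command) per sudo audit line.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        # Collapse the padded day field ("Feb  2") before parsing.
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["target"], m["cmd"]

def find_unexpected_sudo(log_text, admins, window_start, window_end, year):
    """Return sudo invocations by users outside `admins` within the window, i.e. the
    privilege use that the project's intended (locked-down) policy would have denied."""
    hits = []
    for ts, user, target, cmd in parse_sudo_events(log_text, year):
        if user in admins or not (window_start <= ts <= window_end):
            continue
        hits.append({"time": ts, "user": user, "target": target, "command": cmd})
    return hits

if __name__ == "__main__":
    for h in find_unexpected_sudo(SAMPLE_AUTH_LOG, {"alice"}, *EXPOSURE_WINDOW, year=2016):
        print(f"{h['time']:%b %d %H:%M} {h['user']} -> {h['target']}: {h['command']}")
```

Only alice is a projectadmin in the sample, so bob's and carol's January invocations are reported while carol's February one falls outside the window.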


_______________________________________________
Labs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/labs-l
