On 2016-05-12 5:54 PM, Huji Lee wrote:
> I know with WordPress the issue is not about the spread of vulnerabilities from one server instance to another, but I wonder how Labs is secured against the latter specifically.
The security domain for labs is the project, not the instance; but they are otherwise insulated from each other so long as they do not share resources.
In particular, a system user has no privileges to hop from one instance to another, and if no authentication credentials are stored in user accounts (which you really should not) and you do not use agent forwarding then you're as secure as can be within a virtualization infrastructure.
If the WordPress instance is properly puppetized, then a wipe-and-recreate does the trick to clean up after any incident.
-- Marc
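
The two conditions named in the reply above (no credentials stored in user accounts, no agent forwarding) can be checked per home directory on an instance. This is an added example, not part of the original message; the function names and the output format are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit one home directory on an
# instance for stored private keys and for enabled SSH agent forwarding.
# Usage after sourcing: audit_home /home/alice   (hypothetical path)

# Print "private-key <path>" for files whose first line is a private-key header.
find_private_keys() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null |
            grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----'; then
            printf 'private-key %s\n' "$f"
        fi
    done
}

# Print "agent-forwarding <file>:<line> <value>" for every ForwardAgent
# setting other than "no". Keywords are case-insensitive and may use "=".
find_agent_forwarding() {
    [ -f "$1" ] || return 0
    awk '{
        sub(/#.*/, ""); gsub(/=/, " "); gsub(/"/, "")
        if (NF >= 2 && tolower($1) == "forwardagent" && tolower($2) != "no")
            printf "agent-forwarding %s:%d %s\n", FILENAME, NR, $2
    }' "$1"
}

# Return 0 when the home directory is clean, 1 (and print findings) otherwise.
audit_home() {
    findings=$(find_private_keys "$1"; find_agent_forwarding "$1/.ssh/config")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

The check reads only the per-user `.ssh/config`; forwarding requested on the command line with `ssh -A` leaves no trace in that file.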
