[Labs-l] [Labs-announce] sudo vulnerability in toollabs

Ilya Korniyko intracer at gmail.com
Mon Feb 22 08:26:50 UTC 2016


Configuration is created automatically by puppet, isn't it?
Does it also include automated tests for these scenarios? If not - why?
Thorough automated tests would have eliminated such mistakes.

Regards,
[[User:Ilya]]

On Mon, Feb 22, 2016 at 5:46 AM, Andrew Bogott <abogott at wikimedia.org>
wrote:

> - tl;dr
>
>     We discovered a serious security vulnerability on toollabs.  The
> vulnerability is now closed, and there’s no evidence that it was
> exploited.  Nevertheless if you have private passwords stored on a toollabs
> host, change them!
>
>
> - Rambling explanation
>
>     Earlier today it was pointed out to me that sudo policies within
> Toollabs were overly permissive -- any user with a tools login was able to
> sudo and potentially change their identity to root or to another user.
> I've identified the cause of the vulnerability (my fault!) and closed it;
> the incorrect policies were in effect from February 12th until earlier
> today.
>     We have already investigated the 'to root' scenario and confirmed that
> it's unlikely that any labs nodes are compromised -- even the bastion-01
> case is unlikely, but best to err on the side of caution.
>     I have not yet audited the 'user becoming a different user' case --
> that will be a big job and will most likely take much of the day tomorrow.
> Even if the audit turns up nothing, though, it's technically possible that
> someone might have snooped and later covered their tracks.  Given that, I
> recommend rotation of any passwords that provide access to sensitive data.
>
>
> - What about other labs projects?
>
>     Most labs projects have permissive sudo policies by default.  A few
> have locked down policies, and those projects have been closely checked.
> Nonetheless, for completeness here are projects that were temporarily less
> secure:  'catgraph', 'translatesvg', 'toolsbeta', 'jawiki',
> 'wmve-techteam', 'utrs', 'wmt', 'bastion', 'project-proxy',
> 'mediawiki-verp', 'glam', 'wlmjudging', 'tools',
> 'account-creation-assistance'
>     Note that this vulnerability did not allow any user to access hosts
> they were not authorized to -- project membership was properly enforced.
>
>
>     Sorry for the inconvenience!
>
> -Andrew
>
> _______________________________________________
> Labs-announce mailing list
> Labs-announce at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/labs-announce
> _______________________________________________
> Labs-l mailing list
> Labs-l at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/labs-l
>
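Ilya asks whether the puppet-generated configuration carries automated tests for this scenario. As an added illustration, not code from this thread or from Wikimedia's puppet repository, the check below is the kind of test such a pipeline could run over a rendered sudoers file: it parses the user-specification lines and flags any rule that lets a principal outside a small trusted set run ALL commands or act as ALL users (the "become root" and "become another user" cases Andrew describes). The group names, the default trusted set and both sample policies are constructed for the example.

```python
"""Audit rendered sudoers rules for overly permissive grants (hypothetical example).

The idea: a configuration-management test renders the sudoers file it is about
to ship and fails the build if any non-trusted principal may run ALL commands
or run commands as ALL users. Sample policies below are constructed.
"""
import re
from dataclasses import dataclass

# sudoers user specification, simplified:
#   <who>  <host> = (<runas_user>[:<runas_group>]) [TAG:...] <command list>
# Assumed: no backslash line continuations and no alias expansion beyond ALL.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)

# Lines that are not user specifications and must not be parsed as such.
NON_RULE_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias",
                     "Host_Alias", "Runas_Alias", "@include")

# Tags that may prefix a command in the command list.
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:")


@dataclass
class Finding:
    line_no: int
    who: str
    reason: str


def strip_tags(cmd):
    """Remove any leading NOPASSWD:/SETENV:/... tags from a single command."""
    cmd = cmd.strip()
    changed = True
    while changed:
        changed = False
        for tag in TAGS:
            if cmd.startswith(tag):
                cmd = cmd[len(tag):].strip()
                changed = True
    return cmd


def parse_rules(text):
    """Yield (line_no, who, runas, cmds) for every user-specification line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(NON_RULE_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((n, m.group("who"), m.group("runas"), m.group("cmds")))
    return rules


def audit(text, trusted=("root", "%sudo", "%admin")):
    """Return findings for principals outside `trusted` with blanket grants.

    `trusted` is a constructed default; a real test would take the project's
    own list of administrative users and groups.
    """
    findings = []
    for n, who, runas, cmds in parse_rules(text):
        if who in trusted:
            continue
        # An omitted RunAs list means "root"; the group part after ':' is ignored.
        runas_user = (runas or "root").split(":", 1)[0].strip() or "root"
        commands = [strip_tags(c) for c in cmds.split(",")]
        if runas_user == "ALL":
            findings.append(Finding(n, who, "may run commands as any user (RunAs ALL)"))
        if "ALL" in commands:
            findings.append(Finding(n, who, f"may run any command as {runas_user}"))
    return findings


# Constructed sample: every member of a project group may become anyone.
PERMISSIVE = """\
# constructed sample policy
root            ALL = (ALL) ALL
%sudo           ALL = (ALL:ALL) ALL
%project-users  ALL = (ALL) NOPASSWD: ALL
"""

# Constructed sample: members may only restart one service, as root.
RESTRICTED = """\
# constructed sample policy
root            ALL = (ALL) ALL
%sudo           ALL = (ALL:ALL) ALL
%project-users  ALL = (root) NOPASSWD: /usr/sbin/service my-tool restart
"""


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        found = audit(policy)
        print(f"{name}: {'FAIL' if found else 'ok'}")
        for f in found:
            print(f"  line {f.line_no}: {f.who} {f.reason}")
```

Run as a build step, a non-empty result from `audit()` fails the deploy before the file reaches any host; the check is deliberately conservative (it only recognises the literal `ALL`), so a policy that hides a blanket grant behind a Cmnd_Alias would need alias expansion added before it could be trusted.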

