[Labs-l] [Labs-announce] sudo vulnerability in toollabs

Marc-André Pelletier mpelletier at wikimedia.org
Mon Feb 22 13:43:18 UTC 2016


On 16-02-22 03:26 AM, Ilya Korniyko wrote:
> Configuration is created automatically by puppet, isn't it?
> Does it also include automated tests for these scenarios? If not - why?
> Thorough automated tests would have eliminated such mistakes.

Not really in that particular case:  The short of what happened is that
a migration inadvertently caused the default sudo policy rules to return
to all projects - including for those where they had been explicitly
removed and replaced with something more restrictive.

The end result, of course, is that people were able to sudo to root that
weren't *intended* to, but they /technically/ did so correctly according
to the configuration in place.

-- Marc
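The kind of regression check Ilya is asking about, as an added example that is not part of the thread and not Wikimedia's own tooling: the thread does not show the policy format or how puppet renders it, so this assumes each project's effective sudo policy is available as sudoers-syntax text and that each project is tagged either "default" (the standard rule applies) or "restricted" (the standard rule was deliberately replaced). The sample policies, project names and group names below are constructed. The check fails exactly in the situation Marc describes: a restricted project whose rendered policy has regained a rule equivalent to the default unrestricted root grant.

```python
"""Regression check for per-project sudo policy (added example, hypothetical
format).  Assumes each project's rendered policy is sudoers text and that
EXPECTED_MODE records which projects deliberately replaced the default rule.
Alias definitions, Defaults lines and backslash continuations are skipped,
not expanded."""
import re
from dataclasses import dataclass

# Constructed sample mirroring the failure in the thread: the default rule is
# present everywhere, including the project that had explicitly replaced it.
RENDERED_POLICY = {
    "tools": "%project-tools ALL = (ALL) NOPASSWD: ALL\n",
    "deployment-prep": (
        "# explicit restriction: only service restarts as root\n"
        "%project-deployment-prep ALL = (root) NOPASSWD: /usr/sbin/service\n"
        "%project-deployment-prep ALL = (ALL) NOPASSWD: ALL\n"
    ),
}
EXPECTED_MODE = {"tools": "default", "deployment-prep": "restricted"}

# user  host = (runas) [TAG:]* commands   (one rule per line)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


@dataclass(frozen=True)
class SudoRule:
    user: str
    host: str
    runas: str          # raw contents of the (...) part, "" if omitted
    commands: tuple

    def grants_unrestricted_root(self) -> bool:
        """True for anything equivalent to the default 'ALL=(ALL) ALL'.
        An omitted runas means root in sudoers, so treat it that way."""
        runas_users = self.runas.split(":")[0] if self.runas else "root"
        users = {u.strip() for u in runas_users.split(",")}
        return bool(users & {"ALL", "root"}) and "ALL" in self.commands


def parse_sudoers(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / #include
        if not line or line.startswith(("Defaults", "@")):
            continue
        if line.split()[0].endswith("_Alias"):   # User_Alias, Cmnd_Alias ...
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        cmds = tuple(c.strip() for c in m.group("cmds").split(","))
        rules.append(SudoRule(m.group("user"), m.group("host"),
                              m.group("runas") or "", cmds))
    return rules


def find_policy_regressions(rendered: dict, expected_mode: dict) -> dict:
    """Return {project: [offending rules]} for every project marked
    'restricted' whose rendered policy still grants unrestricted root."""
    regressions = {}
    for project, text in rendered.items():
        if expected_mode.get(project) != "restricted":
            continue
        bad = [r for r in parse_sudoers(text) if r.grants_unrestricted_root()]
        if bad:
            regressions[project] = bad
    return regressions


if __name__ == "__main__":
    for project, rules in find_policy_regressions(RENDERED_POLICY, EXPECTED_MODE).items():
        for r in rules:
            print(f"{project}: restricted project regained default grant: "
                  f"{r.user} {r.host} = ({r.runas or 'root'}) {','.join(r.commands)}")
```

Run as a puppet or CI step over the rendered output, this turns the "technically correct according to the configuration in place" outcome into a failing check, because it compares the rendered policy against the recorded intent for each project rather than trusting the rendering.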