[Labs-l] [Labs-announce] sudo vulnerability in toollabs
Andrew Bogott
abogott at wikimedia.org
Mon Feb 22 14:04:17 UTC 2016
On 2/22/16 2:11 AM, Legoktm wrote:
> Hi,
>
> On 02/21/2016 07:46 PM, Andrew Bogott wrote:
>> Most labs projects have permissive sudo policies by default. A few
>> have locked down policies, and those projects have been closely checked.
>> Nonetheless, for completeness here are projects that were temporarily
>> less secure: 'catgraph', 'translatesvg', 'toolsbeta', 'jawiki',
>> 'wmve-techteam', 'utrs', 'wmt', 'bastion', 'project-proxy',
>> 'mediawiki-verp', 'glam', 'wlmjudging', 'tools',
>> 'account-creation-assistance'
> To clarify, these projects should specifically be checked because they
> don't have "permissive sudo policies"? Could you expand on what you mean
> by that?
Yes, sorry, I'll try again :)
New labs projects by default provide complete sudo access to all
members. Most labs projects preserve those initial settings -- that
means that most projects were untouched by this issue, because they
/already/ had the policy that was inadvertently applied.
The above list is all of the projects that no longer retained the
default permissive policy (as of late January) and therefore had their
sudo policies expanded by the errant rules applied on the 12th.
Fortunately, most of the projects in the above list fall into one or
more of these categories:
- All users are projectadmins, thus effectively providing full access to
all potential logins
- No active VMs, thus nothing to exploit
That combined with auth log auditing leaves me relatively unconcerned
about projects other than bastion and tools (they being both active and
containing a large number of non-root users).
I hope that makes more sense!
-Andrew
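Auth log auditing of the kind Andrew describes, as an added example that is not part of the thread: it pulls sudo entries out of a constructed auth.log, keeps the ones inside the exposure window, and flags invocations by users who are not known project admins (denied attempts included). The window (Feb 12 to Feb 22, 2016), the host name and the user names are assumptions.

```python
"""Audit sudo use in auth.log during a window when the sudo policy was
unexpectedly broadened.  Added example, not code from the list thread;
host, users, log lines and the window dates are constructed."""
import re
from datetime import datetime

# Constructed syslog-style auth.log excerpt (no year in timestamps).
SAMPLE_AUTH_LOG = """\
Feb 11 09:15:02 tools-bastion-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Feb 13 10:22:41 tools-bastion-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 13 10:23:05 tools-bastion-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Feb 14 03:01:17 tools-bastion-01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Feb 15 18:44:09 tools-bastion-01 sshd[2210]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
"""

# Assumed exposure window: errant rules applied on the 12th, thread dated the 22nd.
EXPOSURE_START = datetime(2016, 2, 12)
EXPOSURE_END = datetime(2016, 2, 22, 23, 59, 59)

# Matches the sudo summary line; "rest" holds the TTY/PWD/USER/COMMAND fields
# (and the "user NOT in sudoers" marker on denied attempts).
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)


def parse_ts(ts, year):
    """Syslog timestamps lack a year; the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def audit_sudo(log_text, admins, start, end, year=2016):
    """Return sudo invocations inside [start, end] by users not in `admins`."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # sshd, cron, etc.
        when = parse_ts(m["ts"], year)
        if not (start <= when <= end) or m["user"] in admins:
            continue
        rest = m["rest"]
        cmd = rest.split("COMMAND=", 1)[1] if "COMMAND=" in rest else ""
        findings.append({"time": when, "host": m["host"], "user": m["user"],
                         "denied": "NOT in sudoers" in rest, "command": cmd})
    return findings


def audit_sample():
    """Run the audit over the constructed log with alice as the only admin."""
    return audit_sudo(SAMPLE_AUTH_LOG, {"alice"}, EXPOSURE_START, EXPOSURE_END)
```

A real run would feed the rotated auth.log files of each affected host and the project's admin list from the time of the incident; a successful sudo by a non-admin inside the window is the event worth following up.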
>
> -- Legoktm