Sysadmin:Security
From UGCS
Revision as of 21:46, 8 October 2007
Known Problems
- Users could DoS our Kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity.
Probable Problems
- All the python we wrote needs to be double-checked
- Kerberos security holes that need to be patched urgently
  - krb5-admin-server: up to date on zeus and that's all we need to worry about in terms of major major exploits at the moment --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
  - linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. Working on backporting a fix and getting it compiled by hephaestus. --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
  - Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when) - Joshua
Possible problems
- Cfengine can be used to break into machines
- Credit to sle from OCF: possible race condition in cgi-wrapper and php-wrapper - need to perform chdir after dropping privileges
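The ordering sle's note calls for, as an added example rather than the UGCS cgi-wrapper or php-wrapper source: a setuid wrapper should drop to the target user (supplementary groups, then gid, then uid, then verify root cannot be regained) before it calls chdir(), so that the directory change and every relative path lookup after it are checked against the user's own permissions instead of root's. The function names, the use of 65534 as a stand-in for "nobody", and the /tmp demo are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() in glibc's <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch irreversibly to uid/gid and verify that root cannot be regained.
 * Returns 0 on success, -1 on failure with errno set. Refuses uid/gid 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Supplementary groups and the primary gid must be set while still root;
     * after setuid() to an unprivileged user these calls are refused. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if ((getgid() != gid || getegid() != gid) && setgid(gid) != 0)
        return -1;
    if ((getuid() != uid || geteuid() != uid) && setuid(uid) != 0)
        return -1;
    /* Verify the drop: every id matches and a switch back to root fails. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Unsafe order: chdir() runs with root's rights, so it enters any directory
 * (including one reached through a user-controlled symlink) regardless of
 * what the user may access, and later relative path lookups start there. */
int enter_script_dir_unsafe(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)
        return -1;
    return drop_privileges(uid, gid);
}

/* Safe order: drop first, then chdir(), so the directory change and every
 * relative open() of the script are checked against the user's own rights. */
int enter_script_dir_safe(const char *dir, uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return chdir(dir);
}

/* Check helper: 1 if the current working directory equals path, else 0. */
int cwd_is(const char *path)
{
    char buf[4096];
    return getcwd(buf, sizeof buf) != NULL && strcmp(buf, path) == 0;
}

int main(void)
{
    /* Constructed demo: as an ordinary user this reaffirms our own ids and
     * enters /tmp; as root it would switch to 65534 (assumed to be nobody). */
    uid_t uid = getuid() != 0 ? getuid() : (uid_t)65534;
    gid_t gid = getgid() != 0 ? getgid() : (gid_t)65534;
    if (enter_script_dir_safe("/tmp", uid, gid) != 0) {
        perror("enter_script_dir_safe");
        return 1;
    }
    printf("running as uid=%ld gid=%ld, cwd is /tmp: %d\n",
           (long)getuid(), (long)getgid(), cwd_is("/tmp"));
    return 0;
}
```

The verification step after setuid() matters as much as the order: a wrapper that only calls setuid() and carries on will keep running as root if the call fails, whereas this one treats any leftover root id, or a successful setuid(0), as a fatal error before it touches the filesystem on the user's behalf.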
Policies
Password Resets
- If they have access to an email account that's in their mailAlternateAddress, send them a randomized password (md5sum'ing random stuff)
- If they have a phone number in LDAP, and we can call them on that, use it