Sysadmin:Security

From UGCS

(Difference between revisions)

Revision as of 08:07, 22 October 2007

Users could DoS our kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity
Symlink attack possible to gain access to Apache Kerberos service keytab for Poseidon

All the python we wrote needs to be double-checked
Machines need to be kept up to date at minimum once a week (every 3 days is preferable if time available)

Credit to sle from OCF: possible race condition in cgi-wrapper and php-wrapper - need to perform chdir after dropping privileges
Kerberos security holes that need to be patched urgently
- krb5-admin-server: up to date on zeus and that's all we need to worry about in terms of major major exploits at the moment --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. working on backporting a fix and getting it compiled by hephaestus. --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
- Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when)- Joshua

If they have access to an email account that's in their mailAlternateAddress, send them a randomized password (md5sum'ing random stuff)
If they have a phone number in ldap, and we can call them on that, use it
Use ssh pubkey to encrypt password if ssh key available

@@ Line 1: / Line 1: @@
 ==Known Problems==
 *Users could DoS our kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity
+* Symlink attack possible to gain access to Apache Kerberos service keytab for Poseidon
 ==Probable Problems==