Sysadmin:Security
From UGCS
(Difference between revisions)
m (sigh.) |
m (fixed) |
||
| Line 2: | Line 2: | ||
*Users could DoS our kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity | *Users could DoS our kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity | ||
* Symlink attack possible to gain access to Apache Kerberos service keytab for Poseidon | * Symlink attack possible to gain access to Apache Kerberos service keytab for Poseidon | ||
| − | |||
==Probable Problems== | ==Probable Problems== | ||
| Line 18: | Line 17: | ||
* linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. working on backporting a fix and getting it compiled by hephaestus. --[[User:Elizabeth@ugcs.caltech.edu|Elizabeth@ugcs.caltech.edu]] 05:56, 26 September 2007 (PDT) | * linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. working on backporting a fix and getting it compiled by hephaestus. --[[User:Elizabeth@ugcs.caltech.edu|Elizabeth@ugcs.caltech.edu]] 05:56, 26 September 2007 (PDT) | ||
** Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when)- Joshua | ** Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when)- Joshua | ||
| + | * CVE-2007-4995 openssl vulnerability - need to upgrade all core servers | ||
| + | ** Note: debian's automated install does NOT auto-restart impacted services, so an lsof is needed to check for 'path inode' values indicating use of replaced library | ||
==Policies== | ==Policies== | ||
Revision as of 10:51, 24 October 2007
Contents |
Known Problems
- Users could DoS our kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity
- Symlink attack possible to gain access to Apache Kerberos service keytab for Poseidon
Probable Problems
- All the python we wrote needs to be double-checked
- Machines need to be kept up to date at minimum once a week (every 3 days is preferable if time available)
Possible problems
- Cfengine can be used to break into machines
Fixed problems
- Credit to sle from OCF: possible race condition in cgi-wrapper and php-wrapper - need to perform chdir after dropping privileges
- Kerberos security holes that need to be patched urgently
- krb5-admin-server: up to date on zeus and that's all we need to worry about in terms of major major exploits at the moment --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
- linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. working on backporting a fix and getting it compiled by hephaestus. --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
- Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when)- Joshua
- CVE-2007-4995 openssl vulnerability - need to upgrade all core servers
- Note: debian's automated install does NOT auto-restart impacted services, so an lsof is needed to check for 'path inode' values indicating use of replaced library
Policies
Password Resets
- If they have access to an email account that's in their mailAlternateAddress, send them a randomized password (md5sum'ing random stuff)
- If they have a phone number in ldap, and we can call them on that, use it
- Use ssh pubkey to encrypt password if ssh key available
- If these fail, and their full name is listed on the UGCS account, confirm records with the Alumni Assoc.
