Sysadmin:Security

Known Problems

• Users could DoS our kerberos admin server by using the newacct-creator keytab to create lots of new principals. Minor severity
• Symlink attack possible to gain access to Apache Kerberos service keytab for Poseidon
• CVE-2007-4995 openssl vulnerability - need to upgrade all core servers

Probable Problems

• All the python we wrote needs to be double-checked
• Machines need to be kept up to date at minimum once a week (every 3 days is preferable if time available)

Possible problems

• Cfengine can be used to break into machines

Fixed problems

• Credit to sle from OCF: possible race condition in cgi-wrapper and php-wrapper - need to perform chdir after dropping privileges
• Kerberos security holes that need to be patched urgently
  • krb5-admin-server: up to date on zeus and that's all we need to worry about in terms of major major exploits at the moment --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
• linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. working on backporting a fix and getting it compiled by hephaestus. --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
  • Fixed by installing the debian linux-2.6.18-5-dpkg package (forget when)- Joshua

Policies

Password Resets

• If they have access to an email account that's in their mailAlternateAddress, send them a randomized password (md5sum'ing random stuff)
• If they have a phone number in ldap, and we can call them on that, use it
• Use ssh pubkey to encrypt password if ssh key available
• If these fail, and their full name is listed on the UGCS account, confirm records with the Alumni Assoc.