[SAC] Re: Subject: [Technical Problem] can't register on trac

Martin Spott Martin.Spott at mgras.net
Tue Apr 10 02:00:36 EDT 2012


On Mon, Apr 09, 2012 at 05:25:35PM -0700, Frank Warmerdam wrote:

> I have, for the time being, re-enabled the new user script.  You might
> want to use it promptly before Martin disables it again.

No, I won't disable it again.  Anyhow, I'd like to remind you that, by
running this setup, you/we are putting the crown jewels of OSGeo's
authentication system at risk.

Think of it this way: If you look a bit closer, you'll realize that
the simple act of running PHP on whichever webserver is widely being
considered a security hole on its own.  I confess the statistics
might be a bit biased because the many WordPress sites getting
hacked every day are counted in, but, anyhow, really sensitive sites
usually don't do this.

Now put a huge PHP-based web framework on top of that, containing more
PHP code than you probably ever read in your lifetime  ;-)
I'd say that's an even bigger risk - and then take into account that
the system in question was almost completely unmaintained.  When I
looked at it yesterday evening, there were approx. 40 ! security
fixes pending - including updates to fix known issues in PHP and
OpenSSL.

And this site has scripts directly accessible ! from the Apache
webserver containing the core credentials for the LDAP authentication
system.  Do you think that's responsible?

Setting up cool stuff is one side of the medal, maintaining the stuff
is the other side.  If people are incapable of maintaining that many
VM's, then I'd recommend not running that many machines.  As a
short-term solution for the Python scripts in question I'd propose to
consider moving the LDAP credentials out of the main script(s) into a
separate place which is not accessible from the web server - and to
make use of some include directive in order to refer to these
credentials from the respective Python scripts.
An alternative might be to set a specific environment for the Python
scripts and then to refer to the values of environment variables for
the credentials.

Personally I'm regularly checking the secure, backup, wiki and projects
VM for pending updates and I know Markus Neteler is doing the same for
a couple of VM's as well.  In general I think it's reasonable to expect
from those who've been installing core services on any of the VM's to
maintain security updates there.

Cheers,
	Martin.
-- 
 Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
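The separation Martin proposes above (LDAP bind credentials read from environment variables, or from a file that the web server cannot serve, instead of being written into the web-accessible Python script) as an added Python example; this is not code from the post or from OSGeo's setup, and the environment variable names, the key=value file format and the paths used are assumptions.

```python
import os
import stat
from typing import Mapping, NamedTuple, Optional

class LdapCredentials(NamedTuple):
    bind_dn: str
    password: str

# Hypothetical variable names (an assumption, not OSGeo's configuration).
ENV_DN = "OSGEO_LDAP_BIND_DN"
ENV_PW = "OSGEO_LDAP_BIND_PW"

def is_outside_webroot(path: str, docroot: str) -> bool:
    """True when path cannot be served by Apache (it is not under docroot)."""
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([real, root]) != root

def parse_credentials(text: str) -> LdapCredentials:
    """Parse a small 'key = value' file; blank and '#' lines are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split once: DNs contain '=' too
        values[key.strip()] = value.strip()
    try:
        return LdapCredentials(values["bind_dn"], values["password"])
    except KeyError as missing:
        raise ValueError(f"credentials file lacks key {missing}") from None

def from_environment(env: Mapping[str, str]) -> Optional[LdapCredentials]:
    """Credentials handed to the process through environment variables."""
    if ENV_DN in env and ENV_PW in env:
        return LdapCredentials(env[ENV_DN], env[ENV_PW])
    return None

def load_credentials(path: str, docroot: str,
                     env: Mapping[str, str] = os.environ) -> LdapCredentials:
    """Prefer the environment; otherwise read a mode-0600 file outside docroot."""
    creds = from_environment(env)
    if creds is not None:
        return creds
    if not is_outside_webroot(path, docroot):
        raise PermissionError(f"{path} lies under {docroot}; refusing to read it")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # group/world bits must be clear
        raise PermissionError(f"{path} has mode {mode:o}; expected 0600")
    with open(path, encoding="utf-8") as fh:
        return parse_credentials(fh.read())
```

The web-served script then only calls load_credentials(), so a misconfigured Apache that exposes the script's source reveals no bind password.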