[SAC] Re: [OSGeo] #346: MapGuide upload permissions too open

OSGeo trac_osgeo at osgeo.org
Sat Mar 28 16:17:53 EDT 2009


#346: MapGuide upload permissions too open
----------------------+-----------------------------------------------------
  Reporter:  jbirch   |       Owner:  sac at lists.osgeo.org
      Type:  task     |      Status:  closed             
  Priority:  normal   |   Component:  SAC                
Resolution:  wontfix  |    Keywords:                     
----------------------+-----------------------------------------------------
Changes (by jbirch):

  * summary:  MapGuide download permissions too open => MapGuide upload
              permissions too open

Comment:

 My main concern was that if an account got compromised (which is a
 reasonable possibility since we aren't requiring SSL for all LDAP-based
 services, such as Trac logins) then the MapGuide downloads could be
 compromised.  With most accounts on that server having wheel, I guess the
 initial request is pointless :)

 I'm not sure how we could keep an eye on things; is there some kind of
 change log for files on that share?  I think Howard suggested using SVN to
 store MD5 strings of the files.  That's not a bad idea at all.  I don't
 think that the MapGuide Drupal site is under LDAP yet, so continuing to
 post the md5 sums on a web page there is probably enough isolation still.

 I was thinking about some kind of automated process to check the files
 against md5 sums in SVN, but to be efficient that process would have to
 reside on the same server, so it's not really much additional protection.

-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/346#comment:2>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
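
The check discussed in the comment above, sketched as an added example (not code from the ticket or from OSGeo): it compares a download directory with an md5sum-format manifest and reports modified, missing and unlisted files. Function names, file names and sample contents are constructed; the manifest is assumed to come from a separate source such as the SVN checkout the comment mentions.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex>  <path>') into {path: digest}."""
    expected = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name:
            expected[name.strip().lstrip("*")] = digest.lower()
    return expected

def file_digest(path, algo="md5"):
    """Hash a file in chunks; md5 matches the sums mentioned in the ticket."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, expected, algo="md5"):
    """Compare every file under root with the manifest entries."""
    report = {"modified": [], "missing": [], "unlisted": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                report["unlisted"].append(rel)   # on the share, never recorded
            elif file_digest(full, algo) != expected[rel]:
                report["modified"].append(rel)   # content differs from record
    report["missing"] = list(set(expected) - seen)
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Constructed sample: record three files, then change the directory."""
    files = {"release-a.zip": b"alpha", "release-b.exe": b"beta",
             "release-c.tar.gz": b"gamma"}
    manifest = "\n".join(f"{hashlib.md5(data).hexdigest()}  {name}"
                         for name, data in files.items())
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "release-b.exe"), "wb") as fh:
            fh.write(b"replaced")                 # simulated modification
        os.remove(os.path.join(root, "release-c.tar.gz"))
        with open(os.path.join(root, "extra.zip"), "wb") as fh:
            fh.write(b"new upload")               # simulated unrecorded upload
        return audit(root, parse_manifest(manifest))

if __name__ == "__main__":
    print(demo())
```

Reporting unlisted files as well as mismatches covers the upload case in the ticket title, where a new file appears that was never recorded in the manifest.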