[SAC] OSGeo security reminder ....
Frank Warmerdam
warmerdam at pobox.com
Mon Apr 9 18:36:12 EDT 2012
On Mon, Apr 9, 2012 at 3:28 PM, Martin Spott <Martin.Spott at mgras.net> wrote:
> Hi folks,
> the Python script "ldap_group.py" (among others) contains the master
> LDAP admin password _hardcoded_ and is world-readable.
Martin,
It would be helpful to specify what system this is on.
> Thus everybody having shell-access to this machine can read the most
> essential LDAP credits directly - and all the other ones are probably
> having easy read access via Apache modules with known security holes,
> because nobody of those who set this machine up had been taking care of
> applying at least the most essential security fixes.
>
> I wonder why people had been in favour of setting up that many
> different VM's if they are incapable of maintaining all these machines
> and don't understand at least the basics of IT security.
...
> Ah, btw, as an immediate measure, I've changed these files to 640. As a
> consequence they probably don't work today.
I have confirmed you have broken the scripts. So how shall we deal with
this? Shall I just change it back? Or should I just go off in a huff in the
face of your actions?
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Software Developer