[SAC] OSGeo security reminder ....

Alex Mandel tech_dev at wildintellect.com
Mon Apr 9 22:02:33 EDT 2012


On 04/09/2012 03:28 PM, Martin Spott wrote:
> Hi folks,
> the Python script "ldap_group.py" (among others) contains the master
> LDAP admin password _hardcoded_ and is world-readable.
>
> Thus everybody having shell-access to this machine can read the most
> essential LDAP credits directly - and all the other ones are probably
> having easy read access via Apache modules with known security holes,
> because nobody of those who set this machine up had been taking care of
> applying at least the most essential security fixes.
>
> I wonder why people had been in favour of setting up that many
> different VMs if they are incapable of maintaining all these machines
> and don't understand at least the basics of IT security.
>
> Cheers,
> 	Martin.

The general purpose of the separation by vm is to prevent problems on 
one machine from encroaching on others and allow finer grained security 
(meaning groups can be given access to one without access to all). As is 
the case here, the machines with major LDAP functionality are not open 
to people outside of SAC and those are the people we want to be able to 
read that file. As for ensuring it can't be sniffed via apache exploits 
we should look into a solution.

I think you raise a good point and we should consider doing automatic 
security updates or a scheduled time each month. The biggest problem 
that poses is not doing major kernel upgrades on machines sensitive to 
changes in the kernel related to compiling (unlikely) or other custom 
built things with various version specific deps. Do you know how to 
implement auto security patching via apt preferences (Ubuntu has this 
option at install and I've read you can implement it after the fact)?
Based on that I would say everything but Projects and Adhoc could move 
to this auto-update option without much review.

In the future an email before disabling a major service, except in the 
case of protection against an active problem (active hack, disk dying, 
overheating servers, etc.), would be appreciated.

Thanks,
Alex

PS: Anyone else from SAC @ FOSS4G-na so we can talk in person about issues?
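Added example, not from this thread and not SAC's or OSGeo's own configuration: a POSIX shell script that renders the two apt.conf.d fragments Alex asks about (unattended-upgrades limited to the release's security pocket, with kernel image/header packages blacklisted so the hosts sensitive to kernel changes are left alone and no automatic reboot), plus a find/grep check for the class of problem Martin raised: a world-readable file that carries a credential. Assumptions: Debian/Ubuntu with the unattended-upgrades package installed, the `${distro_id}:${distro_codename}-security` origin syntax (unattended-upgrades as shipped with Ubuntu 12.04 and later), and the destination directory, notification address and search pattern passed in as parameters so nothing here touches /etc until you ask it to.

```shell
#!/bin/sh
# Example added to the SAC thread; not OSGeo's configuration.
# Assumes Debian/Ubuntu with the "unattended-upgrades" package installed.

# APT::Periodic settings that make the daily cron job refresh lists and
# run unattended-upgrade. Goes into apt.conf.d/20auto-upgrades.
render_auto_upgrades() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Policy for unattended-upgrade itself (apt.conf.d/50unattended-upgrades).
# $1 = address that receives the report of every run that changed something.
render_unattended_upgrades() {
    mail_to="$1"
    cat <<'EOF'
// Only the security pocket of the release we run: no -updates, no backports.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
// Regular expressions matched against package names: keep every kernel
// image/header package out of the automatic run.
Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "linux-headers-";
};
// Never reboot on its own; a human decides when a kernel goes in.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
    printf 'Unattended-Upgrade::Mail "%s";\n' "$mail_to"
    printf 'Unattended-Upgrade::MailOnlyOnError "false";\n'
}

# Write both fragments into $1 (normally /etc/apt/apt.conf.d), mailing $2.
install_auto_updates() {
    confdir="$1"
    mail_to="$2"
    mkdir -p "$confdir"
    render_auto_upgrades > "$confdir/20auto-upgrades"
    render_unattended_upgrades "$mail_to" > "$confdir/50unattended-upgrades"
    chmod 644 "$confdir/20auto-upgrades" "$confdir/50unattended-upgrades"
}

# List regular files under $1 that are readable by "other" (mode bit 004)
# and contain the extended regex $2. With a password-assignment pattern this
# finds scripts like the one Martin describes: a hardcoded credential that
# every shell account on the box can read.
find_world_readable_matching() {
    find "$1" -type f -perm -004 -exec grep -lE "$2" {} + 2>/dev/null | sort
}

# Usage: ./auto-updates.sh --install root@example.org   (hypothetical address)
if [ "${1:-}" = "--install" ]; then
    install_auto_updates /etc/apt/apt.conf.d "${2:-root}"
    echo "Review the result with: unattended-upgrade --dry-run"
fi
```

After installing for real, `unattended-upgrade --dry-run` shows which packages the next run would take and which the blacklist holds back, which is the check to run before trusting this on the Projects and Adhoc VMs. The credential scan reports files, not lines, so the secret itself never lands in the report.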

