Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#346 closed task (wontfix)

MapGuide upload permissions too open

Reported by: jbirch Owned by: sac@…
Priority: normal Milestone:
Component: SysAdmin Keywords:
Cc: tomfukushima, robertbray

Description

Currently, the mapguide download folder is writable by any user in the users group.

Could you please create a "mapguide" group so that we can better control write access to this directory structure?

Change History (3)

comment:1 by warmerdam, 15 years ago

Resolution: wontfix
Status: newclosed

Jason,

Currently there should be several folks with accounts on upload.osgeo.org who can use sudo to create new groups as required.

Note that essentially all users on this system have sudo access to restrictive permissions will be at best a clue to others that they should not be messing in this directory. It won't actually prevent access. So perhaps it is sufficient to keep an occasional eye on things?

comment:2 by jbirch, 15 years ago

Summary: MapGuide download permissions too openMapGuide upload permissions too open

My main concern was that if an account got compromised (which is a reasonable possibility since we aren't requiring SSL for all LDAP-based services, such as Trac logins) then the MapGuide downloads could be compromised. With most accounts on that server having wheel, I guess the initial request is pointless :)

I'm not sure how we could keep an eye on things; is there some kind of change log for files on that share? I think Howard suggested using SVN to store MD5 strings of the files. That's not a bad idea at all. I don't think that the MapGuide Drupal site is under LDAP yet, so continuing to post the md5 sums on a web page there is probably enough isolation still.

I was thinking about some kind of automated process to check the files against md5 sums in SVN, but to be efficient that process would have to reside on the same server, so it's not really much additional protection.

comment:3 by warmerdam, 15 years ago

Jason,

The download server offers rsync downloads. You might want to setup a server on which the files are rsync'ed and checked. Currently the files are already rsynced to osgeo2, so if you wanted to setup an md5 checksum tester, that might be a good place.

Alternatively, we could go back to using local accounts instead of LDAP accounts for access to the telascience blades, and reduce the risk of a compromise due to LDAP account breakage.

Note: See TracTickets for help on using tickets.