Re: [Emc-developers] the buildbot machine is ready
This is surely OT for the emc list, so further replies/comments will be off list. Just this last one on the list ;) Let me tell you, from PERSONAL experience, that there are professional bank criminals that are searching the net continuously for systems with snip Jon I'm still looking for an even more robust scheme, some kind of challenge/response that doesn't require a computer to formulate the response. Set up iptables to block everything (except public services like 80). Then use a port knocking program to temporarly open up ssh (or whatever port you need) only on request. Then you have a client for the knocking (on linux, windows, whatever) which sends some packets to a certain number of ports on your PC. Everything beeing blocked nothing happens, but the requests get logged, and the port knocking server looks int eh logs for certain patterns (say port 1000, 1200, 1300, 1207, 1507, etc.). Only when it sees a valid pattern it opens up port 22 for a couple of seconds. (or until the first connection is done). It really feels like one of the more robust security systems. Regards, Alex - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
Sebastian Kuzminsky wrote: # let the farm user run sudo make setuid without a password by adding this line to /etc/sudoers: farmer ALL = ALL, NOPASSWD: /usr/bin/make setuid This part raises a red flag for me, as I mentioned on IRC last night. If you set this passwordless sudo, then it is theoretically possible for somebody to check a trojan makefile into our CVS, and a few minutes later it would run on your box as root. If your buildbot system is a dedicated virtual machine used for nothing else, the risk is probably tolerable. I would NOT make this change to /etc/sudoers if farmer is a user on a non-virtual machine that you use for other things. The odds of such a thing happening are slim - Joe Hacker can't commit a trojan, only someone with commit access to the server could do it. And, the CVS logs would tell us exactly who it was, so we could give them the beating they so richly deserve. But the risk needs to be acknowledged. Note that the sudo make setuid step of the build process is NOT needed if all we want to do is test compiles. It IS needed if we want to run the test suite, which would be nice to do. (The current compile farm is not running the test suite.) I'm not sure if sim-only system need to run the make setuid step or not. We'll be hashing out the details over the next few days. Regards, John Kasunich - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
On Fri, Nov 14, 2008 at 03:09:43PM -0500, John Kasunich wrote: I'm not sure if sim-only system need to run the make setuid step or not. Nope. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
On Friday 14 November 2008 21:09:43 John Kasunich wrote: Sebastian Kuzminsky wrote: # let the farm user run sudo make setuid without a password by adding this line to /etc/sudoers: farmer ALL = ALL, NOPASSWD: /usr/bin/make setuid This part raises a red flag for me, as I mentioned on IRC last night. If you set this passwordless sudo, then it is theoretically possible for somebody to check a trojan makefile into our CVS, and a few minutes later it would run on your box as root. If your buildbot system is a dedicated virtual machine used for nothing else, the risk is probably tolerable. I would NOT make this change to /etc/sudoers if farmer is a user on a non-virtual machine that you use for other things. The odds of such a thing happening are slim - Joe Hacker can't commit a trojan, only someone with commit access to the server could do it. And, the CVS logs would tell us exactly who it was, so we could give them the beating they so richly deserve. But the risk needs to be acknowledged. They guy has root access to the machine, so he can manipulate the CVS database and obfuscate the commit. Heck, he can even start a telnet/ssh session or whatever. He's root! I don't think there is a solution for this, however. If you want to run a component of the repository (be it the makefile or the setuid programs itself) as root, you need to trust your committer. You could run it in qemu or whatever, but what is it good for then, if you don't have the real hardware access to test RT... (Two seperate machines could be a solution, well...) -- Greetings Michael. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
Michael Buesch wrote: On Friday 14 November 2008 21:09:43 John Kasunich wrote: Sebastian Kuzminsky wrote: # let the farm user run sudo make setuid without a password by adding this line to /etc/sudoers: farmer ALL = ALL, NOPASSWD: /usr/bin/make setuid This part raises a red flag for me, as I mentioned on IRC last night. If you set this passwordless sudo, then it is theoretically possible for somebody to check a trojan makefile into our CVS, and a few minutes later it would run on your box as root. If your buildbot system is a dedicated virtual machine used for nothing else, the risk is probably tolerable. I would NOT make this change to /etc/sudoers if farmer is a user on a non-virtual machine that you use for other things. The odds of such a thing happening are slim - Joe Hacker can't commit a trojan, only someone with commit access to the server could do it. And, the CVS logs would tell us exactly who it was, so we could give them the beating they so richly deserve. But the risk needs to be acknowledged. They guy has root access to the machine, so he can manipulate the CVS database and obfuscate the commit. The CVS database isn't on any machine that a malicious committer has access to. The attacker would only have root access on the slave machine, which uses an anonymous checkout from the CVS server. Heck, he can even start a telnet/ssh session or whatever. He's root! To what? Again, the hypothetical attacker has no login for the CVS server. I don't think there is a solution for this, however. If you want to run a component of the repository (be it the makefile or the setuid programs itself) as root, you need to trust your committer. These scripts don't run on the CVS server, they run on machines that volunteers (like you :) ) would set up. The potential issue is that you, as a volunteer, could allow root access to your machine. That's why John K suggested that a safe thing to do is to use a VM only. You could run it in qemu or whatever, but what is it good for then, if you don't have the real hardware access to test RT... (Two seperate machines could be a solution, well...) Yeah, RT testing opens up interesting issues. What if some RT module crashes the machine? Also the testing can't be comprehensive, since the buildbot machines are unlikely to have any hardware other than a parallel port (if that), so we can't actually test all of the RT drivers anyway. - Steve - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
Stephen Wille Padnos wrote: Yeah, RT testing opens up interesting issues. What if some RT module crashes the machine? Also the testing can't be comprehensive, since the buildbot machines are unlikely to have any hardware other than a parallel port (if that), so we can't actually test all of the RT drivers anyway. If a buildslave crashes, the buildmaster will notice it and send an email to the admin for that buildslave. And man oh man, I would love to set up a big Rube Goldberg machine to do actual physical-real-world testing. Steppers turning shafts with encoders, motors moving levers into switches, etc etc. It'd be awesome! You could have two machines next to each other, one running a trusted version of EMC2, administering the test to the experimental one. You could do actual closed-loop validation of the whole system. Just need a patron to fund house the test system... -- Sebastian Kuzminsky how many no money boys are crazy how many boys are raw how many no money boys are rowdy how many start a war - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
On Fri, 2008-11-14 at 14:14 -0700, Sebastian Kuzminsky wrote: Stephen Wille Padnos wrote: Yeah, RT testing opens up interesting issues. What if some RT module crashes the machine? Also the testing can't be comprehensive, since the buildbot machines are unlikely to have any hardware other than a parallel port (if that), so we can't actually test all of the RT drivers anyway. If a buildslave crashes, the buildmaster will notice it and send an email to the admin for that buildslave. And man oh man, I would love to set up a big Rube Goldberg machine to do actual physical-real-world testing. Steppers turning shafts with encoders, motors moving levers into switches, etc etc. It'd be awesome! You could have two machines next to each other, one running a trusted version of EMC2, administering the test to the experimental one. You could do actual closed-loop validation of the whole system. Just need a patron to fund house the test system... I don't understand this thread that well, but what are the basics of what is needed? A pair of Internet accessible PC's running EMC2, stepper and servo axes? I have a T1, static IP's, second hand PC's and a few other bits. Kirk http://www.wallacecompany.com/machine_shop/ - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
On Friday 14 November 2008 21:58:56 Stephen Wille Padnos wrote: These scripts don't run on the CVS server, Ok, I thought this would run on the machine running the server. -- Greetings Michael. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
Kirk Wallace wrote: On Fri, 2008-11-14 at 14:14 -0700, Sebastian Kuzminsky wrote: Stephen Wille Padnos wrote: Yeah, RT testing opens up interesting issues. What if some RT module crashes the machine? Also the testing can't be comprehensive, since the buildbot machines are unlikely to have any hardware other than a parallel port (if that), so we can't actually test all of the RT drivers anyway. If a buildslave crashes, the buildmaster will notice it and send an email to the admin for that buildslave. And man oh man, I would love to set up a big Rube Goldberg machine to do actual physical-real-world testing. Steppers turning shafts with encoders, motors moving levers into switches, etc etc. It'd be awesome! You could have two machines next to each other, one running a trusted version of EMC2, administering the test to the experimental one. You could do actual closed-loop validation of the whole system. Just need a patron to fund house the test system... I don't understand this thread that well, but what are the basics of what is needed? A pair of Internet accessible PC's running EMC2, stepper and servo axes? I have a T1, static IP's, second hand PC's and a few other bits. Ignore my daydreaming above ;-) What we could use right now is a couple of machines that can check out and compile our software, and can run python code (buildbot and twisted). We dont need static IPs or anything fancy, though those things wont disqualify you. It's good but not necessary if the machines can stay up and be connected to the net for long periods of time. These computers would become buildslaves, which means they'd be pretty similar to what farm slots are in the current Compile Farm. -- Sebastian Kuzminsky how many no money boys are crazy how many boys are raw how many no money boys are rowdy how many start a war - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
Michael Buesch wrote: I don't think there is a solution for this, however. If you want to run a component of the repository (be it the makefile or the setuid programs itself) as root, you need to trust your committer. You can set sudo to allow only specific programs from specific directories to be executed. That includes even specific system command, like cp, mv, mkdir, etc. Jon - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers
Re: [Emc-developers] the buildbot machine is ready
It seems like a buildbot would be a great application to put on a live CD image have it boot and run possibly even no hard drive. It would even be possible to setup a cron job to reboot (view as purging memory based nasties). It is hard to hack a cdrom filesystem!. cheers On Fri, 2008-11-14 at 23:47 +0100, Michael Buesch wrote: On Friday 14 November 2008 23:34:27 Jon Elson wrote: Michael Buesch wrote: I don't think there is a solution for this, however. If you want to run a component of the repository (be it the makefile or the setuid programs itself) as root, you need to trust your committer. You can set sudo to allow only specific programs from specific directories to be executed. That includes even specific system command, like cp, mv, mkdir, etc. Yeah, well. But we _want_ the setuid applications from the emc2 repository to run as root. And a committer has full control over the sources... ;) No matter if you use sudo or some other mechanism. We use sudo in the first place to get setuid root bit set on those applications the attacker has full sourcecode control over. So the question really only is: 1) Do we need these root hacks do do proper tests? 2) If yes, can we setup a sandbox for the test? A an acceptable sandbox would probably only be to reset the complete harddisk image to a known state, make an emc2 checkout/compile/testrun and discard the harddisk contents. -- = Lawrence Glaister VE7IT mailto:[EMAIL PROTECTED] 1462 Madrona Drive Nanoose Bay, B.C.http://members.shaw.ca/swstuff Canada V9P 9C9 http://gspy.sourceforge.net = - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Emc-developers mailing list Emc-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/emc-developers