Re: June status update for Fedora Infrastructure Apprentices

On 06/06/2014 10:23 PM, Kevin Fenzi wrote:
> Greetings.
>
> You are getting this email because you are in the 'fi-apprentice' group
> in the fedora account system (or are reading this on the infrastructure
> list). Feel free to reply just directly to me, or cc the infrastructure
> list for everyone to see and comment on.
>
> https://fedoraproject.org/wiki/Infrastructure_Apprentice
>
> At the first of every month (or so), I am going to be sending out an
> email like this one. I would like feedback on how things are going for
> you. I'd like to ask for everyone to send me a quick reply with the
> following data or anything related you can think of that might help us
> make the apprentice program more useful.
>
> 0. What's your fedora account system login?

axilleas

> 1. Have you logged in and used your fi-apprentice membership to look at
> our machines/setup in the last month? Do you plan to?

Unfortunately, no... It's been a pretty busy month; hopefully I'll have
some more time in the following ones.

> 2. Has it helped you decide any area you wish to focus on or contribute
> to more?
>
> 3. Have you looked at or been able to work on any of the fi-apprentice
> 'easyfix' tickets?
> https://fedorahosted.org/fedora-infrastructure/report/14

Yes, in particular #4290, #3792, #4212, #2931, #3617, but I didn't find
the time yet to work on some. #4290 looks like the perfect candidate to
get someone started on working with ansible.

> 4. Do you still wish to be a member of the group? If not (for whatever
> reason) could you provide any hints to help others down the road?

Of course :)

> 5. Is there any help or communication or ideas you have that would help
> you do any of the above?
>
> 6. What do you find to be the hardest part of getting involved? Finding
> things to work on? Getting attention from others to help you? Finding
> tickets in your interest area?

Time...

> 7. Have you been able to make any weekly irc meetings? Do you find them
> helpful or interesting?

I have, but I've lost quite a few. Will get back on track on June 19 and
afterwards, since right now I cannot make the particular time the meeting
occurs. You may see me online as I use znc. Oh, and I always read the
logs :)

> 8. What's your most used command in your bash history?
> (run: cut -d\ -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed 's/.*//g' to see)
> (if using zsh: history 1 | awk '{print $2}' | sort | uniq -c | sort -rn | head -n1 )

I use zsh and I had to remove the 1 after history ;)
So, my top used command is:

1100 git

> Any other general feedback is also quite welcome, including improvements
> to this email, the wiki page, etc.
>
> Any folks I do not hear from in the next week will be removed from the
> group. (Note that it's easy to be readded when you have time or whatever
> and it's nothing at all personal, we just want to keep the group up to
> date with active folks).
>
> Thanks, and looking forward to your feedback!
>
> kevin

--
FAS : axilleas
GPG : 0xABF99BE5
Blog: http://axilleas.me
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Re: June status update for Fedora Infrastructure Apprentices

> 0. What's your fedora account system login?

tiansworld

> 1. Have you logged in and used your fi-apprentice membership to look at
> our machines/setup in the last month? Do you plan to?

No, I tried to log in, but was denied. It seems that I'm not in the
group. But I'm willing to log in to explore the machines and give any
help that I can. (I am not an admin and I don't have server maintenance
experience.)

> 2. Has it helped you decide any area you wish to focus on or contribute
> to more?
>
> 3. Have you looked at or been able to work on any of the fi-apprentice
> 'easyfix' tickets?
> https://fedorahosted.org/fedora-infrastructure/report/14

Not yet.

> 4. Do you still wish to be a member of the group? If not (for whatever
> reason) could you provide any hints to help others down the road?

Yes

> 5. Is there any help or communication or ideas you have that would help
> you do any of the above?

No

> 6. What do you find to be the hardest part of getting involved? Finding
> things to work on? Getting attention from others to help you? Finding
> tickets in your interest area?

Finding things to work on. I am not a system admin, and I don't have any
experience in this area. So it's really hard for me to find what I can do
in the infrastructure team. Also lots of my time is contributed to Fedora
L10n. But I am still glad to do something helpful here.

> 7. Have you been able to make any weekly irc meetings? Do you find them
> helpful or interesting?

Haven't attended any infrastructure weekly irc meetings.

> 8. What's your most used command in your bash history?
> (run: cut -d\ -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed 's/.*//g' to see)
> (if using zsh: history 1 | awk '{print $2}' | sort | uniq -c | sort -rn | head -n1 )

74 ssh

Mostly I use ssh to access my raspberry pi and my parents' machine;
sometimes I ssh to fedora-docs to fix some bugs.

--
Regards,
Tian Shixiong (Tiansworld)
Fedora Project Contributor
Re: June status update for Fedora Infrastructure Apprentices

On Fri, 2014-06-06 at 13:23 -0600, Kevin Fenzi wrote:
> 0. What's your fedora account system login?

bochecha

> 1. Have you logged in and used your fi-apprentice membership to look at
> our machines/setup in the last month? Do you plan to?

I did, looking at the way the lookaside cache is deployed in Puppet.

> 2. Has it helped you decide any area you wish to focus on or contribute
> to more?

No, I knew already.

> 3. Have you looked at or been able to work on any of the fi-apprentice
> 'easyfix' tickets?
> https://fedorahosted.org/fedora-infrastructure/report/14

I didn't look.

> 4. Do you still wish to be a member of the group?

Yes.

> 5. Is there any help or communication or ideas you have that would help
> you do any of the above?

Can you make my days last 40 hours? :)

> 6. What do you find to be the hardest part of getting involved? Finding
> things to work on? Getting attention from others to help you? Finding
> tickets in your interest area?

Nothing's hard, just need time to get things done.

> 7. Have you been able to make any weekly irc meetings? Do you find them
> helpful or interesting?

I think I managed to make one. It was interesting.

> 8. What's your most used command in your bash history?
> (run: cut -d\ -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed 's/.*//g' to see)

531 git

That came to me as a surprise, but thinking about it, it actually makes a
lot of sense, given how often I use « git rebase -i » :)

--
Mathieu
Re: June status update for Fedora Infrastructure Apprentices

Hey Kevin -- let me know if I should move off this list since I'm back
working for Red Hat. I'm happy to stay but I'm definitely
well-integrated into Fedora now. :)

Anyway:

On 6/6/2014 3:23 PM, Kevin Fenzi wrote:
> Greetings.
>
> You are getting this email because you are in the 'fi-apprentice' group
> in the fedora account system (or are reading this on the infrastructure
> list). Feel free to reply just directly to me, or cc the infrastructure
> list for everyone to see and comment on.
>
> https://fedoraproject.org/wiki/Infrastructure_Apprentice
>
> At the first of every month (or so), I am going to be sending out an
> email like this one. I would like feedback on how things are going for
> you. I'd like to ask for everyone to send me a quick reply with the
> following data or anything related you can think of that might help us
> make the apprentice program more useful.
>
> 0. What's your fedora account system login?

oddshocks

> 1. Have you logged in and used your fi-apprentice membership to look at
> our machines/setup in the last month? Do you plan to?

Working with cloud stuff right now

> 2. Has it helped you decide any area you wish to focus on or contribute
> to more?

Working with cloud image uploading right now :)

> 3. Have you looked at or been able to work on any of the fi-apprentice
> 'easyfix' tickets?
> https://fedorahosted.org/fedora-infrastructure/report/14

Workin' on my own tickets ATM, but might file an easyfix or two on my own
project. I can help apprentices contribute no problem. :D

> 4. Do you still wish to be a member of the group? If not (for whatever
> reason) could you provide any hints to help others down the road?

See above. Possibly should graduate from this group.

> 5. Is there any help or communication or ideas you have that would help
> you do any of the above?

Nope, all set!

> 6. What do you find to be the hardest part of getting involved? Finding
> things to work on? Getting attention from others to help you? Finding
> tickets in your interest area?

I'm definitely fully-involved now. :)

> 7. Have you been able to make any weekly irc meetings? Do you find them
> helpful or interesting?

Every week! Infra and Cloud SIG. _Always_ helpful.

> 8. What's your most used command in your bash history?
> (run: cut -d\ -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed 's/.*//g' to see)
> (if using zsh: history 1 | awk '{print $2}' | sort | uniq -c | sort -rn | head -n1 )

Well, I just spun up this Fedora VM a few weeks back and have been only
using it for my Fedora work, but here goes: ... well, it's `ls`. ;)

BONUS: Useful alias: `alias sl=ls` ;)

> Any other general feedback is also quite welcome, including improvements
> to this email, the wiki page, etc.
>
> Any folks I do not hear from in the next week will be removed from the
> group. (Note that it's easy to be readded when you have time or whatever
> and it's nothing at all personal, we just want to keep the group up to
> date with active folks).
>
> Thanks, and looking forward to your feedback!
>
> kevin
Re: Review for new rbac_playbook

Le mercredi 04 juin 2014 à 19:45 -0600, Tim Flink a écrit :
> I've been working to rewrite and extend the script that we've been
> using to control playbook execution for folks who are not in
> sysadmin-main.
>
> https://bitbucket.org/tflink/rbac-ansible
>
> I've been testing the script but before we actually start using it on
> lockbox01, I'd appreciate a review of the code to make sure I didn't
> miss any security holes. Injection attacks shouldn't be an issue due to
> usage of os.execv - all injection attempts are grouped as a single
> argument and will not be broken up.

So, I just have one question: how is the option -P of the script supposed
to behave? Can I assume that I would be able to say "use this playbook,
but instead of using port 22, use port 1234" without changing the
playbook?

In this case, I think this would mean that if I can create a ssh tunnel
on the remote server (listening on port 1234 to a server I control, with
ssh -L 1234:servericontrol:22), then I can make the playbook play on a
server I control, which in turn means that I would potentially get access
to files with passwords that I may not have access to.

Example: the playbook that deploys mediawiki would deploy mediawiki on my
server, then I can go as root and look at the mysql credentials deployed
in the configuration file. Or I can look at the https certificates that
were deployed, etc, etc.

I do not know if such an attack schema would matter for Fedora infra, but
if the user running ansible (after sudo, is "sudoed" a word?) has access
to passwords that the initial user doesn't, and if there is no firewall
internally (ie, the tunnel trick would work, no firewall between lockbox
and the server), and if the attacker/initial user can ssh to a server
without much access, then this would work.

(if not, I may just have won the Oscar for the most convoluted attack of
the week)

--
Michael Scherer
Re: Review for new rbac_playbook

mmm, for your attack strategy to work, basically the attacker needs to
have enough permissions in the first place to be able to execute the
playbook such that the playbooks have access to the mysql secret? And if
he already has that kinda permission, then there is no need to do a setup
first and then read it coz the attacker can read it upfront without doing
the setup.

I think this is controlled by the..

def can_run(acl, groups, playbook_file):

?

On Sat, Jun 7, 2014 at 8:56 PM, Michael Scherer m...@zarb.org wrote:
> Le mercredi 04 juin 2014 à 19:45 -0600, Tim Flink a écrit :
>> I've been working to rewrite and extend the script that we've been
>> using to control playbook execution for folks who are not in
>> sysadmin-main.
>>
>> https://bitbucket.org/tflink/rbac-ansible
>>
>> I've been testing the script but before we actually start using it on
>> lockbox01, I'd appreciate a review of the code to make sure I didn't
>> miss any security holes. Injection attacks shouldn't be an issue due
>> to usage of os.execv - all injection attempts are grouped as a single
>> argument and will not be broken up.
>
> So, I just have one question: how is the option -P of the script
> supposed to behave? Can I assume that I would be able to say "use this
> playbook, but instead of using port 22, use port 1234" without changing
> the playbook?
>
> In this case, I think this would mean that if I can create a ssh tunnel
> on the remote server (listening on port 1234 to a server I control,
> with ssh -L 1234:servericontrol:22), then I can make the playbook play
> on a server I control, which in turn means that I would potentially get
> access to files with passwords that I may not have access to.
>
> Example: the playbook that deploys mediawiki would deploy mediawiki on
> my server, then I can go as root and look at the mysql credentials
> deployed in the configuration file. Or I can look at the https
> certificates that were deployed, etc, etc.
>
> I do not know if such an attack schema would matter for Fedora infra,
> but if the user running ansible (after sudo, is "sudoed" a word?) has
> access to passwords that the initial user doesn't, and if there is no
> firewall internally (ie, the tunnel trick would work, no firewall
> between lockbox and the server), and if the attacker/initial user can
> ssh to a server without much access, then this would work.
>
> (if not, I may just have won the Oscar for the most convoluted attack
> of the week)
>
> --
> Michael Scherer
Re: Review for new rbac_playbook

Le samedi 07 juin 2014 à 21:28 +0530, Anshu Prateek a écrit :
> mmm, for your attack strategy to work, basically the attacker needs to
> have enough permissions in the first place to be able to execute the
> playbook such that the playbooks have access to the mysql secret? And
> if he already has that kinda permission, then there is no need to do a
> setup first and then read it coz the attacker can read it upfront
> without doing the setup.

Then why do we use sudo and a filtering script if an attacker can inject
any playbook?

My understanding was that people did have to commit first before being
able to run something (in order to provide auditing), and that the sudo
user does have access to stuff that the user/attacker doesn't (like ssh
keys, for example). My understanding was also that there is a private
repo that is not readable by everybody, with various passwords, but that
the user running ansible (ie, the one accessible by sudo) can read. And
that sudo is used to make sure the initial user can only run ansible,
nothing more.

If these assumptions are false, yeah, the attack is more complex than
needed. But as the idea is to permit people who are not in sysadmin-main
to run playbooks, I think my assumptions are correct.

--
Michael Scherer
Re: Review for new rbac_playbook

On Sat, Jun 07, 2014 at 04:26:45PM +0100, Michael Scherer wrote:
> Can I assume that I would be able to say "use this playbook, but
> instead of using port 22, use port 1234" without changing the
> playbook?
>
> In this case, I think this would mean that if I can create a ssh tunnel
> on the remote server (listening on port 1234 to a server I control,
> with ssh -L 1234:servericontrol:22), then I can make the playbook play
> on a server I control, which in turn means that I would potentially get
> access to files with passwords that I may not have access to.

As long as SSH host keys are properly verified, port forwarding should
not matter, since the machine is identified by its SSH host key and not
its IP address/port. The host key checking was enabled in Fedora
Infrastructure a while ago. I hope it still is.

If the attacker has administrative access to a host, then it could also
be changed to forward connections to port 22 to another host. So even
without being able to specify the port, this might be exploited.

Regards
Till
Re: Review for new rbac_playbook

On Sat, 07 Jun 2014 17:48:16 +0100
Michael Scherer m...@zarb.org wrote:
> Le samedi 07 juin 2014 à 21:28 +0530, Anshu Prateek a écrit :
>> mmm, for your attack strategy to work, basically the attacker needs
>> to have enough permissions in the first place to be able to execute
>> the playbook such that the playbooks have access to the mysql secret?
>> And if he already has that kinda permission, then there is no need to
>> do a setup first and then read it coz the attacker can read it
>> upfront without doing the setup.
>
> Then why do we use sudo and a filtering script if an attacker can
> inject any playbook?

They cannot. It requires them to be in the checked out location on
lockbox that users could only update by having root on lockbox or
committing to git.

> My understanding was that people did have to commit first before being
> able to run something (in order to provide auditing), and that the sudo
> user does have access to stuff that the user/attacker doesn't (like ssh
> keys, for example). My understanding was also that there is a private
> repo that is not readable by everybody, with various passwords, but
> that the user running ansible (ie, the one accessible by sudo) can
> read.

Yep. sudo is used to see if the user is allowed to run rbac-playbook at
all, then it checks further before running ansible-playbook.

> And that sudo is used to make sure the initial user can only run
> ansible, nothing more.

well, rbac-playbook then ansible-playbook, but yeah.

> If these assumptions are false, yeah, the attack is more complex than
> needed. But as the idea is to permit people who are not in
> sysadmin-main to run playbooks, I think my assumptions are correct.

Right.

kevin
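The authorization model this thread describes (a `can_run(acl, groups, playbook_file)` decision, playbooks accepted only from the git checkout on lockbox, arguments handed to os.execv as a list so nothing is shell-split) as an added illustration. This is not the rbac-ansible project's own code and does not reproduce it; the ACL contents, the checkout path, the group names and the helper names are constructed for the example.

```python
"""Illustrative authorization check for a sudo-wrapped playbook runner.

Added example, not rbac-ansible's code. It models the three controls
discussed on the list: a per-playbook ACL keyed on FAS groups, a rule
that the playbook must live inside the trusted checkout (which only
root or a git commit can change), and an argv list for os.execv so a
caller-supplied argument can never turn into extra shell commands.
"""
import os

# Constructed ACL: playbook path relative to the checkout -> groups allowed to run it.
ACL = {
    "playbooks/groups/mediawiki.yml": {"sysadmin-web", "sysadmin-main"},
    "playbooks/groups/lookaside.yml": {"sysadmin-releng", "sysadmin-main"},
}

# Hypothetical location of the git checkout on the control host.
CHECKOUT = "/srv/ansible-checkout"

# Hypothetical path of the real ansible-playbook binary.
ANSIBLE_PLAYBOOK = "/usr/bin/ansible-playbook"


def can_run(acl, groups, playbook_file, checkout=CHECKOUT):
    """Return True only if playbook_file resolves to a file inside the
    checkout and at least one of the caller's groups is listed for it."""
    root = os.path.realpath(checkout)
    # os.path.join discards the checkout if playbook_file is absolute, and
    # realpath collapses "../" and symlinks, so both escape routes end up
    # as a path outside root and are rejected by the commonpath test.
    real = os.path.realpath(os.path.join(checkout, playbook_file))
    if os.path.commonpath([real, root]) != root:
        return False
    rel = os.path.relpath(real, root)
    allowed = acl.get(rel, set())
    return bool(allowed & set(groups))


def build_argv(playbook_file, extra_args=(), checkout=CHECKOUT):
    """Build the argv list handed to os.execv. Every element is one
    argument: metacharacters such as ';' or '&&' inside extra_args stay
    inside that single argument instead of starting a new command."""
    argv = [ANSIBLE_PLAYBOOK, os.path.join(checkout, playbook_file)]
    argv.extend(str(a) for a in extra_args)
    return argv


if __name__ == "__main__":
    # A member of sysadmin-web may run the mediawiki playbook ...
    print(can_run(ACL, ["sysadmin-web"], "playbooks/groups/mediawiki.yml"))
    # ... but nobody may point the runner at a file outside the checkout.
    print(can_run(ACL, ["sysadmin-main"], "../../etc/passwd"))
    print(build_argv("playbooks/groups/mediawiki.yml", ["-l", "web01 && id"]))
```

The `commonpath` test is the part that makes Kevin's statement ("it requires them to be in the checked out location") hold against `../` and absolute paths; a plain string prefix check would not, since `/srv/ansible-checkout-evil/` starts with `/srv/ansible-checkout`.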
Re: Review for new rbac_playbook

On Sat, 7 Jun 2014 19:31:33 +0200
Till Maas opensou...@till.name wrote:
> As long as SSH host keys are properly verified, port forwarding should
> not matter, since the machine is identified by its SSH host key and not
> its IP address/port. The host key checking was enabled in Fedora
> Infrastructure a while ago. I hope it still is.

...snip...

It is.

kevin
Re: Review for new rbac_playbook

Le samedi 07 juin 2014 à 19:31 +0200, Till Maas a écrit :
> On Sat, Jun 07, 2014 at 04:26:45PM +0100, Michael Scherer wrote:
>> Can I assume that I would be able to say "use this playbook, but
>> instead of using port 22, use port 1234" without changing the
>> playbook?
>>
>> In this case, I think this would mean that if I can create a ssh
>> tunnel on the remote server (listening on port 1234 to a server I
>> control, with ssh -L 1234:servericontrol:22), then I can make the
>> playbook play on a server I control, which in turn means that I would
>> potentially get access to files with passwords that I may not have
>> access to.
>
> As long as SSH host keys are properly verified, port forwarding should
> not matter, since the machine is identified by its SSH host key and not
> its IP address/port. The host key checking was enabled in Fedora
> Infrastructure a while ago.

I do not see that in /etc/ssh/ssh_config on lockbox (could be in
~/.ssh/config however), nor anything in /etc/ansible/ansible.cfg (could
again be a local config somewhere else). I didn't find anything making it
use a different ~/.ssh/config, nor ~/.ansible/*, so I think the default
is used, which is 'ask'.

And after a quick crude test, if you have ssh listening on 2 ports, ssh
will treat each as a different entry in known_hosts, and so ask again.
(or at least on my laptop, I didn't dig more given the hour, will try to
search a bit more).

So while I am not affirmative at 100% (again, could be different in the
precise case of ansible in Fedora infra, could be one of the 360 lines of
my own ssh config, could be me being tired), I would not exclude a
possible issue with what I do see.

> I hope it still is.
>
> If the attacker has administrative access to a host, then it could also
> be changed to forward connections to port 22 to another host. So even
> without being able to specify the port, this might be exploited.

--
Michael Scherer