Re: June status update for Fedora Infrastructure Apprentices

2014-06-07 Thread Achilleas Pipinellis
On 06/06/2014 10:23 PM, Kevin Fenzi wrote:
 Greetings.
 
 You are getting this email because you are in the 'fi-apprentice'
 group in the fedora account system (or are reading this on the 
 infrastructure list).
 
 Feel free to reply just directly to me, or cc the infrastructure
 list for everyone to see and comment on.
 
 https://fedoraproject.org/wiki/Infrastructure_Apprentice
 
 At the first of every month (or so), I am going to be sending out
 an email like this one. I would like feedback on how things are
 going for you.
 
 I'd like to ask for everyone to send me a quick reply with the 
 following data or anything related you can think of that might help
 us make the apprentice program more useful.
 
 0. What's your fedora account system login?
 

axilleas

 1. Have you logged in and used your fi-apprentice membership to
 look at our machines/setup in the last month? Do you plan to?
 

Unfortunately, no... It's been a pretty busy month; hopefully I'll
have some more time in the following ones.

 2. Has it helped you decide any area you wish to focus on or
 contribute to more?
 
 3. Have you looked at or been able to work on any of the
 fi-apprentice 'easyfix' tickets? 
 https://fedorahosted.org/fedora-infrastructure/report/14
 

Yes, in particular #4290, #3792, #4212, #2931, #3617, but I haven't found
the time yet to work on any of them. #4290 looks like the perfect candidate
to get someone started on working with ansible.

 4. Do you still wish to be a member of the group? If not (for
 whatever reason) could you provide any hints to help others down
 the road?
 

Of course :)

 5. Is there any help or communication or ideas you have that would
 help you do any of the above?
 
 6. What do you find to be the hardest part of getting involved? 
 Finding things to work on? Getting attention from others to help
 you? Finding tickets in your interest area?
 

Time...

 7. Have you been able to make any weekly irc meetings? Do you find
 them helpful or interesting?
 

I have, but I've missed quite a few. I will get back on track on June 19
and afterwards, since right now I cannot make the particular time the
meeting occurs. You may see me online as I use znc. Oh, and I always
read the logs :)

 8. What's your most used command in your bash history? (run: cut -d\
 -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed
 's/.*//g' to see) (if using zsh: history 1| awk '{print $2}' |
 sort | uniq -c | sort -rn | head -n1 )
 

I use zsh and I had to remove the 1 after history ;) So, my most used
command is:

   1100 git


 Any other general feedback is also quite welcome, including 
 improvements to this email, the wiki page, etc.
 
 Any folks I do not hear from in the next week will be removed from
 the group. (Note that it's easy to be readded when you have time
 or whatever and it's nothing at all personal, we just want to keep
 the group up to date with active folks).
 
 Thanks, and looking forward to your feedback!
 
 kevin
 


-- 
FAS : axilleas
GPG : 0xABF99BE5
Blog: http://axilleas.me
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Re: June status update for Fedora Infrastructure Apprentices

2014-06-07 Thread tiansworld

 0. What's your fedora account system login?

tiansworld

 1. Have you logged in and used your fi-apprentice membership to look at
 our machines/setup in the last month? Do you plan to?

No, I tried to login, but was denied. It seems that I'm not in the group.
But I'm willing to log in to explore the machines and give any help that I
can. (I am not an admin and I don't have server maintenance experience.)


 2. Has it helped you decide any area you wish to focus on or contribute
 to more?
 3. Have you looked at or been able to work on any of the fi-apprentice
 'easyfix' tickets?
 https://fedorahosted.org/fedora-infrastructure/report/14

Not yet.


 4. Do you still wish to be a member of the group? If not (for whatever
 reason) could you provide any hints to help others down the road?

Yes

 5. Is there any help or communication or ideas you have that would help
 you do any of the above?

No

 6. What do you find to be the hardest part of getting involved?
 Finding things to work on? Getting attention from others to help you?
 Finding tickets in your interest area?

Finding things to work on.
I am not a system admin, and I don't have any experience in this area. So
it's really hard for me to find what I can do in the infrastructure team. Also
lots of my time is contributed to Fedora L10n. But I am still glad to do
something helpful here.


 7. Have you been able to make any weekly irc meetings? Do you find them
 helpful or interesting?

Haven't attended any infrastructure weekly irc meetings.

 8. What's your most used command in your bash history?
 (run:
 cut -d\   -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 |
 sed 's/.*//g'
 to see)
 (if using zsh:
 history 1| awk '{print $2}' | sort | uniq -c | sort -rn | head -n1
 )

74 ssh
Mostly I use ssh to access my raspberry pi and my parents' machine; sometimes
I ssh to fedora-docs to fix some bugs.


-- 
Regards,

Tian Shixiong (Tiansworld)
Fedora Project Contributor

Re: June status update for Fedora Infrastructure Apprentices

2014-06-07 Thread Mathieu Bridon
On Fri, 2014-06-06 at 13:23 -0600, Kevin Fenzi wrote:
 0. What's your fedora account system login?

bochecha

 1. Have you logged in and used your fi-apprentice membership to look at
 our machines/setup in the last month? Do you plan to?

I did, looking at the way the lookaside cache is deployed in Puppet.

 2. Has it helped you decide any area you wish to focus on or contribute
 to more?

No, I knew already.

 3. Have you looked at or been able to work on any of the fi-apprentice
 'easyfix' tickets?
 https://fedorahosted.org/fedora-infrastructure/report/14

I didn't look.

 4. Do you still wish to be a member of the group?

Yes.

 5. Is there any help or communication or ideas you have that would help
 you do any of the above?

Can you make my days last 40 hours? :)

 6. What do you find to be the hardest part of getting involved?
 Finding things to work on? Getting attention from others to help you?
 Finding tickets in your interest area? 

Nothing's hard, just need time to get things done.

 7. Have you been able to make any weekly irc meetings? Do you find them
 helpful or interesting? 

I think I managed to make one. It was interesting.

 8. What's your most used command in your bash history?
 (run: 
 cut -d\   -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed 
 's/.*//g' 
 to see)

531 git

That came to me as a surprise, but thinking about it, it actually makes
a lot of sense, given how often I use « git rebase -i » :)


-- 
Mathieu


Re: June status update for Fedora Infrastructure Apprentices

2014-06-07 Thread David Gay

Hey Kevin -- let me know if I should move off this list since I'm back
working for Red Hat. I'm happy to stay but I'm definitely
well-integrated into Fedora now. :)

Anyway:

On 6/6/2014 3:23 PM, Kevin Fenzi wrote:
 Greetings.
 
 You are getting this email because you are in the 'fi-apprentice'
 group in the fedora account system (or are reading this on the 
 infrastructure list).
 
 Feel free to reply just directly to me, or cc the infrastructure
 list for everyone to see and comment on.
 
 https://fedoraproject.org/wiki/Infrastructure_Apprentice
 
 At the first of every month (or so), I am going to be sending out
 an email like this one. I would like feedback on how things are
 going for you.
 
 I'd like to ask for everyone to send me a quick reply with the 
 following data or anything related you can think of that might help
 us make the apprentice program more useful.
 
 0. What's your fedora account system login?

oddshocks

 
 1. Have you logged in and used your fi-apprentice membership to
 look at our machines/setup in the last month? Do you plan to?

Working with cloud stuff right now

 
 2. Has it helped you decide any area you wish to focus on or
 contribute to more?

Working with cloud image uploading right now :)

 
 3. Have you looked at or been able to work on any of the
 fi-apprentice 'easyfix' tickets? 
 https://fedorahosted.org/fedora-infrastructure/report/14

Workin' on my own tickets ATM, but might file an easyfix or two on my
own project. I can help apprentices contribute no problem. :D

 
 4. Do you still wish to be a member of the group? If not (for
 whatever reason) could you provide any hints to help others down
 the road?

See above. Possibly should graduate from this group.

 
 5. Is there any help or communication or ideas you have that would
 help you do any of the above?

Nope, all set!

 
 6. What do you find to be the hardest part of getting involved? 
 Finding things to work on? Getting attention from others to help
 you? Finding tickets in your interest area?

I'm definitely fully-involved now. :)

 
 7. Have you been able to make any weekly irc meetings? Do you find
 them helpful or interesting?

Every week! Infra and Cloud SIG. _Always_ helpful.

 
 8. What's your most used command in your bash history? (run: cut -d\
 -f 1 ~/.bash_history | sort | uniq -c | sort -rn | head -n 1 | sed
 's/.*//g' to see) (if using zsh: history 1| awk '{print $2}' |
 sort | uniq -c | sort -rn | head -n1 )

Well, I just spun up this Fedora VM a few weeks back and have been
only using it for my Fedora work, but here goes: ... well, it's `ls`. ;)

BONUS: Useful alias: `alias sl=ls` ;)

 
 Any other general feedback is also quite welcome, including 
 improvements to this email, the wiki page, etc.
 
 Any folks I do not hear from in the next week will be removed from
 the group. (Note that it's easy to be readded when you have time
 or whatever and it's nothing at all personal, we just want to keep
 the group up to date with active folks).
 
 Thanks, and looking forward to your feedback!
 
 kevin
 
 
 

Re: Review for new rbac_playbook

2014-06-07 Thread Michael Scherer
On Wednesday, 04 June 2014 at 19:45 -0600, Tim Flink wrote:
 I've been working to rewrite and extend the script that we've been
 using to control playbook execution for folks who are not in
 sysadmin-main.
 
 https://bitbucket.org/tflink/rbac-ansible
 
 I've been testing the script but before we actually start using it on
 lockbox01, I'd appreciate a review of the code to make sure I didn't
 miss any security holes.
 
 Injection attacks shouldn't be an issue due to usage of os.execv - all
 injection attempts are grouped as a single argument and will not be
 broken up.

So, I just have one question: how is the -P option of the script
supposed to behave?

Can I assume that I would be able to say "use this playbook, but instead
of using port 22, use port 1234" without changing the playbook?

In this case, I think this would mean that if I can create an ssh tunnel
on the remote server ( listening on port 1234 to a server I control,
with ssh -L 1234:servericontrol:22 ), then I can make the playbook
run on a server I control, which in turn means that I would
potentially get access to files with passwords that I may not have access
to. 

Example: the playbook that deploys mediawiki would deploy mediawiki on my
server, then I can go as root and look at the mysql credentials deployed in
the configuration file. Or I can look at the https certificates that
were deployed, etc, etc.


I do not know if such an attack scheme would matter for Fedora infra, but
if the user running ansible ( after sudo, is sudoed a word ? ) has
access to passwords that the initial user doesn't, and if there is no
firewall internally ( ie, the tunnel trick would work, no firewall
between lockbox and the server ), and if the attacker/initial user can
ssh to a server without much access, then this would work.

( if not, I may just have won the Oscar for the most convoluted attack
of the week )
-- 
Michael Scherer


Re: Review for new rbac_playbook

2014-06-07 Thread Anshu Prateek
mmm, for your attack strategy to work, basically the attacker needs to
have enough permissions in the first place to be able to execute the
playbook such that the playbooks have access to the mysql secret? And if he
already has that kinda permission, then there is no need to do a setup
first and then read it coz the attacker can read it upfront without doing
the setup.

I think this is controlled by the..

def can_run(acl, groups, playbook_file):

?



On Sat, Jun 7, 2014 at 8:56 PM, Michael Scherer m...@zarb.org wrote:


Re: Review for new rbac_playbook

2014-06-07 Thread Michael Scherer
On Saturday, 07 June 2014 at 21:28 +0530, Anshu Prateek wrote:
 mmm, for your attack strategy to work, basically the attacker needs
 to have enough permissions in the first place to be able to execute
 the playbook such that the playbooks have access to the mysql secret?
 And if he already has that kinda permission, then there is no need to
 do a setup first and then read it coz the attacker can read it upfront
 without doing the setup.

Then why do we use sudo and a filtering script if an attacker can inject
any playbook? 

My understanding was that people did have to commit first before being
able to run something ( in order to provide auditing ), and that the
sudo user does have access to stuff that the user/attacker doesn't ( like
ssh keys, for example ). My understanding was also that there is a
private repo that is not readable by everybody, with various passwords, but
that the user running ansible ( ie, the one accessible by sudo ) can
read. 

And that sudo is used to make sure the initial user can only run
ansible, nothing more.

If these assumptions are false, yeah, the attack is more complex than
needed. But as the idea is to permit people who are not in
sysadmin-main to run playbooks, I think my assumptions are correct.
-- 
Michael Scherer


Re: Review for new rbac_playbook

2014-06-07 Thread Till Maas
On Sat, Jun 07, 2014 at 04:26:45PM +0100, Michael Scherer wrote:

 Can I assume that I would be able to say "use this playbook, but instead
 of using port 22, use port 1234" without changing the playbook?
 
 In this case, I think this would mean that if I can create an ssh tunnel
 on the remote server ( listening on port 1234 to a server I control,
 with ssh -L 1234:servericontrol:22 ), then I can make the playbook
 run on a server I control, which in turn means that I would
 potentially get access to files with passwords that I may not have access
 to.

As long as SSH host keys are properly verified, port forwarding should
not matter, since the machine is identified by its SSH host key and
not its IP address/port. The host key checking was enabled in Fedora
Infrastructure a while ago. I hope it still is. If the attacker has
administrative access to a host, then it could also be changed to forward
connections to port 22 to another host. So even without being able to
specify the port, this might be exploited.

Regards
Till

Re: Review for new rbac_playbook

2014-06-07 Thread Kevin Fenzi
On Sat, 07 Jun 2014 17:48:16 +0100
Michael Scherer m...@zarb.org wrote:

 Le samedi 07 juin 2014 à 21:28 +0530, Anshu Prateek a écrit :
  mmm, for your attack strategy to work, basically the attacker needs
  to have enough permissions in the first place to be able to execute
  the playbook such that the playbooks have access to the mysql
  secret? And if he already has that kinda permission, then there is
  no need to do a setup first and then read it coz the attacker can
  read it upfront without doing the setup.
 
 Then why do we use sudo and a filtering script if an attacker can
 inject any playbook? 

They cannot. It requires them to be in the checked-out location on
lockbox, which users could only update by having root on lockbox or
committing to git. 
 
 My understanding was that people did have to commit first before being
 able to run something ( in order to provide auditing ), and that the
 sudo user does have access to stuff that the user/attacker doesn't ( like
 ssh keys, for example ). My understanding was also that there is a
 private repo that is not readable by everybody, with various passwords, but
 that the user running ansible ( ie, the one accessible by sudo ) can
 read. 

Yep. sudo is used to see if the user is allowed to run rbac-playbook at
all, then it checks further before running ansible-playbook. 

 And that sudo is used to make sure the initial user can only run
 ansible, nothing more.

well, rbac-playbook then ansible-playbook, but yeah. 

 If these assumptions are false, yeah, the attack is more complex
 than needed. But as the idea is to permit people who are not in
 sysadmin-main to run playbooks, I think my assumptions are correct.

Right. 

kevin


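The gate Kevin describes (sudo admits the caller, rbac-playbook checks further, then ansible-playbook runs) sketched as an added example; this is not the rbac-ansible script's own code. The ACL, the checkout path, the allow-listed options and the body of can_run are constructed for this page; only the can_run(acl, groups, playbook_file) signature comes from the thread. It confines playbooks to the audited checkout and refuses a port override such as the -P discussed above, so a run cannot be pointed at another host.

```python
import os
import sys

# Constructed ACL: playbook path (relative to the checkout) -> groups allowed to run it.
ACL = {
    "playbooks/groups/mediawiki.yml": {"sysadmin-web", "sysadmin-main"},
    "playbooks/groups/docs.yml": {"sysadmin-docs", "sysadmin-main"},
}

# The only tree playbooks may be run from: the git checkout on the control
# host (constructed path standing in for the lockbox checkout).
PLAYBOOK_ROOT = "/srv/ansible-checkout"

# Extra ansible-playbook options the gate passes through. A port override
# (the -P discussed in the thread) is deliberately not on the list.
ALLOWED_EXTRA_ARGS = {"--check", "--diff"}


def normalize_playbook(playbook_file, root=PLAYBOOK_ROOT):
    """Canonical path of playbook_file relative to root, or None when it
    escapes the checkout via an absolute path, '..' or a symlink."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, playbook_file))
    if candidate == root or os.path.commonpath([candidate, root]) != root:
        return None
    return os.path.relpath(candidate, root)


def can_run(acl, groups, playbook_file):
    """True if one of the caller's groups may run this playbook.
    Signature as mentioned in the thread; the body is this example's own."""
    rel = normalize_playbook(playbook_file)
    if rel is None:
        return False
    return bool(acl.get(rel, set()) & set(groups))


def extra_args_allowed(extra_args):
    """Allow-list check for pass-through options."""
    return all(arg in ALLOWED_EXTRA_ARGS for arg in extra_args)


def build_argv(playbook_file, extra_args=()):
    """Argument vector for os.execv. Every value is exactly one argv element
    and no shell is involved, so a value such as 'x; rm -rf /' stays a single
    opaque argument (Tim's point about os.execv in the thread)."""
    rel = normalize_playbook(playbook_file)
    if rel is None or not extra_args_allowed(extra_args):
        raise ValueError("refused: %r %r" % (playbook_file, list(extra_args)))
    return ["/usr/bin/ansible-playbook", os.path.join(PLAYBOOK_ROOT, rel)] + list(extra_args)


def main(argv, groups):
    """Gate, then exec. In a real deployment groups would be the sudo
    caller's FAS groups; here they are passed in by the caller."""
    playbook_file, extra = argv[1], argv[2:]
    if not can_run(ACL, groups, playbook_file):
        sys.exit("not permitted to run %s" % playbook_file)
    args = build_argv(playbook_file, extra)
    os.execv(args[0], args)  # replaces this process; nothing runs after it


if __name__ == "__main__":
    # RBAC_GROUPS is a constructed env var for demonstration only.
    main(sys.argv, os.environ.get("RBAC_GROUPS", "").split(","))
```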

Re: Review for new rbac_playbook

2014-06-07 Thread Kevin Fenzi
On Sat, 7 Jun 2014 19:31:33 +0200
Till Maas opensou...@till.name wrote:

 As long as SSH host keys are properly verified, port forwarding should
 not matter, since the machine is identified by its SSH host key and
 not its IP address/port. The host key checking was enabled in Fedora
 Infrastructure a while ago. I hope it still is. 
...snip...

It is. 

kevin



Re: Review for new rbac_playbook

2014-06-07 Thread Michael Scherer
On Saturday, 07 June 2014 at 19:31 +0200, Till Maas wrote:
 On Sat, Jun 07, 2014 at 04:26:45PM +0100, Michael Scherer wrote:
 
  Can I assume that I would be able to say "use this playbook, but instead
  of using port 22, use port 1234" without changing the playbook?
  
  In this case, I think this would mean that if I can create an ssh tunnel
  on the remote server ( listening on port 1234 to a server I control,
  with ssh -L 1234:servericontrol:22 ), then I can make the playbook
  run on a server I control, which in turn means that I would
  potentially get access to files with passwords that I may not have access
  to.
 
 As long as SSH host keys are properly verified, port forwarding should
 not matter, since the machine is identified by its SSH host key and
 not its IP address/port. The host key checking was enabled in Fedora
 Infrastructure a while ago. 

I do not see that in /etc/ssh/ssh_config on lockbox ( could be in
~/.ssh/config however ), nor anything in /etc/ansible/ansible.cfg
( could again be a local config somewhere else ). I didn't find anything
making it use a different ~/.ssh/config, nor ~/.ansible/* , so I think the
default is used, which is 'ask'. 

And after a quick crude test, if you have ssh listening on 2 ports, ssh
will treat each as a different entry in known_hosts, and so ask again.
( or at least on my laptop, I didn't dig more given the hour, will try
to search a bit more ).

So while I am not 100% sure ( again, could be different in the
precise case of ansible in Fedora infra, could be one of the 360 lines
of my own ssh config, could be me being tired ), I would not exclude a
possible issue with what I do see.

 I hope it still is. If the attacker has
 administrative access to a host, then it could also be changed to forward
 connections to port 22 to another host. So even without being able to
 specify the port, this might be exploited.

-- 
Michael Scherer

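Michael's observation that ssh keeps host:22 and host:1234 as separate known_hosts entries, and Till's point that the host key rather than the address identifies the machine, worked through as an added example (not code from the thread, OpenSSH or Ansible): a small reader for the OpenSSH known_hosts format, covering plain and HashKnownHosts entries, run over constructed entries with placeholder keys.

```python
import base64
import hashlib
import hmac


def host_pattern(host, port=22):
    """How ssh names a host in known_hosts: bare on port 22, [host]:port
    otherwise. Hence host:22 and host:1234 are distinct entries."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hashed_pattern(pattern, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, pattern))."""
    mac = hmac.new(salt, pattern.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def field_matches(field, pattern):
    """Does the comma-separated host field of a known_hosts line cover
    pattern? Plain and hashed names only (no wildcards or negation)."""
    for name in field.split(","):
        if name.startswith("|1|"):
            salt = base64.b64decode(name.split("|")[2])
            if hashed_pattern(pattern, salt) == name:
                return True
        elif name == pattern:
            return True
    return False


def find_host_key(known_hosts, host, port=22):
    """(keytype, key) pinned for host:port, or None when there is no entry
    and ssh falls back to its StrictHostKeyChecking policy."""
    pattern = host_pattern(host, port)
    for line in known_hosts.splitlines():
        parts = line.split()
        # skip blanks, comments and @cert-authority/@revoked marker lines
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if field_matches(parts[0], pattern):
            return parts[1], parts[2]
    return None


def verify(known_hosts, host, port, offered_type, offered_key, strict=True):
    """Outcome of a connection to host:port presenting offered key: 'ok',
    'MISMATCH' (pinned key differs, i.e. the connection reached another
    machine), 'refused' (no entry, StrictHostKeyChecking=yes) or 'ask'
    (no entry, the default policy prompts interactively)."""
    entry = find_host_key(known_hosts, host, port)
    if entry is None:
        return "refused" if strict else "ask"
    return "ok" if entry == (offered_type, offered_key) else "MISMATCH"


# Constructed known_hosts content; the keys are placeholders, not real keys.
_SALT = b"constructed-salt-20b"  # 20-byte salt, the length ssh uses
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "mediawiki01.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOne",
    "[docs01.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyTwo",
    hashed_pattern("[bastion.example.org]:1234", _SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EPlaceholderKeyThree",
])
```

With the default 'ask' policy a tunnelled port 1234 is simply a new, unknown entry, which is what Michael saw; only a pinned key for the same host:port or StrictHostKeyChecking=yes turns the redirection into a hard failure.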