From: Greg Price <price@mit.edu>
Date: Wed, 31 Dec 2008 00:52:50 +0000 (-0500)
Subject: fix pts mem vulnerability, with new -encrypt option
X-Git-Tag: 0.0.16~2
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/eb558ecccf88e5606ecb3f961b624dd33c4a1faf

fix pts mem vulnerability, with new -encrypt option

svn path=/trunk/packages/invirt-web/; revision=1947
---

diff --git a/code/getafsgroups.py b/code/getafsgroups.py
index 13f8cf7..a35a4f1 100644
--- a/code/getafsgroups.py
+++ b/code/getafsgroups.py
@@ -28,7 +28,7 @@ class AfsProcessError(Exception):
     pass
 
 def getAfsGroupMembers(group, cell):
-    p = subprocess.Popen(["pts", "membership", "-noauth", group, '-c', cell], 
+    p = subprocess.Popen(["pts", "membership", "-encrypt", group, '-c', cell],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     err = p.stderr.read()
     if err: #Error code doesn't reveal missing groups, but stderr does
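Review bot: The switch to `-encrypt` makes this query depend on the calling process holding valid AFS tokens, but nothing in the hunk records that precondition, and the stderr check that follows presumably now also fires when no token is present, which a caller cannot tell apart from a missing group. Add a comment above the Popen, e.g. `# -encrypt: the old -noauth query ran in cleartext and could be spoofed; requires valid AFS tokens (obtained by invirt-cache-acls)`, and consider raising a distinct message when the stderr text indicates an authentication failure rather than a missing entry. getAfsGroupMembers continues past the end of the hunk, so the error path itself is not visible here.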
diff --git a/config.todo b/config.todo
index a1f921c..b95a341 100644
--- a/config.todo
+++ b/config.todo
@@ -4,6 +4,7 @@ code/Makefile: base URI
 # may differ dev/prod?
 files/etc/apache2/sites-available/default: assumes trac
 files/etc/init.d/apache2.invirt: afs cell (for svn)
+invirt-cache-acls: aklog athena sipb
 code/templates/error.tmpl: xvm@mit.edu
 code/templates/help.tmpl: assumes trac
 code/templates/list.tmpl: XVM
diff --git a/debian/changelog b/debian/changelog
index 55a5caa..f7ad007 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,12 @@
 invirt-web (0.0.16) unstable; urgency=low
 
+  * Fix a security vulnerability: traditional `pts mem` is in cleartext
+    and could be spoofed.  Use new -encrypt option, which needs tokens.
+
   * make initscript stop command not leave apache2 processes lying around
     (so that restart works)
 
- -- Greg Price <price@mit.edu>  Fri, 19 Dec 2008 22:34:31 -0500
+ -- Greg Price <price@mit.edu>  Tue, 30 Dec 2008 17:31:48 -0500
 
 invirt-web (0.0.15) unstable; urgency=low
 
diff --git a/debian/invirt-web.cron.d b/debian/invirt-web.cron.d
index f1ef598..a27fb7b 100644
--- a/debian/invirt-web.cron.d
+++ b/debian/invirt-web.cron.d
@@ -5,4 +5,4 @@
 
 MAILTO=root
 
-*/5 * * * * www-data python /var/www/invirt-web/cache_acls.py
+*/5 * * * * www-data invirt-cache-acls
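Review bot: The new job is invoked by bare name, so it relies on cron's default PATH containing /usr/bin, where debian/invirt-web.install places the script; the replaced line was explicit about its path. Use `*/5 * * * * www-data /usr/bin/invirt-cache-acls` so the job does not depend on the PATH cron happens to set.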
diff --git a/debian/invirt-web.install b/debian/invirt-web.install
index 9da31b3..a06ff56 100644
--- a/debian/invirt-web.install
+++ b/debian/invirt-web.install
@@ -1 +1,2 @@
 files/* .
+invirt-cache-acls /usr/bin/
diff --git a/invirt-cache-acls b/invirt-cache-acls
new file mode 100755
index 0000000..19673a7
--- /dev/null
+++ b/invirt-cache-acls
@@ -0,0 +1,4 @@
+#!/bin/sh
+kinit -k -t /etc/invirt/keytab daemon/$(hostname -f)
+aklog athena sipb
+python /var/www/invirt-web/cache_acls.py
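Review bot: The script has no `set -e`, so if `kinit` or `aklog` fails (keytab unreadable, KDC unreachable) `cache_acls.py` still runs, now without the tokens that `pts membership -encrypt` requires, and whatever the cache script does on a failed query happens silently every five minutes. Add `set -e` after the shebang and quote the principal, `kinit -k -t /etc/invirt/keytab "daemon/$(hostname -f)"`. Since the cron entry runs this as www-data, `/etc/invirt/keytab` has to be readable by that user, and unless the job is wrapped in `pagsh` the tokens `aklog` obtains are presumably attached to the www-data UID and therefore visible to every process running as that user, including the web server; running the three commands under `pagsh` or calling `unlog` and `kdestroy` at exit would bound that exposure.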