From: Greg Price Date: Wed, 31 Dec 2008 00:52:50 +0000 (-0500) Subject: fix pts mem vulnerability, with new -encrypt option X-Git-Tag: 0.0.16~2 X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/eb558ecccf88e5606ecb3f961b624dd33c4a1faf?ds=sidebyside fix pts mem vulnerability, with new -encrypt option svn path=/trunk/packages/invirt-web/; revision=1947 --- diff --git a/code/getafsgroups.py b/code/getafsgroups.py index 13f8cf7..a35a4f1 100644 --- a/code/getafsgroups.py +++ b/code/getafsgroups.py @@ -28,7 +28,7 @@ class AfsProcessError(Exception): pass def getAfsGroupMembers(group, cell): - p = subprocess.Popen(["pts", "membership", "-noauth", group, '-c', cell], + p = subprocess.Popen(["pts", "membership", "-encrypt", group, '-c', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE) err = p.stderr.read() if err: #Error code doesn't reveal missing groups, but stderr does diff --git a/config.todo b/config.todo index a1f921c..b95a341 100644 --- a/config.todo +++ b/config.todo @@ -4,6 +4,7 @@ code/Makefile: base URI # may differ dev/prod? files/etc/apache2/sites-available/default: assumes trac files/etc/init.d/apache2.invirt: afs cell (for svn) +invirt-cache-acls: aklog athena sipb code/templates/error.tmpl: xvm@mit.edu code/templates/help.tmpl: assumes trac code/templates/list.tmpl: XVM diff --git a/debian/changelog b/debian/changelog index 55a5caa..f7ad007 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,12 @@ invirt-web (0.0.16) unstable; urgency=low + * Fix a security vulnerability: traditional `pts mem` is in cleartext + and could be spoofed. Use new -encrypt option, which needs tokens. + * make initscript stop command not leave apache2 processes lying around (so that restart works) - -- Greg Price Fri, 19 Dec 2008 22:34:31 -0500 + -- Greg Price Tue, 30 Dec 2008 17:31:48 -0500 invirt-web (0.0.15) unstable; urgency=low diff --git a/debian/invirt-web.cron.d b/debian/invirt-web.cron.d index f1ef598..a27fb7b 100644 --- a/debian/invirt-web.cron.d +++ b/debian/invirt-web.cron.d @@ -5,4 +5,4 @@ MAILTO=root -*/5 * * * * www-data python /var/www/invirt-web/cache_acls.py +*/5 * * * * www-data invirt-cache-acls diff --git a/debian/invirt-web.install b/debian/invirt-web.install index 9da31b3..a06ff56 100644 --- a/debian/invirt-web.install +++ b/debian/invirt-web.install @@ -1 +1,2 @@ files/* . +invirt-cache-acls /usr/bin/ diff --git a/invirt-cache-acls b/invirt-cache-acls new file mode 100755 index 0000000..19673a7 --- /dev/null +++ b/invirt-cache-acls @@ -0,0 +1,4 @@ +#!/bin/sh +kinit -k -t /etc/invirt/keytab daemon/$(hostname -f) +aklog athena sipb +python /var/www/invirt-web/cache_acls.py